Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) will apply directly in all Member States of the EU as of May 25th 2018.
The GDPR has been exhaustively commented upon and, for an overview of the top ten significant changes introduced by the GDPR, we refer to our previous Newsflash on the subject.
Despite being a regulation (and thus directly applicable in all EU Member States), the GDPR leaves room for EU Member States to adapt certain provisions, in particular those regarding the powers of the national supervisory authority (i.e. the Commission Nationale pour la Protection des Données, “CNPD”) and the administrative penalties which may be faced by businesses in breach of the GDPR provisions.
The Luxembourg draft law No. 7184 of 12 September 2017 (the “Draft Law”) aims to adapt the existing legal framework accordingly.
Such an approach is consistent with the new ex-post model introduced by the GDPR. Indeed, the current rules are based on an ex-ante model whereas the GDPR introduces an ex-post model. In other words, the current regime rests on a system of preliminary notifications to the competent authority in each EU Member State whereas, under the GDPR, processors and controllers must self-assess the legality of their practices and the said competent authority only intervenes afterwards, with powers of sanction, if such practices breach the GDPR provisions.
Therefore, it is of tremendous importance for the CNPD to be granted sufficient and necessary powers of investigation and sanction.
In addition to investigative powers (Article 58 paragraph 1 of the GDPR) and corrective powers (Article 58 paragraph 2 of the GDPR), the CNPD may impose administrative fines (Article 58 paragraph 2 (i) of the GDPR).
The GDPR provides for strict pecuniary sanctions which vary according to the provisions that have been violated. These fines range (i) from a maximum of 10 million Euro to a maximum of 20 million Euro, or, (ii) for an undertaking, from a maximum of 2% to a maximum of 4% of the worldwide annual turnover of the previous financial year.
These rules have been strictly followed by the Draft Law, which directly refers to the GDPR for the amounts of such administrative fines.
Sanctions are always the last resort against a defaulting controller; therefore, for the sake of ensuring efficient application of the GDPR, it clearly states that “supervisory authority shall ensure that the imposition of administrative fines […] shall in each individual case be effective, proportionate and dissuasive.”
In addition, in exceptional circumstances where sanctions could not be effective against controllers, the CNPD, pursuant to the GDPR, should be able to impose penalty payments (astreintes) in compliance with the Luxembourg Civil Code.
As far as the scope of administrative fines is concerned, the GDPR is clear and states that “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”.
Article 49 (1) of the Draft Law provides that the administrative fines of Article 83 of the GDPR may equally be imposed upon public legal persons.