Under the General Data Protection Regulation, national authorities can or must impose fines for specific data protection violations. The fines are imposed in addition to, or instead of, further remedies or powers, such as an order to end a violation, an instruction to bring the data processing into line with statutory requirements, or a temporary or permanent ban on data processing. Where provisions apply to processors, the processors can be subject to sanctions directly and/or in conjunction with the controller.
The fines must be effective, proportionate and dissuasive in each individual case. In deciding whether to impose a sanction and in what amount, the authorities must apply a statutory catalogue of criteria. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or a lack of cooperation with the authorities can increase the penalties. For the especially severe violations listed in Art. 83, para. 5 of the GDPR, the fine can be up to 20 million euros, or in the case of a company, up to 4% of its total global turnover in the previous fiscal year, whichever is higher. But even the catalogue of less severe violations (Art. 83, para. 4) provides for fines of up to 10,000,000 euros, or, in the case of a company, up to 2% of its total global turnover in the previous fiscal year, whichever is higher.
Especially important here is that the term “company” is equivalent to that used in Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). According to the case law of the Court of Justice of the European Union, this is the broad, functional concept of a company: a unit which carries out a commercial activity, regardless of its legal form and how it is financed. This commercial unit can therefore consist not only of one individual company in the sense of a legal entity, but also of several natural or legal persons. Thus, a whole group can be treated as one company. When a fine is calculated on the basis of the company's turnover, the entire group’s turnover is used. In addition, Member States have rules on sanctions for other violations of the Regulation. This applies to violations that are not already subject to a fine. These penalties, too, must be effective, proportionate and dissuasive.
A violation in the company can come to light through proactive inspections conducted by the competent authorities, through a dissatisfied employee who complains to the authorities, through customers or potential customers who file a complaint with the authorities, through the company's own self-disclosure, or through the press, by way of investigative journalism.