|Denmark||29.06.2017||Administrative fines as prescribed in the GDPR not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty.
|Finland||02.08.2017||The Working Group has proposed that administrative fines would be supplemented with criminal sanctions in cases where fines are not available. The Working Group has also proposed establishing a new Sanctions Board under which the Data Protection Authority which would be responsible for imposing administrative fines.
|France||29.06.2017||Legislation expected on collective redress for GDPR breaches.
|Germany||07.08.2017||Yes - § 42: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility).
§ 43: Fines for failure to handle an information request appropriately or to inform a consumer or to inform them fully and correctly and to do so within the prescribed time limits.
|Ireland||12.09.2017||The General Scheme envisages that:
• public authorities and public bodies will generally be exempt from administrative fines, except where they are acting as ‘undertakings’
• the Data Protection Commission may convene oral hearings before large administrative fines will be imposed
• appeals of administrative fines imposed by the Data Protection Commission will be subject to a time limit of 30 days from receipt of notice of the decision;
• the Data Protection Commission will be required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court.
|Poland||01.08.2017||Criminal sanctions restricted to most severe infringements. DPA may give admonitions instead of financial penalties for minor infringements. Financial penalties for public bodies will be limited to approx. 25,000 EUR.|
|UK||07.08.2017||Two new criminal penalties to be introduced:
1) re-identifying anonymised or pseudonymised data;
2)altering records with intent to avoid response to a subject access request.