| Country |
Last reviewed |
Penalties |
|---|---|---|
| Belgium | 28.07.2017 | n/a |
| Czech Republic | 29.06.2017 | n/a |
| Denmark | 29.06.2017 | Administrative fines as prescribed in the GDPR not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. |
| Finland | 02.08.2017 | The Working Group has proposed that administrative fines would be supplemented with criminal sanctions in cases where fines are not available. The Working Group has also proposed establishing a new Sanctions Board under which the Data Protection Authority which would be responsible for imposing administrative fines. |
| France | 29.06.2017 | Legislation expected on collective redress for GDPR breaches. |
| Germany | 07.08.2017 | Yes - § 42: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility). § 43: Fines for failure to handle an information request appropriately or to inform a consumer or to inform them fully and correctly and to do so within the prescribed time limits. |
| Ireland | 12.09.2017 | The General Scheme envisages that:
• public authorities and public bodies will generally be exempt from administrative fines, except where they are acting as ‘undertakings’ • the Data Protection Commission may convene oral hearings before large administrative fines will be imposed • appeals of administrative fines imposed by the Data Protection Commission will be subject to a time limit of 30 days from receipt of notice of the decision; • the Data Protection Commission will be required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court. |
| Italy | 28.06.2017 | n/a |
| Netherlands | 28.06.2017 | n/a |
| Poland | 01.08.2017 | Criminal sanctions restricted to most severe infringements. DPA may give admonitions instead of financial penalties for minor infringements. Financial penalties for public bodies will be limited to approx. 25,000 EUR. |
| Spain | 27.07.2017 | n/a |
| Sweden | 17.07.2017 | n/a |
| UK | 07.08.2017 | Two new criminal penalties to be introduced: 1) re-identifying anonymised or pseudonymised data; 2)altering records with intent to avoid response to a subject access request. |