|Austria||05.06.2018||Sec 30 ADPA governs the mechanism of imposing the GDPR penalties: The fines shall primarily be imposed directly against the responsible legal entity. Besides, the Austrian Data Protection Authority is still entitled to punish natural persons in charge (especially managing directors or representatives appointed under administrative law; not the Data Protection Officer). However, unless special circumstances of the individual incident require otherwise, only the responsible legal entity shall be fined.
Besides, Sec 62 ADPA provides for an administrative penalty of up to EUR 50.000 for any breach of the ADPA that is not subject to the GDPR fines (thus breaches of Austrian-specific provisions like CCTV-requirements).
Further, Sec 63 ADPA contains a criminal offence and provides for imprisonment or a fine for any unlawful data processing with the intention to gain profit or with the intention to damage another person (personal offences based on responsibility).
|Belgium||08.10.2018||BPA introduces different tiers of criminal penalties for violations of the BPA as well as the GDPR itself, with a maximum penalty of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.
The BPA also clarifies that a controller, processor, or its representative in Belgium, as the case may be, is in principle civilly liable for the payment of the fines which have been imposed on his contractor or agent.
Finally, the Act stipulates that the administrative fines of Article 83 GDPR cannot be imposed on public authorities, except when the latter is a public-law legal entity offering goods or services on a market.
|Czech Republic||13.09.2018||Section 59 stipulates fines for the administrative offence of unlawful publication of personal data where the prohibition of disclosure is stipulated by law (e.g. Criminal Procedure Code). Fines may amount to CZK 1 million. Maximum fines of CZK 5 million are stipulated if the administrative offence is carried out through print, film, radio, television, publicly accessible computer network or other similarly effective means.
Sections 60 and 61 stipulate various administrative offences in relation to data processing by public authorities and bodies. A fine up to CZK 10 million (i.e. lower than GDPR) may be imposed.
No new criminal penalties will be introduced (unauthorised use of personal data is already recognised by the current Criminal Code).
|Denmark||06.09.2018||Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and agrees to pay the fine.
|Finland||13.11.2018||Regarding infringements of the GDPR and the Data Protection Act which are not subject to GDPR administrative fines, the Act refers to the Criminal Code.
The Criminal Code includes provisions on Data Protection Offences, Message interceptions, Aggravated message interceptions, Computer break-ins, Aggravated computer break-ins, Secrecy offences and Secrecy violations.
In connection with the new Data Protection Act, the wording of the provision on Data Protection Offence, Chapter 38, Section 9 of the Criminal Code, is updated to address the infringements of the GDPR.
|France||11.02.2019||Articles 50-52. The FDPA reiterates the penalties provided for in Article 83 of the GDPR. The penalties do not apply to processing done by the State.
• Sanctions listed in articles 226-16 to 226-24 and in articles R. 625-10 to R. 625-13 of the French Criminal Code (e.g. collecting personal data by fraudulent, unfair or unlawful means, processing the national identification number in cases which are not provided for in the FDPA, not notifying a data breach etc.)
• Any action obstructing the CNIL's action
Yes - § 42 FDPA: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility).
§ 43 FDPA: Fines for failure to handle an information request appropriately or to inform a consumer or to inform them fully and correctly and to do so within the prescribed time limits.
|Hungary||01/04/2019||Covered by the amended InfoAct.|
Under the Act:
Sections 167, 167 bis and 167 ter of the IDPA provide sanctions (including criminal sanctions) for whoever, with a view to obtaining a personal gain or a gain for a third party, or with the intent to cause harm to another, unlawfully processes, transfers, discloses, disseminates or fraudulently acquires personal data.
Furthermore, Section 168 of the IDPA provides sanctions (including criminal sanctions) if you communicate or attest false information or if you intentionally try to interrupt or disrupt an ongoing procedure/investigation of the Authority.
Section 170 IDPA provides sanctions (including criminal sanctions) for people who do not respect the measures adopted by the Authority under Article 58(2)(f) GDPR and Article 2-septies(1) IDPA, as well as the general measures referred to in Article 21(1) of the legislative decree implementing Article 13 of law no. 163 of 25 October 2017.
Section 171 IDPA provides sanctions in the field of employment for employers breaching the guarantees on remote controls and monitoring of employees (Articles 4 and 8 of the Italian Workers' Statute).
Lastly, it is to be noted that Section 172 IDPA provides that being convicted of any of the above criminal offences shall entail publication of the relevant judgment.
|Poland||16.05.2018||The PDPA provides two criminal sanctions for: (i) unpermitted and unauthorized processing, and (ii) in case of jeopardizing or impeding the PUODO's inspection.|
|Slovakia||13.09.2018||Slovak criminal act no. 300/2005 Coll. sanctions the unauthorized use of personal data. Any person who, without lawful authority, communicates, makes accessible or discloses a) personal data of another obtained in connection with the execution of public administration or with the exercise of constitutional rights of a citizen, or b) personal data of another obtained in connection with the execution of his profession or employment, and thus breaches a generally binding legal regulation, shall be liable to a term of imprisonment.
|Spain||05.03.2019||The SDPA only provides administrative fines. It also provides a statute of limitations for data protection offenses (1 to 3 years depending on the offense) and a statute of limitations for fines (also between 1 and 3 years).|
|Sweden||06.09.2018||Under paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to Article 83 may also be imposed for infringement of Article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines (paragraphs 9-11).|
The Data Protection Act includes the following criminal offences:
(i) To knowingly or recklessly: (a) obtain or disclose personal data without the consent of the controller; (b) procure the disclosure of personal data to another person without the consent of the controller; (c) after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained; or (d) sell data if it was obtained in circumstances in which an offence has been committed under (a)-(c) (S170);
Director's Liability: If an offence has been committed by an organisation and it is proved to have been done with the consent or connivance or neglect of a director, manager, secretary or other officer, they can also be guilty of the offence (s196).