Penalties

Overview

Country
Last reviewed
Penalties

Belgium 28.07.2017 n/a
Czech Republic 29.06.2017 n/a
Denmark 29.06.2017 Administrative fines as prescribed in the GDPR not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty.
Finland 02.08.2017 The Working Group has proposed that administrative fines would be supplemented with criminal sanctions in cases where fines are not available. The Working Group has also proposed establishing a new Sanctions Board under which the Data Protection Authority which would be responsible for imposing administrative fines.
France 29.06.2017 Legislation expected on collective redress for GDPR breaches.
Germany 07.08.2017 Yes - § 42: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility).

§ 43: Fines for failure to handle an information request appropriately or to inform a consumer or to inform them fully and correctly and to do so within the prescribed time limits.
Hungary 16.10.2017 n/a 
Ireland  12.09.2017  The General Scheme envisages that:
• public authorities and public bodies will generally be exempt from administrative fines, except where they are acting as ‘undertakings’
• the Data Protection Commission may convene oral hearings before large administrative fines will be imposed
• appeals of administrative fines imposed by the Data Protection Commission will be subject to a time limit of 30 days from receipt of notice of the decision;
• the Data Protection Commission will be required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court.
Italy 28.06.2017 n/a
Netherlands 28.06.2017 n/a
Poland 01.08.2017 Criminal sanctions restricted to most severe infringements. DPA may give admonitions instead of financial penalties for minor infringements. Financial penalties for public bodies will be limited to approx. 25,000 EUR.
Spain 27.07.2017 n/a
Sweden 17.07.2017 n/a
UK 07.08.2017 Two new criminal penalties to be introduced:
1) re-identifying anonymised or pseudonymised data;
2)altering records with intent to avoid response to a subject access request.