Penalties

Overview

Country
Last reviewed
Penalties

Austria 05.06.2018 Sec 30 ADPA governs the mechanism for imposing the GDPR penalties: the fines shall primarily be imposed directly on the responsible legal entity. In addition, the Austrian Data Protection Authority is still entitled to punish the natural persons in charge (especially managing directors or representatives appointed under administrative law; not the Data Protection Officer). However, unless special circumstances of the individual incident require otherwise, only the responsible legal entity shall be fined.

In addition, Sec 62 ADPA provides for an administrative penalty of up to EUR 50.000 for any breach of the ADPA that is not subject to the GDPR fines (i.e. breaches of Austria-specific provisions such as the CCTV requirements).

Further, Sec 63 ADPA contains a criminal offence and provides for imprisonment or a fine for any unlawful data processing with the intention to gain profit or with the intention to damage another person (personal offences based on responsibility).
Belgium 17.05.2018 n/a
Czech Republic 16.05.2018 Section 59 stipulates fines for the administrative offence of unlawful publication of personal data where the prohibition of disclosure is stipulated by law (e.g. Criminal Procedure Code). The fine may amount to CZK 1 million. A maximum fine of CZK 5 million is stipulated if this administrative offence is carried out through print, film, radio, television, a publicly accessible computer network or other similarly effective means.
Sections 60 and 61 stipulate various administrative offences in relation to data processing. A fine up to CZK 10 million may be imposed.
No new criminal penalties will be introduced (unauthorised use of personal data is already recognised by the current Criminal Code).
Denmark 22.05.2018 Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and agrees to pay the fine.
Finland 17.05.2018 The administrative fines pursuant to Article 83 may also be imposed for the breach of Article 10. The penalties cannot be imposed on Finnish public authorities.
France 22.05.2018 The New French Data Protection Act reiterates the penalties provided for in Article 83 of the GDPR. The penalties do not apply to processing implemented by the State.
Germany 23.05.2018

Yes - § 42 FDPA: Imprisonment or a fine for (1) unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person; (3) fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility).  

§ 43 FDPA: Fines for failure to handle an information request appropriately or to inform a consumer or to inform them fully and correctly and to do so within the prescribed time limits.

Hungary 17.05.2018 n/a 
Ireland 28.07.2017

Imprisonment of up to 12 months for unauthorised access to or disclosure of personal data. Directors personally liable for corporate offences where negligent, provided consent or connivance. 

Italy 17.05.2018

Section 15 of the Scheme amends some IDPA provisions, in particular there are criminal sanctions for the following:

a) unlawfully processing (i) traffic data relating to contracting parties and users that are processed by the provider of a public communications network or publicly available electronic communications service and (ii) location data other than traffic data. 
b) using automated calling or communications systems without human intervention for the purposes of direct marketing or sending advertising materials (without the data subject's consent) and the data processing is in breach of the provision concerning the Calling Line Identification.
Criminal sanction: Imprisonment for between six and eighteen months.

c) unlawfully processing special categories of data/criminal records data.
Criminal sanction: Imprisonment for between twelve and thirty-six months.
d) unlawfully transferring data to a third country in breach of the conditions set out in Sections 45, 46 and 49 GDPR.
Criminal sanction: Imprisonment for between twelve and thirty-six months.
e) declaring or attesting to untrue information or circumstances, or else submitting forged records or documents in a proceeding before the Italian DPA and/or in the course of inquiries.

Criminal sanction: Imprisonment for between six months and three years.

Furthermore, Section 15 of the Scheme introduces new offences in the IDPA, in particular:
• the disclosure or dissemination of personal data relating to a large number of people in breach of various Section 2 provisions of IDPA.
Criminal sanction: Imprisonment for between one and six years.
• the disclosure or dissemination of personal data relating to a large number of people without their consent, when it was the necessary lawful basis.
Criminal sanction: Imprisonment for between one and six years.
• fraudulently acquiring personal data relating to a large number of people.
Criminal sanction: Imprisonment for between one and four years.
Lastly, it is to be noted that Section 172 IDPA foresees that being convicted of any of the offences referred to in this Code shall entail publication of the relevant judgment.

Netherlands 17.05.2018 n/a
Poland 16.05.2018 PDPA provides two criminal sanctions: (i) for unpermitted and unauthorized processing, and (ii) for jeopardizing or impeding the GIODO's inspection.
Spain 16.05.2018 Spanish Data Protection Draft Bill only provides administrative fines.
Sweden 22.05.2018 According to paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to Article 83 may also be imposed for infringement of Article 10 of the GDPR.
UK 23.05.2018

The Data Protection Act includes the following criminal offences:

(i) To knowingly or recklessly (a) obtain or disclose personal data without the consent of the controller; (b) procure the disclosure of personal data to another person without the consent of the controller; (c) after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained; or (d) sell data if obtained in circumstances in which an offence has been committed under (a)-(c) (S170);
(ii) To knowingly or recklessly re-identify information that is de-identified personal data without the consent of the responsible controller (S171);
(iii) To alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure pursuant to a subject access request (S173);
(iv) To destroy or falsify documents, or to permit their destruction or falsification, with the intention of obstructing the commissioner after an information or assessment notice has been given.

Director's Liability: If an offence has been committed by an organisation and it is proved to have been done with the consent or connivance or neglect of a director, manager, secretary or other officer, they can also be guilty of the offence (s196).