Non-compliance with the GDPR

The new GDPR/RGPD, which enters into force on May 25, establishes that data controllers and processors will be liable for breaches of the Regulation, which will be sanctioned with administrative fines. However, in the event of a minor infringement, or if the fine to be imposed would be a disproportionate burden for a natural person, a warning may be imposed instead.

Controller means the natural or legal person who determines the purposes and means of the processing. Thus, for example, a consultancy firm is responsible for the personal data relating to its employees and its customers; a self-employed person is responsible for processing the personal data of his customers and a hotel is responsible for the file of its guests.

Processor shall be the natural or legal person who processes personal data on behalf of the controller, as a result of the existence of a legal relationship linking him/her to the controller and delimiting the scope of his/her action for the provision of a service.

Which infringements are considered very serious by the AEPD?

Examples of very serious violations are: Use of data for a purpose other than that agreed. Obstructing an AEPD inspection. Deliberate reversal of an anonymization procedure to make it possible to re-identify data subjects.

What is the penalty for non-compliance with the GDPR?

The GDPR fines are as follows: Fine of up to EUR 10 million or up to 2% of the total aggregate annual turnover of the previous financial year.

What types of infringements are minor infringements under the data protection law?

Minor Infringements

– Failure to comply with the duty to inform the data subject about the processing of his or her personal data when the data is collected from the data subject himself or herself.
– The transmission of data to a data processor without complying with the formal duties established by law.


The grounds on which the Luxembourg authority relied to impose this fine are still not entirely clear. The Wall Street Journal noted that the decision was related to Amazon’s data collection practices, but did not include Amazon Web Services.

Since the adoption of the GDPR in April 2016, and especially since its application as of May 2018, many experts have been warning of the harshness of the penalties provided for by the new European regulation.

What acts in data protection matters would give rise to an infringement categorized as very serious by Law 3/2018 on the protection of personal data?

Serious Violations

The processing of personal data of a minor without obtaining his/her consent. … Entrusting the processing of data to a third party without the prior formalization of a contract or other written legal act with the required content. Not having the Register of processing activities.

What sanctions can be applied for the improper use of data or for the existence of security breaches in the processing and custody of personal data?

Failure to report security breaches is considered a serious breach and could lead to fines of up to €10 million or 2% of the company’s turnover in the previous financial year.

What happens if the data protection law is not complied with?

infringement: possibilities include a warning, a temporary or permanent ban on processing and a fine of up to EUR 20 million or 4 % of the total annual worldwide turnover.

Penalties for non-compliance with the data protection law examples

According to the new Regulation, failure to comply with personal data protection regulations is punishable by financial penalties that can be very high. In this regard, the GDPR classifies infringements into two categories:

To set the amount of the penalty (within the margins established for each of the infringements), a series of graduation criteria are taken into account (for example, the volume of business or activity of the infringer, the degree of intentionality, whether or not there is recidivism, the damage caused to the persons concerned and third parties…).

When the AEPD warns instead of imposing a financial penalty, the data controller or data processor must prove the adoption of the corrective measures indicated by the AEPD in its warning resolution. If compliance with these measures is not accredited, the AEPD will order the opening of a sanctioning procedure for such non-compliance, and may impose a sanction for a very serious infringement.

What is a warning sanction?

Sanction provided for minor offenses consisting of warning the offender of the impropriety of his conduct and of the consequences that may arise in the event of a repeat offense (consisting of the imposition of a more serious sanction).

When is the statute of limitations for Data Protection offenses?

Pursuant to Article 78 of the LOPDGDD, penalties imposed in application of the RGPD and the LOPDGDD become time-barred after:

– 1 year: penalties for an amount equal to or less than 40,000 euros.
– 2 years: penalties for amounts between 40,001 and 300,000 euros.
– 3 years: penalties for an amount greater than 300,000 euros.

Who controls data protection?

The Spanish Data Protection Agency is responsible for ensuring compliance with data protection regulations and monitoring their application.

Sanction tranche 2

The main objective of this new regulation is to protect the privacy of EU citizens’ personal data and to control how companies and institutions process, store and use this data. The new regulation replaces the 1995 Data Protection Directive to adapt it to the current context while harmonizing and unifying the specific legislation of each country. Precisely, its regulatory nature makes it directly binding.

Companies that rely on Adaptive Defense have an advantage when it comes to complying with the requirements of the GDPR, since it has the tools to implement all these prevention and protection measures.

Fines for non-compliance with the new regulation will be heavy and can reach up to 20 million euros or 4% of the company’s annual global turnover. These maximum penalties will be imposed in the event that a company has very serious breaches such as not having sufficient customer consent to process their data.

By Rachel Robison

Rachel Robison is a blogger who collects information on court filings and notices.