Contributed By Luther Rechtsanwaltsgesellschaft mbH (Cologne)
According to Article 84 of the GDPR, sanctions for violations of the data protection framework must be effective, proportionate and dissuasive. Depending on the circumstances of the individual case, fines are imposed in addition to or instead of measures pursuant to Article 58 paragraph 2 of the GDPR. Such measures may include, for example, reprimands; instructions to adapt data processing to legal requirements; and/or temporary or definitive prohibition of data processing. There is a catalogue of criteria in Article 83 paragraph 2 a-k of the GDPR for the assessment of sanctions. The maximum fine amounts to up to EUR20 million, or up to 4% of the total annual turnover achieved worldwide in the previous financial year, whichever is the higher. Here it is worthy of note that the annual turnover of the entire group and not that of the individual legal entity applies. Further, it should be noted that breach of data protection law will commonly be interpreted as unfair competition, entitling competitors to take legal action (including compensation of damages).