Penalties under the General Data Protection Regulation
At present, everyone is talking about the General Data Protection Regulation (GDPR). The regulation came into force on May 24, 2016, and will be directly applicable in Austria as well as of May 25, 2018. Media reporting focuses on the sanction provisions of the GDPR: these provide for financial penalties that differ significantly from those that can be imposed under current legislation.
Certain violations are penalized with fines of up to EUR 20 million or, in the case of a company, up to 4% of the total annual turnover achieved in the previous financial year (Article 83 paragraph 5 GDPR). These penalties can be imposed not only on globally operating corporations, but also on small and medium-sized companies.
It is argued that the accumulation principle applies in Austrian administrative criminal law. Under this principle, penalties are imposed in parallel for each act and are consequently added together. This also applies if a single act violates several provisions. In the worst case, therefore, there is the threat of a total penalty that clearly exceeds the amounts mentioned above.
In general, there is currently an identifiable trend toward sanctioning non-compliance with legislation through fines that threaten a company's existence. Similarly, the Insurance Distribution Directive (IDD), adopted at the end of February 2016, provides for a maximum penalty of at least EUR 5 million or 5% of the company's total annual turnover, up to double the profit gained or the loss avoided by the violation (Article 33 paragraph 2 e IDD).
In both cases (GDPR and IDD), the “EU legislation” provides for a competent authority to impose the penalties. This stands in tension with the case law of the Austrian Constitutional Court, which holds that the imposition of high fines is reserved for the ordinary courts. Although the court has not drawn a concrete limit, it has already considered an administrative penalty of EUR 72,000.00 to be no longer permissible. It is therefore quite possible that, in the opinion of the Constitutional Court, (high) penalties under the GDPR or the IDD can only be imposed by the ordinary courts.
The GDPR contains an exemption clause whereby fines, even though they are “initiated” by the competent authority, are ultimately imposed by a court (Article 83 paragraph 9 GDPR). Based on this provision, the Austrian legislature could resolve the tension between the GDPR and national constitutional law.
It remains to be seen to what extent the legislature will make use of this provision and provide for judicial jurisdiction over fines under the GDPR. The same applies to the IDD, which, as a directive, must be implemented into national law; the legislature has until 23 February 2018 to do so.
Regardless of the still outstanding transposition acts, it is already certain that violations of the GDPR and the IDD are punishable by exorbitant fines. In addition, claims for damages, reputational damage and competitive disadvantages may also arise in a serious case. Therefore, in order to ensure a timely transition to the future legal situation and to avoid penalties, (insurance) companies are advised to deal with the new requirements as soon as possible.
BLS Attorneys at Law will be happy to advise you on all matters of data protection law as well as on insurance law, and will assist you during the preparation for the challenges of the GDPR and the IDD.