European Data Protection Regulation: Enforcement and Sanctions
The European General Data Protection Regulation (GDPR) aims to ensure the protection of individuals’ personal data within the EU. In Estonia, the Data Protection Inspectorate is responsible for enforcing the GDPR and imposing sanctions on organizations that violate the regulations.
Fines
The GDPR introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or €20m, whichever is greater. These fines can be imposed for breaches such as:
- Failure to comply with data quality principles
- Carrying out processing without satisfying a condition for processing personal data
In Estonia, the Data Protection Inspectorate has the authority to impose fines under national law. The maximum penalty is EUR 20,000,000 or up to 4% of the organization's total global annual turnover for the previous financial year, whichever amount is higher.
Imprisonment
The Estonian Penal Code sets out penalties for intentional or negligent infringement of the GDPR. Offences such as:
- Illegal disclosure of personal data
- Enabling illegal access
can result in imprisonment for up to one year.
Compensation
Data subjects have a right to compensation in respect of material and non-material damage caused by violations of the GDPR. This requires more than a mere infringement of the regulation, and there must be actual material or non-material damage.
Other Powers
The Data Protection Inspectorate has a range of powers and sanctions at its disposal, including:
- Investigative powers
- Corrective powers
- The ability to issue warnings or reprimands
Practice
In recent years, the Data Protection Inspectorate has issued several fines and precepts for violations of the GDPR. These include:
- A €200,000 fine imposed on a hospital for storing health data in an open construction garbage container
- A precept issued to three online pharmacies for processing personal data without consent
The Data Protection Inspectorate’s annual report for 2021 shows that it received a total of 693 complaints, challenges, and misdemeanour notices. In addition to fines, the inspectorate has also issued warnings and reprimands to organizations that violate the GDPR.
Conclusion
The European GDPR aims to ensure the protection of individuals’ personal data within the EU. The Data Protection Inspectorate in Estonia is responsible for enforcing the regulation and imposing sanctions on organizations that violate it. Fines, imprisonment, compensation, and other powers are available to the inspectorate as part of its enforcement efforts.