Sanctions and enforcement under the GDPR
Produced in partnership with Stephanie Pritchett of Pritchetts Law

The following Financial Services guidance note, produced in partnership with Stephanie Pritchett of Pritchetts Law, provides comprehensive and up-to-date legal information covering:

  • Sanctions and enforcement under the GDPR
  • Monitoring and enforcement of the application of the GDPR—roles and powers
  • Investigative powers
  • Corrective powers
  • Criminal sanctions
  • Administrative fines
  • Safeguards and procedures
  • Appeals

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) became directly applicable and fully enforceable in EU Member States on 25 May 2018.

The main approach to sanctions and enforcement under the GDPR is to introduce higher penalties for non-compliance, in the hope that the increased penalty provisions, and in particular the increased levels of fines (up to the greater of 4% of total global annual turnover or €20m), will produce higher levels of compliance. The GDPR also created the European Data Protection Board (EDPB) in an attempt to impose a more consistent application of the GDPR and penalties