UK GDPR and EU GDPR—sanctions and enforcement

The following Information Law practice note provides comprehensive and up-to-date legal information covering:

  • UK GDPR and EU GDPR—sanctions and enforcement
  • Supervisory authorities
  • Lead supervisory authorities and the one-stop shop under the EU GDPR
  • Investigative powers
  • Corrective powers of supervisory authorities and compensation claims
  • Fines
  • Criminal sanctions
  • Safeguards and procedures

This Practice Note introduces the approach to sanctions and enforcement under:

  1. the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime (which was applicable under UK law until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remains applicable in EEA states thereafter), and

  2. the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) regime (applicable under UK law from the end of the Brexit implementation period on 31 December 2020).

Where there is no need to distinguish the two regimes, this Practice Note refers to both as the ‘GDPR’ for convenience. Given the extent of data flows between the EEA and UK and how long it takes for data protection cases to be resolved or historic issues to otherwise arise, the sanctions and enforcement under the EU GDPR regime will remain of particular interest to UK practitioners. For more detailed guidance on each regime, see Practice Notes: UK GDPR—sanctions and enforcement and EU GDPR—sanctions and enforcement.

This Practice Note does not consider sanctions and enforcement under other data protection regimes, including the regimes applicable to the processing of personal data by competent authorities for law enforcement purposes or by the intelligence services. For further background on such other regimes, see Practice Note: The Data Protection Act
