What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with Data Privacy Laws and Data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
The remedies available under the European Union’s General Data Protection Regulation (GDPR) are significant and go up to maximum of €20 million or four percent of worldwide turnover.
Data subjects are able to take action against processors and claim damages where they have "suffered material or immaterial damage" as a result of an infringement of the processor obligations under the GDPR.
As well as damages claims from data subjects, non-compliant data controllers and data processors are also vulnerable to sanctions by the regulator. The sanctions range from access and audit rights, to administrative orders and, ultimately, to fines of up to 4% of annual global turnover for certain breaches.
In Germany, if an employer (or other data controller) causes harm to a data subject by collecting, processing or using the employee’s personal data in violation of data protection regulations, the employer must compensate the data subject for the harm caused. There are no punitive damages under German law. The right to claim compensation also applies if the personal data is stored by non-automated procedures or filing systems. This obligation will not apply if the data controller has exercised due care in accordance with the circumstances of the specific case.
Under the Bundesdatenschutzgesetz, criminal offenses can result in prison sentences of up to 3 years, in addition to any levied fines. Fines of up to €50,000 can arise if a request for information is not handled correctly or a consumer is not properly informed.
HR Best Practices: Before processing personal data, make sure to be in line the security measures necessary to ensure data security within your organization. Furthermore, ensure all data processors have data breach response plans in place.