
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply:
- to processing in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- to the processing of personal data of data subjects who are located in the Republic of Albania by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- to processing by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, from the analysis of a biological sample taken from that person (Article 5(25)).
“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts acting in the course of their judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his or her health condition or when his or her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, or for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences, or to related security measures, is carried out only under the control of a competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure that minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure and the publication relates to their role.
These exceptions do not apply to the processing of data about minors, and they do not displace certain other legal provisions.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information is not restricted by personal data protection laws in respect of public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.
Breach notification in Albania
Controller’s notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller’s notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor’s notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
Sensitive data may be processed for direct marketing purposes only with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles, which apply mutatis mutandis, the Data Protection Law contains a few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.
To clarify the notion of cookies and their use, the Commissioner has defined cookies in an online glossary as data stored on the computer that contain specific information. This rudimentary definition is complemented by a short explanation that cookies allow a server to know which pages have been visited recently simply by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP address or modem number);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from processing for direct marketing purposes if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
The Commissioner is the competent authority for the supervision and enforcement of the Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a fine.
Articles 47 to 74 of Law No. 18-07 provide that non-compliance with the Data Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and / or imprisonment between two months and five years.
Data protection
As mentioned above, the competent authority for the enforcement of Data Protection Law is the APD. However, considering that the APD was recently created, the level of enforcement is not significant at this stage.
Electronic communications
INACOM regulates and monitors compliance with the Electronic Communications and Information Society Services Law, and issues penalties for its violation. Presently, INACOM’s level of enforcement is not yet significant.
There are several enforcement mechanisms:
- The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case of violation.
- Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.
- Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality or updating.
The authorized body for the protection of personal data is entitled to:
- check, on its initiative or on the basis of an appropriate application, the compliance of the processing of personal data with the requirements of this Law;
- apply administrative sanctions prescribed by law in the case of violation of the requirements of this Law;
- require blocking, suspending or terminating the processing of personal data violating the requirements of this Law;
- require from the processor rectification, modification, blocking or destruction of personal data where grounds provided for by this Law exist;
- prohibit completely or partially the processing of personal data as a result of examination of the notification of the processor on processing personal data;
- keep a register of processors of personal data;
- recognize electronic systems for processing of personal data of legal persons as having an adequate level of protection and include them in the register;
- check the devices and documents, including the existing data and computer software used for processing data;
- apply to court in cases provided for by law;
- exercise other powers prescribed by law;
- maintain the confidentiality of personal data entrusted or known to it in the course of its activities;
- ensure the protection of rights of the data subject;
- consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope of its powers;
- submit, once a year, a public report on the current situation in the field of personal data protection and on the activities of the previous year;
- conduct research and provide advice on the processing of data, on the basis of applications or requests from processors, or inform on best practices in the processing of personal data;
- report to law enforcement bodies where doubts arise with regard to violations of criminal law nature in the course of its activities.
National Ordinance Person Registration
Pursuant to article 20 of the National Ordinance Person Registration, an individual violating its provisions can be punished with a maximum fine of Afl. 10,000 (approx. USD 5,586.59).
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. Article 82 of the Regulation provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” has the right to receive compensation from the controller or processor for the damage suffered.
Fines
Article 83 of the GDPR specifies administrative fines that vary based on the nature and severity of the infringement and the degree of cooperation that controllers and processors provide to the supervisory authority. Less severe infringements may incur administrative fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover for the preceding financial year (whichever is higher), while more severe infringements double these ceilings (EUR 20,000,000 or 4% of annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
The Information Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made. Generally, the Information Commissioner prefers mediated outcomes between the complainant and the relevant organization. Importantly, where the Information Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC website of the entire investigation report.
The Information Commissioner may also investigate any "interferences with the privacy of an individual" (i.e. any breaches of the APPs) on its own initiative (i.e. where no complaint has been made) and the same remedies as below are available. With a number of large scale, high profile data breaches occurring in Australia recently, the Information Commissioner appears to be adopting a more proactive and more publicised approach to investigation and enforcement action. The Information Commissioner's proactive approach to enforcement will be enhanced by the measures in the Privacy Act Amendment Act, which includes the ability to issue infringement notices in relation to some civil penalties (see below) and hold public inquiries into privacy matters.
After investigating a complaint, the Information Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and / or humiliation). The maximum penalties that may be sought by the Information Commissioner and imposed by the Courts for serious interferences with the privacy of individuals are the greater of (i) AUD$ 50 million, (ii) three times the benefit of a contravention, or (iii) (where the benefit cannot be determined) 30% of domestic turnover. As a result of the Privacy Act Amendment Act, a lower civil penalty of up to AUD$ 3.3 million (using current penalty units) will apply for non-serious interferences with privacy.
The Privacy Act Amendment Act also allows the Commissioner to issue infringement notices, which result in payment of civil penalties, for specific breaches of the APPs. These are breaches considered to be administrative in nature, and include non-compliant privacy policies, failure to provide appropriate opt-out mechanisms for direct marketing and failure to deal with correction requests.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. The Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. Under EU case-law regarding competition, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. It is not yet clear whether this will translate directly to GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy broad investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR provides for specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" because of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss. These claims can be made at any competent court.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Furthermore, individuals may lodge a complaint to a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Austria regulation
In Austria, the Austrian Data Protection Authority is responsible for the enforcement of the GDPR. Pursuant to Section 11 DSG, the Austrian Data Protection Authority must impose administrative fines under Article 83 GDPR in a proportionate manner. In particular, in the case of first-time breaches, the Authority should also apply the measures under Article 58 GDPR, notably the possibility of issuing warnings instead of imposing fines.
The fines under the GDPR are imposed under Austrian administrative criminal law. The Austrian administrative criminal law in general does not allow authorities to impose fines against a legal entity, but provides only for the liability of natural persons; in cases where violations are committed by a legal entity, the liable persons are either statutory representatives (directors) or persons appointed as responsible persons for adherence with specific administrative laws. However, the DSG provides a possibility to impose fines against legal entities, in the following cases:
- A violation of the GDPR or DSG is committed by a natural person who (1) has the power to represent the legal entity or to make decisions on its behalf, or (2) has supervisory powers in the legal entity, and who has committed the offence either alone or as part of an organ of the legal entity (e.g., the management board);
- An employee of the legal entity violates the provisions of the GDPR or DSG and the violation was possible due to insufficient supervision or control by a natural person who has the power to (1) represent the legal entity, (2) make decisions on behalf of the legal entity, or (3) exercise supervisory powers in the legal entity, provided the violation is not subject to criminal law.
The Authority may impose the fine against either the legal entity or the responsible natural person, as appropriate. If the fine is imposed against a legal entity, the Authority is required to identify the particular natural person whose violations are attributed to that entity; that natural person may not then be fined for the same breach.
Public bodies cannot be fined for violations of GDPR or DSG.
If the rights of a data subject are breached as a result of the illegal collection and processing of personal data, inadequate protection of such data, or non-compliance with the statutory requirements, the data subject may claim for compensation of material and moral damages sustained by him/her through the local court.
The DPC of The Bahamas is largely responsible for the enforcement of data protection in the jurisdiction. Section 15(1) states that the DPC may investigate, or cause to be investigated, whether any of the provisions of the DPA have been contravened by a data controller or a data processor in relation to an individual, either where an individual has complained of a contravention of any DPA provision or where the DPC is otherwise of the opinion that a contravention may have occurred. Enforcement measures the DPC can utilize include enforcement notices (Section 16 DPA), prohibition notices (Section 17 DPA), information notices (Section 18 DPA), and in rare instances bringing and prosecuting summary offences under the DPA (Section 28 DPA).
Aside from its statutory functions, the DPC is also tasked with educating the public of data protection issues and trends and providing assistance in data breach remediation.
In accordance with Section 29(1) DPA, penalties for a person guilty of an offence under DPA are liable on summary conviction to a fine not exceeding $2,000.00 Bahamian Dollars; or on conviction on information, to a fine not exceeding $100,000.00 Bahamian Dollars. Further, Section 29(2) provides that where a person is convicted of a DPA offence, the court may also order that any data material which appears to the court to be connected with the commission of the offence to be forfeited or destroyed and any (relevant) data to be erased.
The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also available to any individual who has incurred damage arising from the processing of their personal data by the data controller, or arising from the data protection officer's violation of the PDPL. Appeals can be made against decisions of the Authority.
The PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.
Criminal penalties of imprisonment of not more than one year and / or a fine of between BHD 1,000 and BHD 20,000 can be imposed on any individual who:
- processes sensitive personal data in violation of the PDPL;
- transfers personal data outside Bahrain to a country or region in violation of the PDPL;
- processes personal data without notifying the Authority;
- fails to notify the Authority of any change made to the data of which they have notified the Authority;
- processes certain personal data without prior authorization from the Authority;
- submits to the Authority or the data subject false or misleading data to the contrary of what is established in the records, data or documents available at their disposal;
- withholds from the Authority any data, information, records or documents which they should provide to the Authority or enable it to review them in order to perform its missions specified under the PDPL;
- causes to hinder or suspend the work of the Authority's inspectors or any investigation which the Authority is going to make; and / or
- discloses any data or information which they are allowed to have access to, due to their job or which they used for their own benefit or for the benefit of others unreasonably and in violation of the provisions of the PDPL.
There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.
Where the Commissioner is satisfied that a data controller or a data processor has contravened or is contravening this Act, the Commissioner may serve him an "enforcement notice".
In deciding whether to serve an enforcement notice, the Commissioner must consider whether the contravention has caused or is likely to cause any person damage or distress.
According to Data Protection Law, NPDPC supervises the processing of personal data by operators and authorised persons. In the case of a breach of personal data legislation, NPDPC has the right to issue a demand to eliminate the detected violations and / or to terminate personal data processing in the information resource (system). Term for elimination and / or termination is set by the NPDPC, but shall not be longer than six months.
Violation of personal data protection legislation may result in civil, criminal and administrative liability. If the violation has led to moral damages, the violator may be required by the court to reimburse such damages.
Administrative Offences Code of Republic of Belarus stipulates specific sanctions for personal data processing violations, including:
- intentional illegal collection, processing, storage or transfer of personal data of an individual or violation of his / her rights related to the processing of personal data may cause a fine up to 50 base units; intentional distribution – up to 200 base units (since 1 January 2025 one base unit equals BYN 42, approx. EUR 12);
- non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20 to 50 base units for legal entities.
NPDPC announced plans to increase liability for violations of data protections laws, but no changes have been adopted yet.
The Criminal Code of Republic of Belarus envisages criminal liability for the following breaches:
- unlawful collection or provision of information relating to the private life and / or personal data of another person without his / her consent, causing substantial harm to the rights, freedoms and legitimate interests of a citizen: depending on the circumstances (such as the volume of data and the gravity of the harm), a person may be sentenced to community work, a criminal fine, arrest, or the restriction or deprivation of liberty for up to two years. For unlawful distribution, the restriction or deprivation of liberty for up to three years together with a criminal fine. Higher liability may apply if the offence relates to victims performing public functions;
- failure by a person who processes personal data to comply with measures to ensure the protection of personal data, which has inadvertently resulted in their dissemination and caused serious consequences: a person may be sentenced to a criminal fine, deprivation of the right to occupy certain positions or perform certain activities, corrective work for up to one year, arrest, restriction of liberty for up to two years or deprivation of liberty for up to one year.
Belgium regulation
In addition to the GDPR, the Data Protection Act introduces a specific procedure for actions for injunctions that can be initiated by the data subject or by the Data Protection Authority (DPA).[1] These claims should be brought before the President of the Court of First Instance, except when the personal data is processed in criminal investigations or procedures.[2] There is no single court territorially competent to hear these claims.[3]
The Data Protection Act also contains a legal basis that allows a body, organisation or non-profit organisation to represent the data subject upon its request when it:
- was founded in accordance with Belgian law;
- has legal personality;
- has statutory objectives of public interest;
- has been active in the area of the protection of personal data for at least 3 years.4
In addition, an interested third party can appeal measures of the Inspection Service, intervene in proceedings before the Litigation Chamber and appeal decisions of the Litigation Chamber.[5] An interested third party is any natural or legal person who was not a party to the proceedings before the Litigation Chamber but who suffers a personal, direct, certain, actual and legitimate prejudice as a result of a decision of the Litigation Chamber or the Inspection Service.[6]
The DPA can impose administrative fines under article 83 of the GDPR,[7] but public authorities, their agents and authorised representatives are exempted insofar as they are not offering goods or services on the market.[8] A supervisory authority can exercise the corrective measures set out in article 58.2 GDPR, but with regard to public authorities only over the categories enumerated in the Data Protection Act.[9]
The DPA can also impose penalty payments to incentivize the infringer to comply with a judgment; it has published a policy on such payments.[10]
Depending on the infringement and the infringer, the controller, processor, competent public authority or their agent can be subjected to criminal sanctions, such as criminal fines between EUR 800 and EUR 160,000 and publication of the judgment.[11]
The DPA consists of 6 different Committees.
The First-line Service checks the admissibility of complaints[12] before referring them to the Inspection Service[13] or the Litigation Chamber.[14] The First-line Service can also start mediation proceedings where necessary.[15] Since the legislative reform introduced by the Act of 25 December 2023, the admissibility criteria are not merely formal in nature but also substantive. The admissibility criteria for a complaint, as assessed by the First-line Service, are as follows:[16]
- Complaint written in an official language;
- Explanation of the facts and indications for the identification of the relevant processing activities;
- Competence of the DPA;
- Plaintiff's procedural interest;
- Proof of mandate if filed in the name and on behalf of another person;
- Contact details of the controller;
- Prior exercise of data subject rights if possible;
- Existence of other pending proceedings for the same facts.
The Inspection Service of the DPA enjoys investigation powers, such as to identify persons, interview persons, conduct written interrogations, conduct on-site investigations, consult information systems and copy the data they contain, consult information electronically, seize or seal goods or computer systems, and demand the identification of the subscriber or the normal user of an electronic communication service or of the electronic means of communication used.[17] Additionally, the inspector-general and the inspectors of the inspection committee may order the temporary suspension, restriction or freezing of the data processing activities that are the subject of an investigation if this is necessary to avoid a serious, immediate and difficult-to-repair disadvantage.[18] They can also request further information.[19]
The Litigation Chamber can, inter alia, follow up on a complaint but also propose a settlement, formulate warnings and reprimands, order compliance with data subjects’ requests to exercise their rights, order the suspension of cross-border data flows, and impose periodic penalty payments and / or administrative fines.[20]
The Litigation Chamber can also take interim decisions.[21]
Starting from 25 April 2025, decisions on the merits no longer need to be taken by a panel of three members but can be taken by a single judge.
Specific provisions according to Art. 85 to 87 and Art. 89 GDPR
The legislator has made use of the opportunity offered by the GDPR to provide exemptions or derogations from certain obligations when the processing is carried out for journalistic purposes and the purposes of academic, artistic or literary expression. For those purposes, the Data Protection Act exempts the controller not only from respecting certain data subjects’ rights under the GDPR but also from some obligations of the controller (e.g. notification in case of breaches, transfer requirements, etc.) and from the investigative powers of the DPA.[22]
The Data Protection Act also introduces two regimes for the derogations relating to the processing for archiving, scientific or historical research purposes or statistical purposes:
- general safeguards requiring, among others, register, information,[23] contractual[24] and security requirements; or
- compliance with a code of conduct.[25]
The Data Protection Act does not include other derogations relating to employment.
Footnotes
1. Art. 211 par. 3 Data Protection Act.
2. Art. 209 Data Protection Act.
3. Art. 209 par. 2 Data Protection Act.
4. Art. 220 par. 2 Data Protection Act.
5. Art. 71, 90, 98 and 108, par. 3 DPA Act.
6. Art. 108, par. 3 DPA Act.
7. Art. 101 DPA Act.
8. Art. 221 par. 2 Data Protection Act.
9. Art. 221 par. 1 Data Protection Act.
10. Policy on penalty payments of the Litigation Chamber of the DPA.
11. Art. 222 et seq Data Protection Act.
12. Art. 22, par. 1, 1° DPA Act.
13. Art. 76 and 85, 6° Internal Rules of Procedure of the Data Protection Authority.
14. Art. 92, 1° DPA Act.
15. Art. 22, par. 1, 2° DPA Act.
16. Art. 60 DPA Act.
17. Art. 66 DPA Act.
18. Art. 70 DPA Act.
19. Art. 76 DPA Act.
20. Art. 95 DPA Act.
21. Art. 94 DPA Act.
22. Art. 24 Data Protection Act.
23. Art. 193 Data Protection Act.
24. Art. 194 Data Protection Act.
25. Art. 187 Data Protection Act.
The data protection laws empower the authorities to impose various sanctions depending on the severity of the infringement. However, the level of enforcement remains quite low due to resource limitations and the fact that this field of law is still new to the administration, businesses and data subjects.
The Authority may issue a warning to a data controller who fails to comply with the obligations arising from the Digital Code. It may also give formal notice to the data controller to put an end to the non-compliance within a set period of time, which may not exceed eight (08) days.
The following constitute serious infringements of the Digital Code:
- unfairly collecting personal data;
- communicating personal data to an unauthorized third party;
- collecting sensitive data, data relating to offences or a national identification number, without complying with the legal conditions;
- collecting or using personal data in such a way as to cause a serious breach of the fundamental rights or the privacy of the individual concerned;
- preventing the Authority's services from carrying out an on-site inspection, or obstructing such an inspection.
Where the data controller fails to comply with the formal notice, the Authority may impose the following sanctions, in accordance with the principle of adversarial proceedings:
- a pecuniary penalty, except in cases where processing is carried out by the State;
- an injunction to cease processing personal data;
- a final or temporary withdrawal of the authorization granted in application of the provisions of the Digital Code;
- blocking of certain personal data.
The amount of the fine is proportionate to the seriousness of the breaches committed and to the benefits derived from the breach.
For the first breach, it may not exceed XOF fifty million (50,000,000). In the event of repeated breaches within five (05) years of the date on which the penalty previously imposed became final, it may not exceed XOF one hundred million (100,000,000) or, in the case of a company, five percent (5%) of sales excluding tax for the last financial year closed, up to a maximum of XOF one hundred million (100,000,000).
Where the Authority has imposed a fine that has become final before the criminal court has given a final ruling on the same or related facts, the criminal court may order that the Authority's fine be deducted from the fine it imposes.
Sanction by the data protection Authorities may be appealed before the competent administrative court.
Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes provision for criminal offences and penalties (including imprisonment) for misuse of personal information. In addition, a breach of the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These remedies are to be sought through, and enforced by, the Bermuda courts.
An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be brought against company directors and other officers in a personal capacity.
Any individual or entity who believes they have been unduly or illegally prevented from accessing, objecting to, or requesting the deletion or rectification of personal data registered via physical, electronic, magnetic, or computerized means, whether in public or private files or databases, may file a constitutional legal action known as a 'Private Protection Action'. This applies in particular if the data at issue impacts the individual's fundamental right to personal or family privacy, or concerns their image, honor, and reputation.
Personal Data Protection Act BES
Pursuant to the Personal Data Protection Act BES the committee is authorized to impose an order under administrative coercion to enforce the obligations laid down by or pursuant to the Personal Data Protection Act BES.
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
The DPA enforces the DP Law. The DPA is authorized and obliged to monitor implementation of the DP Law, both ex officio, and upon a third-party complaint. If the DPA finds that a particular person or entity processing personal data acted in violation of data processing rules, it may request that the controller discontinue such processing and order specific measures to be carried out without delay.
When acting upon the complaints, the DPA may also issue a decision by which it can order blocking, erasing or destroying of data, adjustment or amendment of data, temporary or permanent ban of processing, issue warning or reprimand to the controller. The decision of the DPA may not be appealed; however, a party may initiate administrative dispute before the Court of BiH.
The DPA can initiate a misdemeanor proceeding against the respective data controller before the competent court, depending on the gravity of the particular misconduct and the data controller’s behavior with respect to the same. The offenses and sanctions are explicitly prescribed by the DP Law, which includes monetary fines for a controller in the amount between €2,550 and €51,100, as well as for the controller's authorized representative in the amount between €100 and €7,700.
The Draft Data Protection Law, although still not as strict as the GDPR, foresees fines which are significantly higher than the ones foreseen by the Current Data Protection Law. Specifically, the Draft Data Protection Law introduces fines in the amount of up to BAM 200,000 (approx. EUR 100,000) or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
Breach of personal data protection regulations represents a criminal offense of unauthorized collection of personal data by all criminal codes applicable in BiH (Criminal Code of BiH, Criminal Code of the Republic of Srpska, Criminal Code of the Federation of BiH and Crimes Code of Brčko Distrikt). Prescribed sanctions are monetary fines (in amount to be determined by the court) or imprisonment up to six (6) months (Criminal Code of BiH; Criminal Code of the Federation of BiH; Criminal Code of the Brčko Distrikt) or up to one (1) year (Criminal Code of the Republika Srpska).
As mentioned earlier, the Commission is the competent authority that is tasked with protection of personal data through effective application and compliance with the DPA.
The LGPD provides for penalties in case of violations of its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.
Other sanctions can include:
- Warning
- Publicizing of the violation
- Blocking the personal data to which the infraction refers until its regularization
- Deletion of the personal data to which the infraction refers
- Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller;
- Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period;
- Partial or total prohibition of activities related to data processing.
Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. On October 29, 2021, the ANPD published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. On February 24, 2023, the ANPD published the Regulation of Dosimetry and Application of Administrative Sanctions, which provides for the parameters of calculation of the above penalties. Until the present moment, the ANPD has only imposed one administrative sanction regarding violations to the LGPD by a private entity. Therefore, the level of enforcement activity is still uncertain.
Public authorities (such as consumer protection bodies and public prosecutors) are also entitled to monitor data protection matters and to apply penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.
Exceptions to the obligation to remedy a violation exist only if:
- The agent (ie, controller or the processor) did not carry out the data processing
- There was no violation of the data protection legislation in the processing, or
- The damage arises due to exclusive fault of the data subject or a third party
A breach of the DPA constitutes a criminal offence. Upon conviction, violators may be subject to a fine of up to US$100,000, imprisonment of up to five years, or both. A body corporate is punishable on conviction to a fine of up to US$500,000.
The Information Commissioner has broad investigative and corrective powers under the DPA, including the power to request and obtain information from parties subject to the law and to issue orders to carry out specific remediation activities.
The DPA provides for a private right of action where data subjects suffer damage or distress due to a breach of the DPA by a public or private body.
In addition, the DPA explicitly provides for personal liability in respect of offences committed by a body corporate where the offence is proven to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any director, secretary, or similar officer, or any person purporting to act in such capacity. Where the affairs of a body corporate are managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member’s function of management.
At present there is no enforcement authority.
It is anticipated that under the PDPO the Responsible Authority will administer and enforce the PDPO and will have the power to do any of the following:
- issue directions to organizations to:
  - stop collecting, using or disclosing personal data in contravention of the PDPO;
  - destroy personal data collected in contravention of the PDPO; or
  - provide access to or correct personal data;
- impose a financial penalty of up to BND 1 million or 10% of annual turnover on an organization for negligent or intentional breach of the PDPO.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Bulgaria regulation
The functions of supervision and control of the compliance with the GDPR in Bulgaria are shared between the Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regards to data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities.
The competences of the Commission are further defined by reference to art. 57 and 58 of the GDPR. Apart from performing the powers under the GDPR, the Commission is also entitled to:
- analyze and carry out overall supervision and ensure compliance with the GDPR, the Personal Data Protection Act and the legislative acts in the area of personal data protection;
- issue secondary legislation in the area of personal data protection;
- ensure the implementation of the decisions of the European Commission on the protection of personal data and the implementation of binding decisions of the European Data Protection Board;
- participate in international cooperation between data protection authorities and international organizations on personal data protection issues;
- participate in the negotiation and conclusion of bilateral or multilateral agreements on matters within its competence;
- organize, coordinate and conduct training in the field of personal data protection;
- issue administrative acts related to its authority in the cases provided for by law;
- adopt criteria for the accreditation of certification bodies;
- bring proceedings before the court for breach of the GDPR;
- issue mandatory instructions, give instructions and recommendations regarding the protection of personal data;
- impose coercive administrative measures.
The internal Rules of Procedure of the Commission further clarify its tasks, procedures and rules for work of its administration, as well as rules for the proceedings before the Commission.
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding administrative sanctions, but directly refers to the amounts of fines and pecuniary sanctions set out by the GDPR and the respective criteria for their determination. The Personal Data Protection Act specifies that all sanctions shall be imposed in the BGN equivalent of the EUR amounts set by the GDPR.
For other violations under the Personal Data Protection Act the data controller / data processor shall be subject to a fine or a pecuniary sanction of up to BGN 5,000.
A complaint against a decision of the Commission may be withdrawn until the expiry of the period for appealing the said decision. Otherwise, the Commission's decisions are subject to appeal before the Administrative Court Sofia within 14 days of receipt. Decisions of the Administrative Court are subject to appeal before the Supreme Administrative Court which decisions are final.
In case of a violation of his / her rights under the GDPR and the Personal Data Protection Act, every data subject is entitled to refer the matter to the Commission for Personal Data Protection within six months of becoming aware of the breach, but no later than two years from the date of the violation. In addition, data subjects are entitled to appeal the actions and acts of the data controller / data processor directly before the administrative courts or the Supreme Administrative Court, except where proceedings before the Commission on the same matter are pending, or where a decision regarding the same breach has been appealed and there is not yet a court decision in force.
The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of April 2, 1968, as amended periodically), and the penalty for such a crime includes imprisonment for up to seven years.
The law empowers the CIL to impose various sanctions depending on the severity of the infringement. However, the level of enforcement remains quite low due to resource limitations and the fact that this field of law is still new to the administration, businesses and data subjects.
The CIL may, directly or through an expert authorized for this purpose, carry out checks and controls on any processing of personal data.
However, if the data controller initiates the inspection, he or she must pay the inspection fees, the amount of which is set by order of the Minister of Finance.
On completion of its checks and inspections, the CIL may impose the following administrative sanctions on offenders, without prejudice to criminal prosecution:
- a warning;
- formal notice;
- injunction to cease data processing;
- blocking of certain personal data;
- lump-sum fines;
- withdrawal of authorization.
The amount of the fine is proportionate to the seriousness of the breaches committed and to the benefits derived from the breach.
The sanctions provided for by law are imposed on the basis of a report drawn up by one of the members of the CIL, appointed by the Chairman. This report is sent to the data controller, who may submit observations and be represented or assisted at a hearing before the CIL.
The amount of the fixed fine provided for by law is proportionate to the seriousness of the breaches committed and the benefits derived from the breach. For the first offence, the fine is one percent of sales excluding tax for the last financial year for which the accounts have been closed. In the event of a repeat offence, the fine is five percent of sales excluding tax for the last financial year for which the accounts have been closed. Fixed-rate fines are recovered as receivables from the State.
Financial penalties may also be imposed on any data controller, ranging from XOF five million (5,000,000) to XOF one hundred million (100,000,000).
Sanction by the data protection Authorities may be appealed before the competent administrative court.
The relevant sector specific agency or regulator is generally authorized to enforce violations of confidentiality requirements.
Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia, the enforcement of data protection would generally fall under the auspices of authorities across various sectors:
- the Ministry of Commerce;
- the Ministry of Post and Telecommunications; and
- the Ministry of Interior.
The Law No. 2024/017 of 23 December 2024 on the protection of personal data is too recent.
The Decree implementing the provisions of the law is not yet adopted.
Other ministerial orders are still awaited.
Consequently, we have not identified any significant application decisions for the time being.
Canadian privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.
Under PIPEDA, a complaint must be investigated by the Commissioner and a report will be prepared that includes the Commissioner’s findings and recommendations. A complainant (but not the organization subject to the complaint) may apply to the Federal Court for a review of the findings and the court has authority to, among other things, order an organization to correct its practices and award damages to the complainant, including damages for any humiliation that the complainant has suffered.
Under PIPA Alberta and PIPA BC, an investigation may be elevated to a formal inquiry by the Commissioner resulting in an order. Organizations are required to comply with the order within a prescribed time period, or apply for judicial review. In both BC and Alberta, once an order is final, an affected individual has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach.
In Alberta and BC, a person that commits an offence may be subject to a fine of not more than CA$100,000. Offences include, among other things, collecting, using and disclosing personal information in contravention of the Act (in Alberta only), disposing of personal information to evade an access request, obstructing the commissioner, and failing to comply with an order.
Similarly, under the Quebec Private Sector Act, an order from the CAI must be complied with within a prescribed time period. An individual may appeal to the judge of the Court of Quebec on questions of law or jurisdiction with respect to a final decision.
The Quebec Private Sector Act, as modified by Bill 64, introduced a regime of steep fines and administrative penalties in case of non-compliance. The maximum penalties range between CA$5,000 and CA$100,000 in the case of individuals, and between CA$15,000 and CA$25 million or 4% of worldwide turnover for the preceding fiscal year in the case of organizations. This new penalty regime represents a significant change from the previous Quebec regime, under which the maximum penalties were limited to CA$20,000. While enforcement action by the CAI has been limited since the adoption of Bill 64, it is expected to increase, with the CAI progressively showing signs of increased enforcement activity in recent months.
There are also statutory privacy torts in various provinces under separate legislation, and Ontario courts have recognized a common-law cause of action for certain privacy torts. In Quebec, a general right to privacy also exists under the Civil Code of Quebec and the Charter of Human Rights and Freedoms. Organizations may face litigation (including class action litigation) under these statutory and common-law torts, as well as under the general regime of civil liability in Quebec, in addition to any enforcement or claims under Canadian Privacy Statutes.
Enforcement of the Data Protection Law is carried out by the data protection authority, the CNPD.
Moreover, the Data Protection Law sets out criminal and civil liability as well as additional sanctions for breaches of the provisions of said statute.
Civil liability
Any person who has suffered pecuniary or non-pecuniary loss as a result of any inappropriate use of personal data has the right to bring a civil claim against the relevant party.
Criminal liability
The DPL provides that all of the following constitute criminal offences:
- a failure to notify or to obtain the authorization of the DPA prior to commencing data processing operations that require such authorization
- provision of false information in requests for authorization or notification
- misuse of personal data (i.e. processing personal data for purposes other than those for which the notification / authorization was granted)
- the interconnection of personal data without the authorization of the DPA
- unlawful access to personal data
- a failure to comply with a request to stop processing personal data.
These offences are punishable with a term of imprisonment of up to 2 years or a fine of up to 240 days.
Additional sanctions
The DPL also lays down sanctions that can be imposed in addition to criminal and civil liability, namely:
- a temporary or permanent prohibition on processing data
- the advertisement of a sentence applied to a specific case
- a public warning or reproach of a data controller.
A breach of the DPA constitutes a criminal offence, punishable on conviction to a fine of up to CI$100,000 (approx. US$125,000), imprisonment for a term of up to 5 years, or both.
In addition, the DPA empowers the Ombudsman to issue monetary penalty orders of up to CI$250,000 (approx. US$300,000) where the Ombudsman is satisfied on a balance of probabilities that there has been a serious contravention of the law by a data controller and the contravention was of a kind likely to cause substantial damage or substantial distress to a data subject.
Investigative and corrective powers
The Ombudsman is given wide investigative and corrective powers under the DPA, including to require the provision of information and to issue orders to carry out specific remediation activities.
Right to claim compensation
The DPA specifically provides for individuals to bring private claims against data controllers: any person who suffers damage by reason of a contravention by a data controller of any requirement of the DPA has a cause of action for compensation from the data controller for that damage.
Personal liability
The DPA explicitly provides for personal liability for offences committed by a body corporate where the offence is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, secretary or similar officer or any person purporting to act in such capacity. Where the affairs of a body corporate are managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member's functions of management.
The ANSICE has enforcement powers including:
- Investigative powers: the ANSICE can conduct investigations to discover facts and evidence of violations of the Act;
- Administrative fines for infringements of the Data Protection Act;
- Non-compliance with the ANSICE's instructions / decisions can lead to the following sanctions:
  - a warning;
  - an injunction to put an end to defaults within the time limit set by the ANSICE; or
  - a provisional withdrawal of the authorisation granted for a period of three months, at the expiry of which the withdrawal becomes final.
In case of urgency, the ANSICE can:
- interrupt a processing operation for a duration that cannot exceed three months;
- lock certain kinds of data for a duration that cannot exceed three months; or
- prohibit, provisionally or definitively, data processing that does not comply with the Act.
Additionally, the Act provides for a temporary or permanent ban on processing, which does not require a court order.
(Article 8 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification and Article 81 of the Act)
Since there is no special data protection authority in Chile, data protection violations must be challenged with a Constitutional Protective Action based on an alleged violation of the constitutionally guaranteed right to protection of personal data, or with an action before the ordinary civil courts. In addition, the PDPL provides for a special type of action in the event that a controller fails to respond in a timely manner to a request to exercise data subject rights ('Habeas Data').
With the entry into force of the Pro-Consumer Law (see the section on Authority), and the competency thereby granted to the consumer protection agency SERNAC, consumers can lodge complaints alleging violations of the data protection law with this authority. The SERNAC cannot impose fines, but may initiate and participate in judicial proceedings and collective voluntary proceedings.
Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.
Taking the PIPL by way of example, it provides a range of sanctions, including (inter alia):
- enforcement notices and warnings;
- administrative fines of up to (for the most serious offences) 5% of the previous year's annual revenue (unclear whether local or global revenue) or up to RMB million, and confiscation of unlawful income (note that the PIPL imposes much higher fines than other existing data privacy regulations);
- cessation of processing;
- suspension of apps and / or services;
- suspension of business;
- suspension of management / officials role;
- criminal sanctions (for certain offences, and under relevant criminal laws);
- civil claims; and
- social credit score or equivalent business credit files may be affected.
While the PIPL has now introduced higher fines, we anticipate that in practice the operational and contractual risks faced by organisations not complying with the PRC's data privacy framework — alongside increasing reputational risks — remain very significant and should be managed very carefully.
Since privacy and the proper maintenance of personal data are fundamental constitutional rights in Colombia, every citizen is entitled to pursue protection before any Colombian judge via constitutional action. Any judge may order a private or public entity to modify, rectify, secure or delete personal data if it is kept under conditions that violate constitutional rights. Constitutional actions can take up to ten days to be resolved and an order issued, and failure to comply may result in imprisonment of the legal representative of the violating entity.
The Criminal Code of Colombia sets out in section 269F that anyone who, without authorization, seeking personal or third party gain, obtains, compiles, subtracts, offers, sells, interchanges, sends, purchases, intercepts, divulges, modifies or employs personal codes or data contained in databases or similar platforms, will be punishable by 48 to 96 months of prison, and a fine of approximately USD 26,700 to USD 267,000.
Finally, since SIC is an administrative and jurisdictional authority, it is allowed to investigate (as mentioned above), request information, initiate actions against private entities, and impose fines up to approximately USD 534,000, and order or obtain temporary or permanent foreclosure of the company, entity or business.
Here are some relevant decisions from the ARTCI:
- Decision No. 2024-1002 – GCB Cocoa Trading Côte d’Ivoire
- Decision No. 2024-1001 – GCB Cocoa Trading Côte d’Ivoire
- Decision No. 2024-0999 – GCB Cocoa Côte d’Ivoire
- Decision No. 2024-0998 – GCB Cocoa Côte d’Ivoire
- Decision No. 2024-0997 – GCB Cocoa Côte d’Ivoire
- Decision No. 2024-0996 – Ministry of Technical Education, Vocational Training and Apprenticeship and KAYDAN GROUP
- Decision No. 2023-0981 – OCEANA
- Decision No. 2023-0881 – Capital Asset Management West Africa
- Decision No. 2023-0970 – NSIA Banque CI
- Decision No. 2023-0964 – Blommer Chocolate Company
PRODHAB has begun to enforce the obligations established under the Laws. Individuals may file their claims directly with PRODHAB, which may initiate an administrative procedure against the database manager.
In 20122, PRODHAB received more than 272 complaints (the second highest number in its history) regarding potential breaches of data protection regulations.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Croatia regulation
The Croatian Personal Data Protection Agency is the enforcement body in Croatia competent for matters related to privacy and personal data. Its decisions may be challenged by initiating administrative litigation at the competent administrative court.
Administrative fines may not be imposed on public authorities and bodies.
The competent authority for the enforcement of Data Protection rules is the Ministry of Communications, in coordination with the Ministry of Interior, Cuban Central Bank, and other authorities.
National Ordinance Personal Data Protection
Pursuant to Article 54, a responsible party who acts in contravention of the provisions of, or pursuant to, Article 4(3) may be penalised by the Curaçao committee of data protection with a financial penalty of up to Naf. 10,000.00 (approx. USD 5,714.29).
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
EU regulation
The GDPR fines, investigative and corrective powers, and rights to compensation and judicial remedies set out under "EU regulation" above apply.
Cyprus regulation
According to the Law, the Council of Ministers may, upon a recommendation of the Commissioner, issue regulatory administrative acts (secondary legislation) in order to effectively enforce the GDPR and applicable national law.
Further, the Law provides that the Commissioner for the Protection of Personal Data shall impose administrative fines in accordance with Article 83 of the GDPR. The Law also provides that an administrative fine imposed on a public authority or body in relation to non-profit activities shall not exceed EUR 200,000.
The Law provides, inter alia, that breaches of Articles 30, 31, 33, 34, 35 and 42 and of Chapter V of the GDPR constitute a criminal offence which may result in imprisonment of up to three years and / or a monetary fine of up to EUR 30,000, or imprisonment of up to five years and / or a monetary fine of up to EUR 50,000, depending on the breach.
Where the data controller or processor is a company or a group of undertakings, the person indicated as such in its articles of association will be held liable for breaches of the GDPR and / or the national law. In the case of public authorities or bodies, the head of the authority or the person who effectively exercises the administration of the authority will be held liable for such breaches.
EU regulation
The GDPR fines, investigative and corrective powers, and rights to compensation and judicial remedies set out under "EU regulation" above apply.
No known cases as the Law is relatively new.
Administrative sanctions may apply and are decided by the APD. Fines range from USD 3,000 to USD 70,000 for the entity that breached the Digital Code.
EU regulation
The GDPR fines, investigative and corrective powers, and rights to compensation and judicial remedies set out under "EU regulation" above apply.
Denmark regulation
The DPA is responsible for the supervision of all processing operations covered by the Danish Data Protection Act.
The DPA can request any information deemed necessary for the DPA's operations, including for deciding whether the Danish Data Protection Act and the GDPR apply.
The DPA and its personnel can without a court order request access to premises from which processing of personal data is performed.
The DPA's decisions are final and not subject to further administrative recourse (but may be brought before the courts in accordance with the rules for civil law suits).
The DPA may investigate data processing occurring in Denmark and the legality thereof, despite the processing being subject to foreign law.
The DPA may publish its findings and decisions.
Any person suffering material or non-material damage due to unlawful data processing can claim damages.
Unless a higher penalty is prescribed under other legislation, processing deemed unlawful under the Danish Data Protection Act is sanctioned with a fine or imprisonment for up to six months.
In general, the GDPR aims to sanction with fines which are effective, proportionate and dissuasive. More specifically, certain violations can be sanctioned with a fine of up to EUR 10,000,000 or 2% of total annual turnover (in the case of a company). Other types of violations can be sanctioned with a fine of up to EUR 20,000,000 or 4% of total annual turnover (in the case of a company).
The statute of limitation period is five years.
Since there is no special data protection authority in the Dominican Republic, data subjects have the right to institute habeas data proceedings to obtain information about the data held that refers to the relevant data subject.
The DPL expressly recognizes the right of data subjects to recover damages for violations of their right to privacy and the integrity of their personal data. Additionally, the DPL provides criminal sanctions (including fines and imprisonment ranging from six months to two years) which may result from violating the DPL.
Law No. 310-14, which prohibits the sending of unsolicited commercial messages (SPAM), enacted on August 8, 2014 ('SPAM Law No. 310-14'), also provides criminal sanctions for fraudulently obtaining personal data from public websites for commercial purposes (including imprisonment ranging from six months to five years, and fines from 1 to 200 times the minimum wage).
Although the National Institute for the Protection of Consumer Rights ("Pro Consumidor") cannot impose fines or administrative sanctions, conciliation and arbitration processes between users, consumers and suppliers can be initiated before it.
In case of non-compliance with the provisions set forth in the Law, its regulations, guidelines and directives and regulations issued by the Personal Data Protection Authority, the Personal Data Protection Authority shall issue corrective measures with the purpose of preventing the infringement from continuing and the conduct from occurring again, without prejudice to the application of the corresponding administrative sanctions.
Corrective measures may consist of, among others:
- Cessation of the processing, under certain conditions or deadlines;
- Disposal of the data; and
- The imposition of technical, legal, organizational or administrative measures to ensure proper handling of personal data.
The Personal Data Protection Authority, within the framework of this Law, will determine the corrective measures for each case; infringements are classified as minor infringements and serious infringements.
Minor infringements are subject to an administrative fine of between 0.1% and 0.7% of the turnover for the financial year immediately preceding the imposition of the fine.
Serious infringements are subject to an administrative fine of between 0.7% and 1% of the turnover for the financial year immediately preceding the imposition of the fine.
In addition to the previously mentioned fines, the Personal Data Protection Authority may apply provisional measures of protection or precautionary measures such as:
- Seizure.
- Withholding.
- Sale prohibitions.
- Shutdown of establishments.
- Activity suspension.
- Decommissioning of products, documents, or other goods.
- Eviction of individuals.
Right to Raise Complaints
Pursuant to Article 33 of the Law, the data subject and any relevant person has the right to submit a complaint in relation to:
- Infringement or breach of the right of protection of personal data.
- Failure to enable the data subject to exercise his/her rights.
- The decisions issued by the DPO of the processor or controller in relation to the requests submitted to him/her.
Judicial Control Powers
The Centre’s employees, who are appointed by a decision of the Minister of Justice upon the proposal of the Minister of Telecommunications and Information Technology (the competent minister in this regard), shall have judicial control powers in relation to violations of the Law.
Penalties
Failure to comply with the provisions of the Law shall be penalized with imprisonment and/or fines that can reach up to EGP 5,000,000 (five million Egyptian pounds).
No specific Enforcement Authority has been created. However, to the extent of its capabilities and within the legal framework of our criminal jurisdiction, the General Attorney’s Office can prosecute any crime related to the use of personal data as regulated in the laws on the matter.
The enforcement process applied to determine and impose sanctions follows the principles, rules and norms of administrative procedure, with a hearing held at the request of the interested party. During the hearing, other enforcement measures can be adopted by the sanctioning organ to ensure compliance with the final resolution and to secure the application of the sanctions. However, these measures have a provisional character (Art. 45).
Where the infringement is committed in a public file, the sanctioning organ has to pass a resolution ordering the cessation or correction of the infringement, as well as propose the application of disciplinary proceedings against the offenders (Art. 45).
The resolution of the sanctioning organ is elevated to a higher authority, which must then verify and determine the applicable sanctions for the infringement.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Estonia regulation
Estonian law does not recognize administrative fines. This is also reflected in Recital 151 of the GDPR, stating that since the Estonian legal system does not allow for administrative fines as set out in the GDPR, the rules on administrative fines may be applied in Estonia in such a manner that the fine is imposed in misdemeanor proceedings if the applicable rules allow for the imposition of fines that are effective, proportionate and decisive.
Under the PDPA, the DPI may impose fines in misdemeanor proceedings of up to 20,000,000 euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Nevertheless, Estonia has been among the EU Member States imposing the lowest GDPR fines across the EU. This has been due to constraints arising from misdemeanor procedural law, which have resulted in virtually no misdemeanor fines being imposed for GDPR violations. Currently, most infringements have been dealt with in state supervision proceedings (i.e. administrative proceedings), which do not allow for the imposition of fines.
With regard to administrative proceedings, the DPI may issue precepts to data controllers and processors ordering them to stop the infringing activities.
Upon failure to comply with a precept of the DPI, the DPI may impose a non-compliance levy pursuant to the procedure provided for in the Substitutional Performance and Non-Compliance Levies Act. The upper limit for a non-compliance levy is 20,000,000 euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Further, if the precept issued by the DPI is not fulfilled, the DPI may turn to a superior agency, person or body of the processor of personal data for the organization of supervisory control or the commencement of disciplinary proceedings against an official.
Against the background of constraints arising from misdemeanor procedural law described above, the Estonian legislator initiated, in 2019, a draft law amending the Penal Code (which is also applicable to misdemeanor proceedings), in order to allow for more effective and decisive implementation of fines as required under EU law. The new law has now entered into force (as of 1 November 2023). The main changes that are relevant for the GDPR enforcement are the following:
- the statute of limitations for misdemeanor offences resulting from breaches of the GDPR has been prolonged from 2 years (which was the case prior to 1 November 2023) to 3 years, enabling the DPI to investigate potential infringements for a longer time;
- the general part of the Penal Code now explicitly states that the upper threshold of 400,000 euros for misdemeanor fines will not apply if a lex specialis foresees fines that are calculated on a different basis and in a different amount, allowing misdemeanor fines higher than 400,000 euros to be imposed. Prior to the legislative amendments, the Penal Code stated that the maximum misdemeanor fine that could be applied under law was 400,000 euros. The interplay between that provision as lex generalis and the provisions implementing the GDPR fines as lex specialis has been unclear to this date and has not been interpreted by the courts in the more than 5 years that the GDPR has been applicable (and in offence proceedings, i.e. misdemeanor and criminal proceedings, such discrepancies in law must be interpreted in a way that is favorable to the person under investigation);
- the general provision regarding a legal person’s misdemeanor liability now states that a legal person is held liable if an infringement has been committed either: (a) by any natural person according to instructions given by the legal person’s body, its member, a senior official or a competent representative; or (b) due to insufficient work organization or lack of supervision by the legal person. It is also clearly stated in the law that if a legal person is obliged to act under the law, the legal person is responsible for its inactions or omissions irrespective of whether or not a natural person was also obliged to act. Prior to the legislative amendments, the Penal Code stated that a legal person could be held accountable only for an act that was committed in the interest of the legal person by its body, a member thereof or by a senior official or competent representative. This meant that in misdemeanor proceedings arising from breaches of the GDPR, the DPI had to identify a natural person who had acted in the interests of a legal person and establish that this natural person had committed an act fulfilling all the criteria of a punishable offence.
The respective legislative amendments now significantly simplify the imposition of fines on legal persons. Fines can now be applied based on these rules for GDPR infringements that have been committed from 1 November 2023 onwards or that have continued from 1 November 2023 onwards.
As a stand-alone aspect from the above, the PDPA further specifies that the DPI is entitled to apply certain special state supervision measures to carry out the necessary state supervision; in addition, the DPI is entitled to use the measures specified in Article 58 of the GDPR. The DPI may make enquiries to electronic communications undertakings about the data required for the identification of an end-user related to the identification tokens used in the public electronic communications network, except for data relating to the fact of transmission of messages, unless identification of an end-user is otherwise impossible.
Ethiopian courts are responsible for enforcing data protection and privacy provisions in the law.
None.
No applicable laws.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Finland regulation
In Finland, the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen supervise compliance with GDPR and the Finnish Data Protection Act. In addition, an Expert Committee provides statements on significant questions and matters related to data processing upon the request of the Data Protection Ombudsman.
The Data Protection Ombudsman may order a data controller or data processor to comply with certain articles of the GDPR as well as Section 18 of the Data Protection Act, which covers the Data Protection Ombudsman’s right to receive necessary information, and impose a default fine to make the order more effective. However, the default fine may not be imposed on a natural person due to them not complying with the section on the Data Protection Ombudsman’s right to receive information if the person is suspected of a crime and the information is related to the alleged crime.
Administrative fines defined in article 83 of the GDPR will be issued by a sanction board within the Office of the Data Protection Ombudsman. The sanction board consists of the Data Protection Ombudsman and the two Deputy Data Protection Ombudsmen and the decision shall be made as a majority decision. Finland has decided to use the provided national leeway and the Act regulates that the administrative fines cannot be issued to:
- state authorities;
- state-owned businesses;
- local authorities;
- independent public institutions;
- organs operating in connection with the Parliament;
- the Office of the President of the Republic; or
- the Evangelical Lutheran Church of Finland or the Orthodox Church of Finland or the parishes, associations of parishes or other bodies thereof.
In addition, criminal sanctions can ensue from breaches of data protection laws in Finland as the Criminal Code of Finland 39/1889 (Rikoslaki) includes several data processing, data privacy, confidentiality and data security related offences or crimes. Finland has also introduced a punishable offence, the data protection offence, to the Criminal Code of Finland based on the GDPR. If the controller or data processor commits a data protection offence, the punishment is a fine or up to one year of imprisonment. The Criminal Code also states that the prosecutor is obligated to hear the Data Protection Ombudsman before bringing charges against a controller or data processor for a data protection offence.
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions, including criminal penalties (see below).
In May 2023, the EDPB issued Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Since 24 January 2022, the CNIL can investigate and use corrective powers following the simplified sanction procedure (Article 22-1 of the Law). This accelerated procedure can be used when a case does not present a specific issue (e.g. there is established case law on the issue, or the factual and legal issues are considered simple). In such cases, the CNIL can pronounce one or more of the following measures: a warning, an injunction to bring the processing into compliance including a penalty payment of up to €100 per day of delay, and / or an administrative fine of up to €20,000. Sanction decisions issued pursuant to the simplified sanction procedure are not published.
For example, in 2023 the CNIL pronounced 24 sanctions under the simplified sanction regime for a total amount of 229,500 euros. Various breaches have been sanctioned (e.g. lack of cooperation with the CNIL or failure to implement appropriate security measures).
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Criminal offences
In France, criminal penalties, which can reach up to 5 years of imprisonment and a fine of EUR 300,000 for natural persons and EUR 1,500,000 for legal persons, may apply for several privacy-related offences, such as:
- Failure to apply appropriate security measures;
- Failure to notify the French supervisory authority of a data breach where required;
- Unlawful disclosure of personal data.
Additionally, other special laws provide for criminal penalties (e.g. violations of the secrecy of correspondence under Article 226-15 of the French Criminal Code).
As at 19 December 2023, we had not identified any notable enforcement decision issued by the APDPVP pertaining to the Law.
The Personal Data Protection Service monitors the lawfulness of data processing in Georgia. The main fields of activities of the Personal Data Protection Service in the field of data protection are:
- provide consultations on matters related to data protection;
- review applications related to data protection;
- examine (inspect) the lawfulness of data processing;
- inform the public on the data protection status in Georgia, and important events related thereto, and ensure the raising of awareness among the public.
Review of applications of data subjects by the Personal Data Protection Service
The Personal Data Protection Service is obliged to review the applications of data subjects regarding data processing and to take the measures provided for by the legislation of Georgia. Within 10 days after receiving a data subject’s application, the Personal Data Protection Service shall take a decision on the measures to be taken, and inform the applicant thereof. The Personal Data Protection Service shall be authorized to carry out an inspection in order to study and investigate the circumstances related to a data subject’s application. Any processor and / or controller is obliged to transfer the relevant material, information and / or documents to the Personal Data Protection Service upon request.
The period for reviewing an application of a data subject by the Personal Data Protection Service shall not exceed 2 months. On the basis of a grounded decision of the Personal Data Protection Service, the period of review of an application of a data subject may be extended for not more than 1 month. The Personal Data Protection Service shall be authorized to suspend the review of a data subject’s application on the grounds of a request for additional material, information and / or documentation, of which the data subject shall be informed. The review of the data subject’s application shall continue where such grounds no longer exist. The period of suspension shall not be included in the period provided for herein.
The Personal Data Protection Service shall be authorized to take a decision on data blocking before the review of the data subject’s application is completed. Despite the blocking of data, the data processing may continue if it is necessary to protect the vital interests of a data subject or a third party, or for the purposes of the security and defense of the State. After reviewing the application of a data subject, the Personal Data Protection Service shall take a decision on one of the measures provided for by the Law (see below), and inform the data subject and a processor and / or a controller thereof in accordance with the procedure and within the time frame specified by the legislation of Georgia.
Inspection by the Personal Data Protection Service
The Personal Data Protection Service shall be authorized to carry out, on its own initiative or based on an application of an interested person, an inspection of any controller and / or processor. A decision to carry out an inspection provided for herein shall be taken by the Head of the Personal Data Protection Service.
Inspection by the Personal Data Protection Service involves:
- determining compliance with the principles of data processing and the existence of legal grounds for data processing;
- checking the compliance of organizational and technical measures and procedures implemented for data security with the requirements of the legislation of Georgia;
- checking the lawfulness of data transfer to another state and international organization;
- checking compliance with the rules and requirements of the Law and other normative acts with respect to data protection.
During an inspection, the Personal Data Protection Service shall be authorized to request from any institution, natural and / or legal person, documents and / or information, including information containing state, tax, banking, commercial, professional secrets and / or data, as well as materials and / or documents and / or information describing operative and investigative activities and criminal investigations, which constitute state secrets and are necessary to carry out the inspection within the scope determined herein.
A controller and / or a processor is obliged to provide any material, information and / or document to the Personal Data Protection Service immediately, or within not later than 10 working days if a response to the request for information requires:
- finding and processing information in another institution or structural unit, or consulting with the said institution or unit;
- searching for and processing a significant volume of information / documents.
The Personal Data Protection Service shall be authorized to extend the period referred to above by not more than 10 working days based on a substantiated application of a controller and / or a processor.
The Personal Data Protection Service shall be authorized to visit any institution and organization for inspection and to obtain any document and information, including information containing state, tax, banking, commercial, professional secrets and / or data, as well as materials and / or documents and / or information describing operative and investigative activities and criminal investigations, which constitute state secrets, irrespective of their content and mode of storage. As in the case of applications (as stated above), taking into account the results of an inspection, the Personal Data Protection Service shall be authorized to apply the appropriate measures (see below).
An employee of the Personal Data Protection Service is obliged to secure information containing any kind of secret and not to disclose the secret information that he / she has become aware of in the course of performing his / her official duties. Such obligation shall survive after the termination of the powers of an employee of the Personal Data Protection Service.
Consultation and implementation of educational activities by the Personal Data Protection Service
If requested, the Personal Data Protection Service is obliged to provide consultations to state authorities, municipal bodies, other public institutions, legal entities under private law, and natural persons on any issue related to data processing and data protection. Also, the Personal Data Protection Service shall carry out educational activities on issues related to data processing and data protection.
Application of measures by the Personal Data Protection Service
If the Personal Data Protection Service identifies a violation of the Law or another normative act regulating data processing, it shall be authorized to apply one, or simultaneously more than one, of the following measures:
- require the remedy of any violations and shortcomings related to data processing in the manner and within the period specified by it;
- require the suspension or termination of data processing, if the measures and procedures implemented by a controller or a processor for ensuring data security do not comply with the requirements of the legislation of Georgia;
- require the termination of data processing, the blocking, erasure, destruction or depersonalization of data, if it believes that the data are being processed in violation of the legislation of Georgia;
- require the termination of data transfer to another state and international organization, if the data transfer is being carried out in violation of the legislation of Georgia;
- provide written advice and recommendations to a controller and / or a processor in the case of a minor violation of the procedures related to data processing;
- impose administrative liability on an offender.
A controller and / or a processor is obliged to fulfil the requirements of the Personal Data Protection Service within the period determined by the latter, and to inform the Personal Data Protection Service thereof.
If a controller and / or a processor fails to comply with the requirements of the Personal Data Protection Service, the Personal Data Protection Service shall have the right to apply to a court, a law enforcement body and / or a state institution supervising (regulating) the respective area, as provided for by the legislation of Georgia.
If the Personal Data Protection Service identifies an administrative offence, it shall be authorized to draw up an administrative offence report and, accordingly, to impose administrative liability on a controller and / or a processor in accordance with the Law and the Administrative Offences Code of Georgia.
If, in the course of performing its activities, the Personal Data Protection Service believes that there are elements of a crime, it shall inform the authorized state body thereof as provided for by law.
Compliance with the decisions of the Personal Data Protection Service in the area of data protection shall be mandatory and may only be appealed in a court according to the procedure established by law.
The Law provides for criminal, administrative and civil liability:
Criminal liability
Illegal acquisition, storage, use, dissemination, or other provision of access to information reflecting private life or personal data that causes significant harm is punishable by a fine, corrective labor for up to two years, or imprisonment for up to three years.
Illegal use or dissemination of information reflecting private life or personal data via a published work, the internet (including social networks), mass broadcasting, or other public communication, which causes significant harm, is punishable by a fine, corrective labor for up to two years, or imprisonment for up to four years.
The actions described in either of the two preceding paragraphs, committed:
- for personal gain; or
- repeatedly,
are punishable by a fine or imprisonment for up to five years.
The actions described in the preceding paragraphs, committed by an individual responsible for protecting such information or data by virtue of their professional position, duties or other circumstances, or committed by abusing their official position, are punishable by imprisonment for a term of four to seven years, with or without disqualification from holding a position or performing activities for up to three years.
Criminal liability for the acquisition or storage of such information (the first paragraph above) does not apply to individuals who hand the acquired / stored information over to the investigative authorities and thereby provide information about committed or anticipated criminal acts.
A legal entity committing actions specified under this Article is punishable by a fine, revocation of the right to perform activities, or liquidation and a fine.
Administrative liability
Various fines may be imposed on a controller / processor for breaching the obligations stipulated in the Law (chapter X), ranging from GEL 500 (approx. USD 177) to GEL 10,000 (approx. USD 3,500).
The Law also sets out circumstances mitigating liability for an administrative offence. The following shall be considered as mitigating circumstances:
- terminating an unlawful act and remedying the damage caused as a result of the administrative offence, and / or taking appropriate organizational and technical measures for the prevention of similar offences in the future;
- the commission of an administrative offence by a minor;
- the sincere repentance of an administrative offence and cooperation with the Personal Data Protection Service;
- other circumstances, such as the nature of the administrative offence and the degree of the offender's culpability, which the Head of the Personal Data Protection Service considers mitigating when resolving the case.
The obligation to submit evidence of the existence of circumstances mitigating administrative liability determined herein shall rest with a controller / processor.
The Law likewise sets out circumstances aggravating liability for an administrative offence. The following shall be considered as aggravating circumstances:
- the repeated commission of the same administrative offence within 1 year, for which an administrative penalty has already been imposed on a controller / processor / third party;
- processing large quantities of data subjects’ data in violation of the requirements of this Law, or a risk thereof;
- processing minors’ data in violation of the requirements of the Law;
- the commission of an administrative offence for financial or other gain;
- the commission of an administrative offence on the grounds of discrimination.
Civil liability
Civil claims (e.g. for monetary compensation) can be brought by individuals, depending on the actual consequences the breach of the Data Protection Law caused to the remedy-seeking individual.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Germany regulation
In October 2019 the German data protection authorities published guidelines for calculating administrative fines against ‘business undertakings’ under Article 83 GDPR. However, since the final version of the Guidelines 04/2022 on the calculation of administrative fines under the GDPR of the EDPB was adopted in May 2023, the German guidelines are no longer relevant.
Enforcement powers
There are no German-specific enforcement powers, except for those of the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit – "BfDI"), who is competent for federal authorities and certain sectors (see Authority for details).
Administrative powers
German law provides for administrative fines of up to EUR 50,000 for the violation of German-specific requirements for the processing of personal data in the context of consumer loans (Sections 30 and 43 BDSG).
Criminal offences
The BDSG provides for several offences for which individuals can be prosecuted and sentenced to imprisonment or criminal fines. The offences under the BDSG include:
- transferring personal data to a third party or otherwise making them accessible if done deliberately and without authorization for commercial purposes and with regard to the personal data of a large number of people which are not publicly accessible;
- processing without authorization, or fraudulently acquiring, personal data which are not publicly accessible if doing so in return for payment or with the intention of enriching oneself or someone else or harming someone.
Additionally, other special laws provide for criminal offences (e.g. violations of the secrecy of telecommunications constitute a criminal offence under the German Criminal Code (Strafgesetzbuch – StGB)).
Where the Commission is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commission shall serve the data controller with an enforcement notice to require the data controller to do any of the following:
- to take or refrain from taking the steps specified within the time stated in the notice;
- to refrain from processing any personal data or personal data of a description specified in the notice;
- to refrain from processing personal data or personal data of a description specified in the notice for the purposes specified or in the manner specified after the time specified.
A person who fails to comply with an enforcement notice commits an offence and is liable on summary conviction to a fine of not more than one hundred and fifty penalty units or to a term of imprisonment of not more than one year or to both. A penalty unit is equivalent to GHS 12 (approximately USD 2.20).
Further, an individual who suffers damage or distress through a data controller's contravention of its data protection obligations is entitled to compensation from the data controller for that damage or distress.
In October 2020, the Data Protection Commission announced its implementation of Enhanced Registration and Compliance Software to streamline the registration and renewal process for Data Controllers. It also announced a six-month extension of the transitional period under the Act during which existing Data Controllers were required to register with the Commission (from 1 October 2020 to 31 March 2021). During this period, defaulting Data Controllers were reportedly required to pay only the current year's registration fee, with all fees for previous years (back to 2012) in which they should have registered but defaulted being waived. Under the Act, however, such extensions of the transitional period must be made by a Legislative Instrument, and our checks show that no Legislative Instrument has been passed for this purpose.
The Data Protection Commission requires all large data controllers (see footnote 1) to have a certified data protection supervisor who has undergone training with the Commission. When renewing their licence with the Commission, data controllers are required to provide a Gap Analysis report showing how they have complied with the law and the Commission's requirements, as well as areas for improvement. The Gap Analysis is usually carried out by the data protection supervisor, but it may also be done by a third party certified by the Data Protection Commission. As part of the gap analysis, the data controller will be required to produce a data protection policy, a data protection impact assessment, a data retention policy, an incident response plan, and a breach report covering all breaches regardless of magnitude. Data Controllers are also required to provide regular training, at least once every year, for anyone who handles personal information on behalf of the data controller.
Footnotes
1: Primary criterion: Data controllers with an annual turnover of GHS 5 million (approximately USD 430,337) and above; or minimum of 250 members or staff. Secondary criterion: Specialist industries no matter their turnover; specifically, upstream and midstream petroleum companies, telecommunication companies or operators (Class 1 license operators), banking / financial institution, credit bureaus, insurance companies, mining companies except quarries, members of groups of companies no matter their turnover which has one associate or subsidiary qualifying as a large data controller.
Fines
The Gibraltar GDPR empowers the Information Commissioner to impose fines of up to 4% of annual worldwide turnover, or £17.5 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to £17.5 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
The Information Commissioner is not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
The Information Commissioner also enjoys wide investigative and corrective powers (Article 58), including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The Gibraltar GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the Gibraltar GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with the Information Commissioner (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
The DPA04 sets out the specific enforcement powers provided to the GRA pursuant to Article 58 of the GDPR, including:
- information notices – requiring the controller or processor to provide the GRA with information;
- assessment notices – permitting the GRA to carry out an assessment of compliance;
- enforcement notices – requiring the controller or processor to take, or refrain from taking, certain steps; and
- penalty notices – administrative fines.
The Information Commissioner has the power to conduct a consensual audit of a controller or a processor, to assess whether that organisation is complying with good practice in respect of its processing of personal data.
Under Schedule 15 of the DPA04 the Information Commissioner also has powers of entry and inspection. These will be exercised pursuant to judicial warrant and will allow the Information Commissioner to enter premises and seize materials.
The DPA04 creates two new criminal offences in Gibraltar law: the re-identification of de-identified personal data without the consent of the controller and the alteration of personal data to prevent disclosure following a subject access request under Article 15 of the GDPR. The DPA04 retains existing Gibraltar criminal law offences, e.g. offence of unlawfully obtaining personal data.
The DPA04 requires the Information Commissioner to issue guidance on its approach to enforcement, including guidance about the circumstances in which it would consider it appropriate to issue a penalty notice, i.e. administrative fine.
The DPA04 also allows the Information Commissioner to publish statutory codes of practice on direct marketing and data sharing.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss;
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Greece regulation
Administrative fines
The HDPA may impose administrative fines in accordance with article 83 para. 4 and 5 of the GDPR. The acts of the HDPA through which administrative fines are imposed, constitute enforceable deeds and shall be served to the data controller, the data processor or their representatives. Such fines shall be collected according to the Public Income Collection Code.
It is worth noting that the largest fine issued to date by the HDPA amounts to EUR 20 million whilst the total value of all fines issued to date amounts to over EUR 36 million.
Penalties
In exercise of the discretionary powers recognized to Member States by Article 84 of the GDPR, the Greek Data Protection Law stipulates criminal sanctions which may be applied for unauthorized processing:
- Any act of unauthorized data processing (i.e. access, disclosure, destruction or damage, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) may lead to imprisonment of up to 1 year.
- If the above-mentioned actions relate to special categories of data or to data relating to criminal convictions and offences or related security measures, they are punishable by imprisonment of up to 1 year and a penalty payment of up to EUR 100,000. Any person who commits the above actions with intent to obtain an unlawful advantage or to cause injury amounting to at least EUR 120,000 is liable to imprisonment of up to 10 years.
- Where the above actions threaten democracy or national security, imprisonment and a penalty payment of up to EUR 300,000 may be imposed.
Right to claim compensation
Further to Article 79 (2) of the GDPR, the Greek Data Protection Law establishes procedural rules with regard to the venue where civil proceedings may be initiated. Claims for damages brought by data subjects against data controllers or processors as a result of a GDPR infringement shall be filed before the civil court of the registered seat of the controller / processor or the court in whose district the data subject has his / her habitual residence.
Parallel application of data protection and cybersecurity law
According to Article 27 of the Greek Cybersecurity Law, where a supervisory authority under Articles 55 and 56 of the GDPR, including the Hellenic Data Protection Authority, imposes an administrative fine, the National Cyber Security Authority shall refrain from imposing an administrative fine for a breach of the minimum cybersecurity requirements (established in Articles 15 and 16 of the Greek Cybersecurity Law) that results from the same conduct that was the subject of the fine imposed by the GDPR supervisory authority.
However, the National Cybersecurity Authority may in this case apply other enforcement measures.
According to Arts. 61, 62 and 63 of the Law on Access to Public Information, enforcement falls to the Superior Authorities of the relevant public offices and, where the infraction entails criminal responsibility, to the Prosecutor General's Office. Arts. 64 to 67 of the Law create specific criminal offences relating to the abuse and misuse of information contained in public records, including Personal Data.
Specifically, Art. 64 of the Law prohibits private parties from commercialising personal data without consent. Violation of this provision is punishable by imprisonment of 5 to 8 years, a fine of Q 50,000.00 to Q 100,000.00, and confiscation of any means used to commit the crime.
The Authority and the ODPA are responsible for administering and enforcing the DPL 2017 (Section 61(1)(a) DPL 2017).
When investigating a complaint regarding a potential breach of the DPL 2017, the Authority has wide powers to require information and, with appropriate warrants, powers to enter premises and search them (Schedule 7 DPL 2017). It may also conduct and / or require an audit of a controller or processor.
Before making a breach determination or an enforcement order, the ODPA may give the person concerned a written notice of the ODPA's proposals and allow the person time (up to 28 days) to make representations. However, the ODPA may dispense with this requirement if the determination or order needs to be made immediately or without notice in the interests of the data subjects or where the ODPA has reasonable grounds for suspecting that data may be tampered with or that to do so might seriously prejudice any other investigation etc. There is a right to appeal the decision of the ODPA under section 84 DPL 2017.
Following a breach determination, the ODPA may take the following enforcement action:
Reprimand
The DPL 2017 does not specify the conditions upon which a reprimand may be issued. However, it will most likely take the form of a notice issued in combination with an administrative fine or a formal undertaking by the controller or processor to comply in future with any part of the DPL 2017.
Warning
A warning may be given where the ODPA determines that any proposed processing or other act or omission is likely to be a breach of the DPL.
Order
This refers to a formal notice of enforcement and can consist of an order to do any or all of the following:
- bring specified processing operations into compliance with an operative provision of the DPL 2017, or take any other specified action required to comply with said provision, in a manner and within a period specified in the order
- notify a data subject of any personal data breach
- comply with a request made by the data subject to exercise a data subject right
- rectify or erase personal data
- restrict or limit the recipient’s processing operations (which may include restricting or ceasing the processing operation or suspending any transfers to an unauthorised jurisdiction)
- notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing
Administrative fines
Whilst the GDPR has the potential to attract administrative fines of up to 4% of annual worldwide turnover or EUR 20 million (whichever is higher), the administrative fines under the DPL 2017 are generally lower (capped at £5,000,000 or £10,000,000 depending on the breach) and can be broadly categorised into four levels.
Level 1
Administrative fines issued against a controller or processor may not exceed £5,000,000 for breaches of section 74(1)(a) – (d) DPL 2017, comprising the following:
- failure to make reasonable efforts to verify that a person who has given consent to the processing of a child's personal data (being a child who is under 13 years' old) in the context of offering information society services directly to that child, is duly authorised to give consent to that processing under Section 10(2)(f) DPL 2017
- failure to take reasonable steps to inform the data subject of anonymisation (in breach of Section 11(1)(b) DPL 2017)
- any breach of the general duties of controllers and processors (except section 31 DPL 2017 – duty to take reasonable steps for compliance) (breach of Part IV DPL 2017)
- any breach of a controller's administrative duties including the requirement to designate a representative in the Bailiwick in certain cases and the requirement to register and pay fees to the ODPA (as per Part V DPL 2017)
- a breach of the security provisions contained in Part VI DPL 2017
- failure to comply with the requirements in respect of data protection impact assessments and prior consultation (except section 46 DPL 2017 – prior consultation required for high-risk legislation) in accordance with Part VII DPL 2017
- failure to comply with the requirements to designate a DPO (where required) or with ancillary duties relating to the DPO's functions (breach of Part VIII DPL 2017).
Level 2
Administrative fines issued against a controller or processor may not exceed £10,000,000 for breaches of section 74(1) DPL 2017, comprising the following (in addition to the Level 1 list above):
- breach of any duty imposed on the person concerned by section 6(1) (data protection principles) including lawfulness of processing
- breach of any duty imposed on the person concerned under Part III DPL 2017 (data subject rights)
- failure to comply with an order by the Authority under section 73(2) DPL 2017 within the time specified in the order
- transfer of personal data to a person in an unauthorised jurisdiction in breach of section 55 DPL 2017 (general prohibition of transfers of personal data outside of the Bailiwick to unauthorised jurisdictions)
- breach of any provision of any ordinance or regulations made pursuant to the DPL 2017 which imposes a duty on a controller or processor.
Level 3
In addition to the two administrative fines described above, the DPL 2017 imposes a 'cap' on administrative fines of up to £300,000 (unless the fine is less than 10% of the person's total annual global turnover or total global gross income in the preceding financial year).
Level 4
An administrative fine issued against a person must not exceed 10% of the total global annual turnover or total global gross income of that person during the period of the breach in question, for up to 3 years.
Enforcement activity has increased since the implementation of the DPL 2017 and more specifically during the last 12 months. To date, we are aware that two Guernsey controllers have been subject to administrative fine orders for the sum of £80,000 and £10,000 respectively. We are also aware that the ODPA has issued both public and private reprimands on controllers (the severity of which depends on the seriousness of the breach).
Offences / criminal proceedings
In addition to the above, the DPL 2017 imposes criminal sanctions on persons who are found guilty of certain specified offences. Such offences include:
- unlawful obtaining or disclosure of personal data
- obstruction or provision of false, deceptive or misleading information
- impersonation of an Authority official, and
- (unless an exception applies) breach of confidentiality by a designated official without the consent of the individual.
Regarding the fourth offence listed above (breach of confidentiality), a 'designated official' includes a member of the Authority, including the Commissioner, and any DPO.
Criminal liability can attach to any director or other officer of the organisation including a body corporate, general partner of a limited partnership, foundation official etc. Criminal proceedings may also be instigated against an unincorporated entity in the case of a general partnership, or a committee etc.
The Law on Cybersecurity and Personal Data Protection sets out administrative, criminal and civil liability (with increased penalties for recidivism), as well as publication of the sanctions imposed, for breaches of its provisions.
Article 436 of the 2020 Penal Code addresses breaches of correspondence secrecy, including physical and electronic forms. It penalizes the opening, suppression, delay, or diversion of correspondence, whether it has reached its destination or not, as well as the fraudulent acquisition of its contents. The article also extends to the interception, diversion, use, or disclosure of correspondence transmitted through telecommunications and the installation of devices for such interception. Violators face imprisonment ranging from six months to one year and fines of 25,000 to 50,000 gourdes.
Article 437 of the 2020 Penal Code of Haiti governs the processing of personal data and its enforcement by penalising unauthorised data processing activities. Specifically, it criminalises conducting or instructing the processing of personal data in violation of the formalities prescribed by law, whether through negligence or intent. The penalty is imprisonment of 1 to 3 years and a fine ranging from 50,000 to 100,000 gourdes, or either of these penalties alone.
The Penal Code, adopted in 2020, was initially set to come into force 24 months after its adoption, introducing comprehensive provisions to address crimes in the digital domain. However, these provisions are not yet in effect, as the implementation of the reformed Penal Code has been postponed indefinitely. A commission was supposed to review the text following concerns raised by various sectors. To date, no commission has been appointed, leaving the unreformed Penal Code in effect. The current Penal Code lacks provisions addressing crimes in the digital domain or data protection matters. Consequently, the provisions of the 2020 Penal Code remain under review and are anticipated to come into force in the near future.
The Institute for the Access to Public Information may receive complaints about abuses regarding the collection of personal or confidential data.
The Institute will impose corrective measures and establish recommendations for those persons or companies who disclose personal data, sensitive personal data or confidential data without authorization.
The PCPD is responsible for enforcing the Ordinance. Generally, unless a specific offense applies, if a data user is found to have contravened the data protection principles of the Ordinance, the PCPD may issue an enforcement notice requiring the data user to take steps to rectify the contravention. Failure to abide by the enforcement notice is a criminal offense, punishable by a fine of up to HK$ 50,000 and imprisonment for up to two years, as well as a daily penalty of HK$ 1,000 if the offense continues after conviction. In the case of subsequent convictions, additional and more severe penalties apply. There are also certain specific offenses under the Ordinance which are triggered directly without the intermediary step of an enforcement notice. For example:
- breach of certain provisions relating to direct marketing is punishable by a fine of up to HK$1 million and imprisonment of up to five years, depending on the nature of the breach; and
- disclosing personal data of a data subject obtained from a data user without the data user's consent is an offense punishable by a fine of up to HK$1 million and imprisonment of up to five years, where such disclosure is made with certain intent, or where the disclosure causes psychological harm to the data subject.
Appeals from enforcement decisions of the PCPD may be made to the Administrative Appeals Board.
In addition to criminal sanctions, a data subject who suffers damage by reason of contravention of the Ordinance may also seek compensation from the data user through civil proceedings. The PCPD operates an assistance scheme for data subjects in this regard.
In light of high profile data incidents in recent years, the PCPD may further strengthen its enforcement against breaches of the Ordinance through more frequent compliance checks and publication of investigation reports, as well as increased co‑operation with local and international authorities.
The January 2020 Consultation Paper proposed to confer additional powers on the PCPD to impose administrative fines linked to the annual turnover of the organization, which would, if implemented, result in a significant increase in financial penalties at a much higher amount calculated by reference to annual turnover. The PCPD’s Report issued in February 2023 and the Panel Meeting Summary published in February 2024 also mentioned empowering the PCPD to impose administrative fines linked to annual turnover as an amendment direction.
Doxxing
Under the Amendment Ordinance it is an offence to disclose, without the data subject’s consent, any personal data with an intent to cause harm, or being reckless as to whether harm would or would likely be caused to the data subject or any family member of the data subject.
Depending on the severity of the offence, any person who commits the offence is punishable on conviction with:
- a fine at level 6 (i.e. HK$ 100,000) and to imprisonment for 2 years; or
- a fine of HK$ 1,000,000 and to imprisonment for 5 years if the disclosure causes harm to the data subject or any family member of the data subject.
The PCPD is also empowered to conduct criminal investigations and commence prosecution for doxxing offences. Among other things:
- The PCPD is granted wide powers under the Amendment Ordinance to access documents and information from any person, or require any person to answer questions or provide relevant materials to facilitate an investigation in relation to doxxing offences.
- The PCPD may also, with a warrant, enter premises and seize any materials or devices in the premises which may be relevant to the investigation as well as decrypt any material stored in these devices.
As the anti‑doxxing provisions have extra‑territorial effect, the PCPD is empowered to serve cessation notices to operators of electronic platforms including websites and online applications (regardless of whether these operators are based in Hong Kong or outside Hong Kong) where personal data has been disclosed without the individual's consent. The cessation notice will require the recipient of the notice to take steps to remove the doxxing content or restrict the disclosure of personal data which has been made.
Failure to comply with a cessation notice is an offence. A person who commits the offence is liable, on first conviction, to a fine at level 5 (i.e. HK$ 50,000) and to imprisonment for two years and, on any subsequent conviction, to a fine at level 6 (i.e. HK$ 100,000) and to imprisonment for two years.
From the commencement of the Amendment Ordinance on 8 October 2021 to 31 August 2024, the PCPD commenced 363 criminal investigations and arrested 59 persons in 58 doxxing cases. The longest imprisonment sentence was eight months. The PCPD also referred 88 cases to the Hong Kong Police Force for further follow-up action. In addition, the PCPD has issued over 2,000 cessation notices to 46 online platforms, requesting the removal of approximately 33,500 doxxing messages, with a compliance rate of over 96%, and approximately 250 doxxing channels have been removed.
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position.
Advocate General Medina's Opinion in Case C-383/23 confirms that, when determining whether a group of companies forms an 'undertaking' for the purposes of the GDPR, it should be considered whether the parent company exercises decisive control over its subsidiaries. The criteria for determining this are based on the economic, legal and organisational links between the parent company and its subsidiary, for example the size of the shareholding, personnel or organisational ties, instructions given and the existence of contracts between the companies.
When calculating the fine for a GDPR infringement committed by a subsidiary, supervisory authorities must therefore take into account the total annual turnover of the entire group if the group forms an 'undertaking'.
However, when determining the actual fine to be imposed, the concept of 'undertaking' must be used as one relevant element among others, considering specific circumstances of the individual case. Specific circumstances may relate to the decision-making power of the parent company, the scope of the data processing that infringes the rules of that regulation and the number of entities of the undertaking involved in the infringement.
There is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Iceland regulation
Non-compliance with the instructions of the Data Protection Authority regarding a) temporary or definitive limitation including a ban on processing, b) rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data have been disclosed, or c) suspension of data flows to a recipient in a third country or to an international organization, can lead to daily fines until necessary improvements have been made. Fines can amount up to ISK 200,000 (approximately EUR 1,320) for each day that passes without the Data Protection Authority’s instructions being observed.
Breaches of the DPA and the GDPR can lead to administrative fines imposed by the Data Protection Authority. For an infringement of the provisions listed in Article 83(4) of the GDPR, the administrative fine may range from ISK 100,000 (approx. EUR 660) up to ISK 1.2 billion (approx. EUR 7,900,000) or, in the case of a corporation, up to 2% of its total worldwide annual turnover in the previous financial year, whichever is higher.
For an infringement of the provisions listed in Articles 83(5)-83(6) of the GDPR, cf. Article 46 of the DPA, the administrative fine may range from ISK 100,000 up to ISK 2.4 billion (approx. EUR 15,850,000) or, in the case of a corporation, up to 4% of its total worldwide annual turnover in the previous financial year, whichever is higher.
Major breaches can also lead to imprisonment of up to 3 years, and breach of confidentiality by a data protection officer can lead to fines or imprisonment of up to 1 year (up to 3 years in severe cases), cf. Article 48 of the DPA.
Under the IT Act, civil penalties are prescribed. If an entity that possesses, manages or handles any sensitive personal information in a computer resource that it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and its negligence causes wrongful loss or wrongful gain to any person, the entity is liable to pay damages to the affected person(s). In the event of unlawful disclosure of personal information, the IT Act prescribes civil penalties of up to INR 2,500,000 (approximately €27,455 as at January 6, 2025).
Separately, the Cyber Security Directions have introduced a penalty of imprisonment for a term of up to 1 year or a fine of up to INR 10,000,000 (approximately €109,822 as at January 6, 2025), or both, for failure to provide information to CERT-In or non-compliance with the Cyber Security Directions.
Under the DPDP Act, civil monetary penalties on Data Fiduciaries ranging from INR 500,000,000 (INR 50 crore, approximately €5,498,135) to INR 2,500,000,000 (INR 250 crore, approximately €27,490,675) (as at January 6, 2025) have been prescribed for different contraventions. The DPDP Act also provides for a penalty of up to INR 10,000 (approximately €110 as at January 6, 2025) for the contravention of duties by a Data Principal. The quantum of the monetary penalty will be determined by the Board, taking into consideration the following factors:
- the nature, gravity, and duration of the breach;
- the type and nature of the personal data affected by the breach;
- repetitive nature of the breach;
- whether the person, as a result of the breach, has realised a gain or avoided any loss;
- whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- whether the financial penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
- the likely impact of the imposition of the financial penalty on the person.
The Government of India may amend the penalties prescribed under the DPDP Act by issuing a notification in the future. However, the penalties cannot be modified to exceed double the amount currently specified under the DPDP Act. Therefore, even after amendment by the Government of India, the financial penalty may not exceed INR 500 crore (INR 5,000,000,000).
Exemptions
The DPDP Act provides for exemptions from the application of certain provisions, which are available to Data Fiduciaries in certain circumstances:
- Exemptions for certain Data Fiduciaries or class of Data Fiduciaries, including startups: The Government of India will issue a notification exempting certain Data Fiduciaries or class of Data Fiduciaries, including startups, from certain provisions of the DPDP Act. This notification will be based on the volume and nature of personal data processed. Such Data Fiduciaries will not be required to comply with the following obligations:
- issuing a notice before seeking consent of a Data Principal;
- ensuring the accuracy and completeness of personal data;
- erasing personal data after the purpose for which it was collected is served;
- obtaining verifiable parental consent before processing children’s data and no behavioural tracking of children or targeted advertising directed at children;
- the obligations applying to SDFs; and
- providing a Data Principal with the right to information about their personal data.
- Exemptions where personal data is processed for certain specified uses: The DPDP Act exempts entities from complying with the provisions pertaining to obligations of Data Fiduciaries, rights and duties of Data Principals and transfer of personal data outside India in cases where:
- the processing of personal data is necessary for enforcement of any legal right or claim;
- the processing of personal data is necessary to perform judicial or quasi-judicial, regulatory or supervisory functions by a court, tribunal or any other such body entrusted by the law to perform such functions;
- the processing of personal data is necessary in the interest of prevention, investigation or prosecution for offences or contraventions of any law;
- personal data of Data Principals who are not within the territory of India is processed by any person based in India, pursuant to a contract with any person outside the territory of India;
- the processing of personal data is necessary for carrying out mergers, acquisitions and other such transactions between two or more companies which have been approved by a court, tribunal or any other competent authority; or
- the processing of personal data is done in relation to debt-recovery activities.
- Exemptions for research and statistical purposes: The DPDP Act will not apply to the processing of personal data which is necessary to carry out research, archiving or statistical activities, provided that the personal data is not used to take any decision specific to a Data Principal. The Government of India will prescribe the standards in accordance with which such processing is to be carried out; the Draft Rules contain these standards.
- Exemptions for the Government of India: The DPDP Act will not apply to certain instrumentalities of the Government of India in the interest of sovereignty and integrity of India, security, friendly relations with foreign countries and maintenance of public order. The Government of India will notify the instrumentalities to which this exemption is available.
The Government of India may notify additional exemptions from the provisions of the DPDP Act for any Data Fiduciary or class of Data Fiduciaries in the five years following the implementation of the Act.
Sanctions
In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances, such as in the event of intentional infringement.
Enforcement by the PDP Agency (administrative sanctions)
Violations of certain articles in the PDP Law are subject to administrative sanctions. These administrative sanctions, which shall be imposed by the PDP Agency, are as follows:
- written warning;
- temporary suspension of personal data processing activities;
- deletion or destruction of personal data; and / or
- administrative fines.
With regard to administrative fines, the PDP Law stipulates that the maximum fine is 2% of the concerned party's annual income or revenue. Further provisions on administrative sanctions and the procedures for the imposition of administrative fines will be provided in Government Regulations.
Enforcement by the public prosecutor (criminal sanctions)
- Every person is prohibited from unlawfully obtaining or collecting personal data not belonging to themselves, and with the intention of benefiting themselves or another person which may result in the loss for the data subject. Violation of this is subject to maximum imprisonment of five (5) years and / or a maximum fine of IDR 5 billion (±USD 334,000);
- Every person is prohibited from unlawfully disclosing personal data that does not belong to themselves. Violation of this is subject to maximum imprisonment of four (4) years and / or a maximum fine of IDR 4 billion (±USD 267,000);
- Every person is prohibited from using personal data that does not belong to such person in a manner that contravenes the law. Violation of this is subject to maximum imprisonment of five (5) years and / or a maximum fine of IDR 5 billion (±USD 334,000);
- Every person is prohibited from creating false personal data or fake personal data with the intention of benefiting themselves or other persons that may cause harm to other persons. Violation of this is subject to maximum imprisonment of six (6) years and / or a maximum fine of IDR 6 billion (±USD 400,000).
Additional penalties may also be imposed in the form of confiscation of profits and / or assets obtained or proceeds from criminal acts and indemnity payment.
If the criminal act is committed by a corporate entity, the PDP Law stipulates that criminal sanctions will be imposed only in the form of criminal fines. These fines will be imposed on the management, controller, instructor, beneficial owner and / or the corporation itself. The criminal fines for corporate entities can be up to 10 times the maximum fines for individuals.
Additional criminal sanctions that may be imposed on corporate entities, include:
- confiscation of profits and / or assets obtained or proceeds from criminal acts;
- suspension of all or part of the business of the corporation;
- permanent prohibition on certain activities;
- closure of all or part of the business premises and / or activities of the corporation;
- fulfilment of the neglected obligation;
- payment of compensation;
- revocation of licenses; and / or
- dissolution of the corporation.
Since the above provisions concern prohibited conduct relating to personal data that is enforced by the public prosecutor, they have had effect since the enactment of the PDP Law.
Enforcement by the KOMDIGI (administrative sanctions)
As no specific data protection authority has yet been formed and become operational (a role which, following the enactment of the PDP Law, is intended to be assumed by the PDP Agency), the following still applies: it is currently the KOMDIGI that is responsible for monitoring and regulating data protection (in the context of personal data in electronic systems).
The KOMDIGI has the right to request data and information from the electronic system operator (data controller / processor) for the purpose of protecting personal data.
It may also enforce non-complying parties by imposing administrative sanctions in the form of:
- written warnings;
- temporary restriction / suspension of its business activities;
- administrative fines (in coordination with the relevant sector's regulatory authority); the regulation does not specify the amount of administrative fines or the procedure for imposing them;
- restriction of access to the electronic system and / or information / data;
- exclusion of the business actor from certain registration lists; and / or
- online publication on the website.
The ultimate sanction in MOCI Reg. 5/2020 is the blocking of access to the private electronic system operator’s (PSE’s) electronic systems in Indonesia. Access can be granted again once the private PSE has fulfilled its obligations.
However, as mentioned earlier, it does not rule out the possible enforcement by:
- other relevant sector’s regulatory authority (in the event the data controller / processor is subject to a regulated sector) which may also impose certain other administrative sanctions; and / or
- the law enforcement agency (prosecutor) if the non-compliance implies a criminal offense, which may subject the accused with imprisonment and / or fines.
Banking Law
Under Article 47 paragraph (2) of the Banking Law, any commissioner, director or employee of a bank or its affiliates who intentionally provides information which has to be kept confidential may be sentenced to imprisonment for not less than two (2) years but not more than four (4) years, and fined at least IDR 4 billion (±USD 267,000) but not more than IDR 8 billion (±USD 534,000).
Capital Market Law
Under the Capital Market Law, the FSA is empowered to impose the following administrative sanctions for breaches of the provisions dealing with data protection:
- A written reminder;
- A fine;
- Limitations on business;
- Suspension of business;
- Revocation of business license;
- Cancellation of approval; and / or
- Cancellation of registration.
Right to file a complaint
The PDP Law provides personal data subjects with the right to file a complaint against automated decision making.
Under the General Data Protection Regulations, an affected individual has the right to file a civil claim against the relevant electronic system operator (data controller / data processor) for losses incurred. The individual also has the right to make complaints related to data protection infringements to the DITJEN APTIKA within the KOMDIGI if:
- no written notification has been made by the electronic system operator (data controller / processor) to the data subject concerning a data breach; or
- losses have been incurred by the data subject due to a data breach.
In addition, the general right to file a complaint is embedded in the Indonesian Civil Code, which provides that any party may claim civil liability if the loss suffered can be shown to result from another party’s unlawful act.
Iranian courts generally enforce violations through statutorily defined remedies of the applicable law or regulation.
For example, the Cyber Crime Act provides that anyone who, by use of computer or telecommunications means, publicizes or makes accessible another individual’s film, pictures or sounds, or personal or family secrets without consent, and causes loss or damage to the individual or violates that person’s dignity will be sentenced to imprisonment between 61 days and six months or fined Rls 1,000,000 to 10,000,000.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Ireland regulation
Enforcement powers
Part 6 of the DP Act provides the DPC with a wide-range of powers to supervise organisations under its jurisdiction, including:
- Powers to handle complaints made (directly or indirectly) to it;
- Powers to open and conduct “own-volition” inquiries;
- Powers to issue decisions and exercise corrective powers (including administrative fines) provided for in GDPR;
- Powers to issue a variety of corrective orders including warnings, reprimands, directions, suspensions or restrictions;
- Powers of entry, search, seizure and inspection, including the removal and retention of documents or records;
- Powers to issue information and enforcement notices; and
- Powers to require an organisation to carry out a report or audit.
Criminal offences
The DP Act provides for several offences which can result in prosecution, imprisonment, and criminal penalties being imposed. Where offences are committed by an organisation, and such offence is committed with the consent, connivance or negligence of a manager, director, secretary or other officer of the company, the individual will be personally liable for the offence, as well as the organisation. The offences under the DP Act include:
- an employer or potential employer forcing an individual to make a subject access request;
- a processor disclosing personal data without the consent of the controller unless required to do so by law;
- obtaining and disclosing, or selling personal data to a third party without the consent of the relevant controller or processor of that data, or in relation to data which were unlawfully disclosed to them;
- contravening the provisions relating to the processing of criminal convictions and offences data;
- not cooperating with an authorised officer during an investigation, audit or inspection; and
- failing to comply with an information or enforcement notice.
IPA has the authority and obligation to supervise compliance and enforce the provisions of the PPL and appoint inspectors to carry out those activities.
Breach of the PPL may result in both civil and criminal sanctions, including administrative fines, 15 years of imprisonment, and the right to receive statutory damages under civil proceedings without the need to prove actual damages.
Amendment 13 establishes the possibility for controllers or processors of databases to request preliminary opinions from IPA regarding the compliance of their databases or data processing practices with the PPL. Amendment 13 provides IPA with the ability to conduct criminal investigations and to impose monetary sanctions. In addition, Amendment 13 expands the grounds for granting statutory damages without the need to prove actual damages, including in the event of failure to register a database, failure to meet the disclosure requirements, failure to comply with a request to access or correct information, etc.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Italy regulation
The Privacy Code provides that investigations and enforcement actions are handled by the Garante.
If the PPC finds any violation or potential violation of the APPI, the PPC may request the business operator to submit a report, conduct an on-site inspection and request or order the business operator to take remedial actions. If a business operator does not submit the report and materials, or reports false information, they will be subject to a fine of up to JPY 500,000.
If a business operator does not follow an order from the PPC, they will be subject to a penalty of imprisonment for up to one year or a fine of up to JPY 1,000,000. If the party that fails to follow such an order is an entity, the parties subject to this penalty will be the relevant officers, representatives, or managers responsible, and the entity is subject to a fine of up to JPY 100,000,000.
An unauthorized disclosure of Personal Information, for the benefit of the disclosing party or any third party, will be subject to a penalty of imprisonment for up to one year or a fine of up to JPY 500,000. If the party that discloses Personal Information is an entity, the parties subject to this penalty will be the relevant officers, representatives, or managers responsible for the disclosure, and the entity is subject to a fine of up to JPY 100,000,000.
In Jersey, the Authority is responsible for the enforcement of the DPJL and DPAJL. Its day-to-day powers are delegated to the Information Commissioner, with the exception of the issuing of public statements and imposing fines.
The Authority has wide powers to require information and to enter and search premises (Schedule 1 DPAJL). It may also conduct and/or require an audit of a controller or processor.
The Information Commissioner may take the following enforcement actions:
Reprimand
The DPAJL does not specify the conditions upon which a reprimand may be issued; however most will likely take the form of a notice, and may be issued in combination with an administrative fine or a formal undertaking by the controller or processor to meet future compliance with any part of the DPJL or DPAJL.
Warning
This sanction applies where it appears to the Information Commissioner that the intended processing or other act or omission is likely to contravene the DPJL or DPAJL. Such warnings may be issued by way of a formal notice in advance of any intended processing.
Order
This refers to a formal notice of enforcement and can order any or all of the following:
- Bring specified processing operations into compliance with the DPAJL or DPJL, or take any other specified action required to comply with the same, in a manner and within a period specified in the order
- Notify a data subject of a personal data breach
- Comply with a request made by the data subject to exercise a data subject right
- Rectify or erase personal data
- Restrict or limit the recipient’s processing operations, and
- Notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing
Administrative Fines
The DPAJL also empowers the Authority to impose administrative fines (Article 26 DPAJL), which may be imposed in addition to any other sanctions.
An administrative fine must not exceed £300,000 or 10% of the person’s total global annual turnover or total gross income in the preceding financial year, whichever is the higher (Article 27(2) DPAJL).
An administrative fine ordered against any person whose processing of data that gave rise to the fine was in the public interest and not for profit must not exceed £10,000 (Article 27(3) DPAJL).
Subject to the above limits, an administrative fine of up to £5 million may be ordered for:
- Failure to make reasonable efforts to verify that a person giving consent to the processing of the personal data of a child as required by Article 11(4) of the DPJL (information society services) is a person duly authorized to give consent to that processing
- Breach of Article 7 of the DPJL (obligations of joint controllers)
- Breach of Part 3 of the DPJL (which includes record-keeping obligations, data protection by design and default, data protection impact assessments, appointment conditions for data processors and breach notification)
- Breach of Part 4 of the DPJL (which includes information security obligations and general obligations on processors), and
- Breach of Part 5 of the DPJL (which includes obligations relating to data protection officers)
An administrative fine of up to £10 million may be imposed for:
- Breach of Part 2 of the DPJL (which includes fundamental duties of controllers, including compliance with the data protection principles, data subject information provisions and rules regarding consent) other than for Articles 7 and 11(4), and
- Breach of Part 6 of the DPJL (Data Subject Rights)
Right to claim compensation
The DPJL makes specific provision for individuals to bring private claims against controllers and processors.
Where a controller has breached the transparency and data subject rights provisions of the DPJL, a data subject may ask the Royal Court to make such order as it considers appropriate, which may include:
- An award of compensation for loss, damage or distress in respect of the violation
- An injunction (including an interim injunction) to restrain any actual or anticipated violation
- A declaration that the controller is responsible for the violation or that a particular act, omission or course of conduct on the part of the controller would result in a violation, and
- Requiring the controller to give effect to the transparency and data subject rights provisions (unless, in the case of a data subject access request, the Royal Court is satisfied that complying with the request will cause serious harm to a third party's physical or mental health)
Any person who has suffered "loss, damage or distress" as a result of a breach of the DPJL has the right to receive compensation (Article 69 DPJL) from the controller or processor. This means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss. In addition, data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 70). Individuals also enjoy the right to lodge a complaint with the Information Commissioner in relation to any violation of the DPJL that affects him or her (Article 19 DPAJL). Last, all natural and legal persons, including individuals, controllers and processors, have the right to complain to the Royal Court about a decision, or failure to make a decision, of the Authority or Information Commissioner concerning him or her.
Offenses
The DPJL contains the following offenses:
- Unlawfully obtaining personal data (Article 71 DPJL)
- Requiring a person to produce certain records (Article 72 DPJL)
- Providing false information (Article 73 DPJL), and
- Obstruction (Article 74 DPJL)
The DPAJL contains the following offenses:
- Failing to register with the Authority as a controller or processor (Article 17(6) DPAJL), and
- Failing to comply with an order made by the Authority following a breach determination (Article 25(8) DPAJL)
If a company or other organization commits a criminal offense under the DPJL or DPAJL, any partner, director, manager, secretary or similar officer or someone purporting to act in such capacity is personally guilty of an offense in addition to the corporate body if:
- The offense was committed with his or her consent or connivance, or
- The offense is attributable to any neglect on his or her part
The Cybercrime Unit is the body responsible for handling complaints and referring them to the court.
In general, the court shall enforce the sanctions stated in the Cybercrime Law and in any other applicable laws and regulations.
Generally, all state authorities of Kazakhstan, depending on their competences, may consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues. The Ministry is authorised to take measures against persons who have violated the personal data legislation of Kazakhstan.
Prosecution Authorities of Kazakhstan carry out supervision over compliance with personal data legislation of Kazakhstan and may also take measures on bringing persons who have violated personal data legislation of Kazakhstan to liability. Interested persons may file complaints to the Prosecutor’s Office and the Ministry regarding breach of the legislation in relation to personal data and its protection.
Kazakh law provides for administrative and criminal liability for violation of Kazakh law in relation to personal data and its protection.
The DPC has the duty to ensure the implementation and enforcement of the Act.
The Compliance & Enforcement Regulations set out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act. The Regulations provide for the process and procedure of lodging of complaints with the DPC.
The DPC is also required to maintain an up-to-date register of complaints stating the particulars of the complainant and complaint.
Section 62 of the Act
In instances where the DPC is satisfied that any person has violated the provisions of the Act, the DPC has the power to issue penalty notices for up to a maximum of Kenya Shillings Five Million (approximately USD 50,000) or 1% of an undertaking’s annual turnover for the preceding year, whichever is lower.
In addition, any act which constitutes an offence under the Act where a penalty is not provided attracts a fine of up to Kenya Shillings Three Million (approx. USD 30,000) or imprisonment for up to 10 years or both a fine and imprisonment.
Under the Data Protection (Compliance & Enforcement) Regulations, 2021, the DPC has the power to issue an enforcement notice where a person fails to comply with the provisions of the Act or the Regulations. A penalty notice is issued where there is a failure to comply with the enforcement notice. The penalty notice will contain the reasons why the DPC is imposing a penalty, the administrative fine imposed, how the fine is to be paid and the rights of appeal against the decision. The DPC may impose a daily fine of not more than Ksh. 10,000 (approx. USD 100) for each penalty identified, until the breach is rectified.
Filing a complaint at IPA
The data subject is entitled to file a complaint with the IPA, while reserving the right to other administrative and judicial remedies (Article 52). IPA is obliged to notify the data subject of the decision on the complaint, as well as to inform the data subject of the possibility of a judicial remedy to uphold his/her rights with regard to violation of personal data (Article 52 (2)). However, if IPA fails to inform the data subject of a decision on the complaint within three (3) months of its submission, the data subject shall be entitled to an effective judicial remedy (Article 53 (2)).
Filing a complaint against a Decision of the IPA
Every natural or legal person is entitled to file a complaint at the competent court against a binding decision of the IPA concerning them, by initiating an administrative dispute before the competent court (Article 53).
Right to an effective judicial remedy against a controller or processor
Without prejudice to the right of data subjects to lodge a complaint with the IPA, each data subject shall have the right to an effective judicial remedy where he/she considers that a controller or processor has infringed the rights accorded by the LPPD as a result of the processing of his/her personal data.
With regard to filing complaints as described above, the data subject has the right to engage/mandate a non-profit body, organisation or association which has been established in accordance with the relevant law and is active in the field of personal data protection to submit the complaint, represent the data subject and receive compensation on his/her behalf (Article 55 (1)).
Fines
Violations of provisions of LPPD are considered as minor offences/misdemeanours (i.e. kundervajtje, in Albanian) and are punishable by fines.
Fines for violation of provisions of the LPPD may be issued to legal persons, to the authorised representative of the legal person or to the person exercising independent activities.
The severity of the fine depends on the identity of the offender, the nature of the violation and the extent of the violation.
IPA is authorised to issue fines to legal persons or to a natural person exercising independent activities, in an amount ranging from EUR 20,000 to EUR 40,000, if they fail to process personal data in accordance with the LPPD, including but not limited to the following violations (Article 92 (1)):
- he/she processes personal data without any legal basis or without the consent of the data subject as provided by the LPPD;
- he/she entrusts an individual task relating to the processing of personal data to another person, without concluding a written contract as required by the LPPD;
- he/she processes sensitive personal data in violation of LPPD, or fails to provide the required protection to the sensitive personal data.
A fine ranging from EUR 2,000 to EUR 4,000 shall be imposed on the responsible/authorised representative of the legal person or on the person exercising independent activities (Article 92 (2)).
A fine ranging from EUR 1,000 to EUR 2,000 shall be imposed on the responsible person of a state body in cases of minor offences with regard to personal data (Article 92 (3)).
A fine ranging from EUR 400 to EUR 1,000 shall be imposed on an individual in cases of minor offences with regard to personal data (Article 92 (4)).
Serious and major violations of legal provisions
In cases where IPA finds a serious and grave violation of the provisions on the processing of personal data, it may impose a fine ranging from EUR 20,000 to EUR 40,000 or, in the case of a company or enterprise, a fine amounting to two percent (2%) of the general turnover of the company/enterprise for the previous fiscal year, in compliance with the GDPR (Article 105).
The Data Protection Regulation does not provide specific penalties for breach of the prescribed obligations but instead refers to the penalties and fines under the CITRA establishing Law, which lays down a range of punishments including imprisonment for a term of one to five years and a fine ranging from five hundred Kuwaiti Dinars to twenty thousand Kuwaiti Dinars, or a combination thereof.
Violations of the E-Commerce Law are punishable by a maximum of three years’ imprisonment and fines of no less than KWD 5,000 (US$17,500) for anyone who discloses personal information without proper consent or a court order. The E-Commerce Law also provides for confiscation of tools, programs or devices used for unauthorized disclosure.
Additionally, the Cybercrime Law imposes severe penalties on anyone who unlawfully accesses a computer, its systems, a data electronic processing system, an automated electronic system, or an information network. Such individuals face imprisonment for up to six months and a fine ranging from KWD 500 (approximately $1,625) to KWD 2,000 (approximately $6,500), or either penalty. If the act results in the abolition, deletion, damage, destruction, disclosure, alteration, or republication of data or information, the penalty increases to imprisonment for up to three years and a fine between KWD 3,000 (approximately $9,750) and KWD 10,000 (approximately $32,500), or either penalty, especially if the disclosed data is personal. Furthermore, anyone who illegally accesses an information site or system, whether directly, via the internet, or through other means of information technology, to obtain confidential government data is subject to imprisonment for up to three years and a fine of KWD 3,000 to KWD 10,000, or either penalty. If such access leads to the deletion, damage, destruction, publication, or alteration of the data or information, the penalty increases to imprisonment for up to 10 years and a fine ranging from KWD 5,000 (approximately $16,250) to KWD 20,000 (approximately $65,000), or either penalty, and these penalties also extend to data and information related to clients' bank accounts.
Although the Law on Personal Data has been adopted, there is no enforcement practice of its provisions in place yet. However, since the responsible agency has been appointed (the State Agency for Protection of Personal Data), enforcement practice may change once the agency is fully operational.
The enforcing authorities with regard to electronic data protection are:
- Ministry of Technology and Communications (MTC);
- Economic Police; and
- Lao People’s Court.
The Department of Cyber Security does not have by law the authority to issue fines or sanctions.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- The basic principles for processing including conditions for consent
- Data subjects’ rights
- International transfer restrictions
- Any obligations imposed by Member State law for special cases such as processing employee data
- Certain orders of a supervisory authority
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- Obligations of controllers and processors, including security and data breach notification obligations
- Obligations of certification bodies
- Obligations of a monitoring body
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of non-material damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Latvia regulation
When enforcing decisions under Article 58 of the GDPR that impose a legal obligation, the DSI applies the Administrative Procedure Law. Under the Personal Data Processing Law, the DSI is also entitled to impose administrative sanctions on legal entities governed by public law, e.g. state institutions. An official found liable for unlawful activities with personal data, or for failure to comply with the obligations of the controller or processor, may be fined up to EUR 1,000.
The Personal Data Processing Law imposes a limitation period of five years for civil claims for the reimbursement of losses caused by violations of the GDPR.
Data subjects are entitled to resort to the competent courts, especially to the Judge of Expedite Matters, for matters related to enforcement of their rights under the Law.
There are no administrative enforcement actions.
The public prosecutor and/or data subjects can start legal proceedings for enforcement of the Law.
The Commission is responsible for the enforcement of the DP Act.
The DP Act (section 49) also permits a data subject to institute a civil action for damages in a court having jurisdiction against a data controller for breach of any provision of this Act.
Enforcement is generally by a private right of action, but there are a few administrative sanctions under some statutes and regulations, such as the regulations governing the financial, insurance and telecommunications sectors, for violation of customer privacy by divulging confidential information without authorization.
It should be noted that the Libyan House of Representatives recently enacted Law No. 5 of 2022 concerning Combating Cyber Crimes, in September 2022. Under this law, cybercrime is defined as “every act committed through the use of computer systems, the international information network, or other information technology means in violation of the provisions of this law.”
This law has introduced some form of enforcement regarding breaches of copyright, with fines and prison sentences imposed in such cases. The sentence for copyright infringement is a prison term of no less than one year and a fine of no less than 1,000 Dinars.
Furthermore, Law No. 6/2022 regarding Electronic Transactions has also brought in some enforcement procedures relating to data protection. Article 79 states: ‘Entities collecting personal data according to Article 73 of this law are prohibited from sending electronic documents to the person from whom the data was collected if he explicitly refuses to accept them.
Processing of personal data by the person who collected it is not allowed if he explicitly refuses to accept it. Additionally, processing is not allowed if it causes harm to the individuals from whom the data was collected, or infringes upon their rights or freedoms. The data may also not be used for any other purposes than those agreed upon unless consent is obtained from the data owner.’
Articles 81-84 of this law state:
Article 81
Without prejudice to any stricter penalty stipulated by the Penal Code or any other law, anyone who commits any of the acts stipulated in Articles 79 ….. of this law shall be punished with imprisonment for a period not less than one year and a fine of not less than three thousand dinars and not exceeding ten thousand dinars.
The penalty will be imprisonment and a fine of not less than ten thousand dinars if these acts were committed to disrupt electronic transactions related to the government or military or security institutions or banks.
Article 82
Without prejudice to the individual criminal liability of the perpetrator of the crime, the legal representative of the legal person shall be punished with the same penalties prescribed for the acts committed in violation of the provisions of this law, if it is proven that his failure to perform his duties contributed to the occurrence of the crime.
The legal person shall be jointly responsible for any financial penalties or compensations if the crime was committed on his behalf or in his name or for his benefit.
Article 83
Without prejudice to any stricter penalty stipulated by the Penal Code or any other law, anyone who exploits the weakness or ignorance of a person in electronic operations by compelling him to commit, presently or in the future, in any form, shall be punished with imprisonment for a period not less than one year and a fine not less than five thousand dinars and not exceeding ten thousand dinars, provided that it is proven from the circumstances that this person is unable to distinguish the dimensions of his commitments and obligations.
Article 84
Without prejudice to the rights of bona fide third parties, in all cases, the devices, programs, or means used in committing any of the crimes stipulated in this law or the funds obtained from them shall be confiscated.
It also provides for the closure of the shop or the site where any of these crimes are committed and the cancellation of its license if the crime was committed with the owner's knowledge.
The closure is either complete or for the period determined by the court.
Lithuania regulation
In addition to the GDPR, the Data Protection Law sets out administrative fines which can be imposed on public institutions. The State Data Protection Inspectorate has the right to impose an administrative fine of:
- Up to 0.5% of the institution’s annual budget for the current year, or of the total annual revenue received in the previous year, but not exceeding EUR 30,000, for breach of the provisions referred to in points (a) to (c) of Article 83(4) of the GDPR;
- Up to 1% of the institution’s annual budget for the current year, or of the total annual revenue received in the previous year, but not exceeding EUR 60,000, for breach of the provisions referred to in points (a) to (e) of Article 83(5) and in Article 83(6) of the GDPR;
- Where a public authority or body carries on commercial business, the amounts set out in paragraphs 4 to 6 of Article 83 of the GDPR.
The statute of limitations is two years from the date the offence was committed or, in the case of continuing offences, two years from the date the offence was identified.
Luxembourg regulation
The CNPD may:
- Impose administrative fines as provided for in Article 83 of the GDPR (however, it cannot impose such sanctions with respect to the State or municipalities)
- Impose on the controller or processor a penalty of up to five per cent (5%) of its average daily turnover in the previous financial year (or in the last closed financial year) for as long as the controller or processor fails to provide information requested by the CNPD pursuant to Article 58(1)(a) GDPR, or fails to comply with a corrective measure adopted by the CNPD pursuant to Article 58(2)(c)-(j) GDPR
- Impose sanctions (imprisonment of 8 days or a fine of between EUR 251 and EUR 125,000) on anyone who knowingly prevents or hinders the performance of the CNPD's missions
- Order the insertion in full or by extracts of its decisions in newspapers or otherwise, at the expense of the person sanctioned
Violations of the Law are subject to civil liability and administrative and criminal sanctions, including fines and/or imprisonment.
The CMIL has the power to verify any data processing and, where necessary, to request a copy of any document it considers useful for such verifications. CMIL agents are authorised to carry out online inspections and on-site verifications of a data controller or data processor.
Where the CMIL is of the opinion that a data controller or data processor has contravened the provisions of the Data Protection Law, it may impose, according to the severity of the violation committed:
- warnings and notices to comply with the obligations defined in the Data Protection Law;
- notice of withdrawal of the authorisation;
- a financial sanction of up to 5% of pre-tax turnover for the last financial year.
The Data Protection Law provides that any processing of personal data in contravention with its provisions is considered an offence. For example, processing of personal data without prior declaration to or authorisation of the CMIL can result in imprisonment of 6 months to 2 years (Article 62 of the Data Protection Law).
In addition to any penalty, the Court may order the erasure of all or part of the personal data which was the object of the processing considered an offence.
Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing and the data controller is required, at all reasonable times, to make the systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during inspection:
- The record of the consent from a data subject maintained in respect of the processing of that data subject's personal data by the data controller;
- The record of required written notices issued by the data controller to the data subject;
- The list of personal data disclosures to third parties;
- The security policy developed and implemented by the data controller;
- The record of compliance with data retention requirements;
- The record of compliance with data integrity requirements; and
- Such other related information which the Commissioner or any inspection officer deems necessary.
Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defense.
There is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data controllers for breaches of the PDPA.
However, under PCP 01/2020, the Commissioner has proposed to introduce a specific provision stating the right of a data subject to commence civil litigation against a data controller.
Malta regulation
The position under the Maltese Data Protection Act, 2018
Appealing against a decision of the Commissioner
Any person against whom an administrative fine has been imposed by the Commissioner may appeal to the Data Protection Appeals Tribunal within 20 days from service of the Commissioner’s decision imposing such fine. An appeal to the Tribunal may be made on any of the following grounds:
- That a material error as to the facts has been made
- That there was a material procedural error
- That an error of law has been made
- That there was some material illegality, including unreasonableness or lack of proportionality
Within 2 days of filing an appeal, the Registry of the Tribunal shall:
- Serve a copy of the appeal on the Commissioner and request that he or she file a statement on the decision, together with any other information on which the decision was based within 20 days from the date on which the appeal was served
- Serve a copy of the appeal on the respondent(s) to the appealed decision, and request the respondent(s) file a reply within 20 days of service of the appeal
Appealing against a decision of the Data Protection Appeal Tribunal
Any party to an appeal before the Tribunal may appeal to the Court of Appeal by means of an application filed in the registry of that court within 20 days from the date on which the decision of the Tribunal was notified.
Fines against a public authority or body
The Commissioner may impose an administrative fine on a public authority or body of up to EUR 25,000 for each violation and an additional EUR 25 for each day during which such violation persists for an infringement under Article 83(4) of the GDPR. The fine that the Commissioner may impose on a public authority or body for an infringement of Article 83(5) or (6) of the GDPR shall not exceed EUR 50,000 for each violation and additionally EUR 50 for each day during which such violation persists.
Any person who knowingly provides false information to the Commissioner when so requested or who does not comply with any lawful request pursuant to an investigation by the Commissioner, shall be guilty of an offence and upon conviction shall be liable to a fine (multa) of not less than EUR 1,250 and not more than EUR 50,000 or to imprisonment for six months.
Actions against a controller/processor
Without prejudice to any other available remedy, a person who believes that his or her rights under the GDPR or the Act have been infringed may file a sworn application in the First Hall Civil Court for an effective judicial remedy and in the same way may also institute an action for damages against the controller or processor who processes personal data in contravention of the provisions of the GDPR or this Act. If the court finds that the controller or processor is liable for damage caused pursuant to Article 82 of the GDPR, the court shall determine the amount of damages including, but not limited to, moral damages, due to the data subject.
Any action under Article 30 of this Act shall be instituted within 12 months from when the data subject became aware or should have reasonably become aware of such a contravention, whichever is earlier.
The DPA 2017 provides the Commissioner with enforcement authority. Where a complaint is made to the Commissioner that the Act, or any regulations made under it, has been, is being, or is about to be contravened, the Commissioner shall:
- investigate into the complaint or cause it to be investigated by an authorized officer, unless he is of the opinion that the complaint is frivolous or vexatious; and
- where he is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the complaint, notify, in writing, the individual who made the complaint of his decision in relation to it so that the individual may, where he considers that he is aggrieved by the decision, appeal against it to the Information and Communications Technologies (ICT) Appeal Tribunal.
If the Commissioner is of the opinion that a controller or a processor has contravened, is contravening or is about to contravene the DPA 2017, the Commissioner may serve an enforcement notice on the data controller or processor, requiring remedial efforts within a specified time frame.
A person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offense, and, on conviction, is liable to a fine not to exceed 50,000 Mauritian rupees and to imprisonment for a term not to exceed two years.
If the Commissioner has reasonable grounds to believe that data is vulnerable to loss or modification, she may make an application to a Judge in Chambers for an order for the expeditious preservation of such data.
The Commissioner may also carry out periodical audits of the systems and security measures of data controllers or data processors to ensure compliance with data protection principles laid down in the DPA 2017.
Data subjects can enforce their ARCO Rights, when no response is obtained from the data controller via INAI and ultimately the court system.
If any breach of the Law or its Regulations is alleged, INAI may perform an on-site inspection at the data controller’s facilities to verify compliance with the Law.
Violations of the Law may result in monetary penalties or imprisonment, including the following:
INAI may impose monetary sanctions in the range of 100 to 320,000 times the Mexico City minimum wage (currently, MX $88.36, updated every year). Sanctions may be increased up to double the above amounts for violations involving sensitive personal data.
Three months to three years of imprisonment may be imposed on any person authorized to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties will be doubled if sensitive personal data is involved.
Six months to five years of imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or a person authorized to process such data. Penalties will be doubled if sensitive personal data is involved.
In determining the appropriate sanctions, the INAI will consider:
- The nature of the data
- The manifest inadmissibility of the data controller’s refusal to carry out the acts requested by the data subject under this Law
- The intentional or unintentional nature of the action or omission constituting the offense
- The economic capacity of the data controller
- Recidivism
The sanctions imposed by the INAI are without prejudice to any further civil or criminal liability.
The NCPDP is responsible for the enforcement of the Law on Personal Data Protection. The NCPDP is entitled to:
- carry out checks;
- consider complaints from data subjects;
- require the submission of necessary information about personal data processing by the data controller;
- require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data;
- file court actions.
Violation of personal data protection legislation may result in administrative liability. The maximum administrative penalty that can be imposed, as at the date of this review, is MDL (Moldovan lei) 15,000 which is about EUR 780.
If the violation has led to material or moral damages, the violator may be required by the court to reimburse such damages.
The NCPDP may also suspend or prohibit the processing of data if the rules on personal data protection are breached.
In addition to the above, the New Data Protection Law introduces revised penalties for violations of data protection rules. Under the new provisions, infringements of statutory data protection norms may result in administrative fines of up to MDL 2,000,000 (approximately EUR 104,339) or, in the case of undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
These provisions are not yet in effect and will become enforceable as of 23 August 2026.
The New Data Protection Law also establishes a transitional period concerning the application of penalty amounts. During the first three years following the entry into force of these provisions, the penalty amounts will be applied incrementally. The sanctions will gradually increase each year until they reach the maximum amounts specified above.
The CCIN and Monegasque Courts are responsible for enforcing the DPL. If the CCIN becomes aware that a data controller is in breach of the DPL, it can serve an enforcement notice requiring the data controller to resolve the non-compliance. Failure to comply with an enforcement notice is a criminal offense and can be punished on conviction with imprisonment of one month to one year or a fine of between €9,000 and €90,000 or both.
Sanctions remain rare. The CCIN website mentions only one sanction decision, dated July 18, 2017, which consisted of a warning and the setting of an action plan to implement corrective measures, against a Monegasque company which had not submitted to the CCIN a request to conduct automated processing of personal data.
Since the adoption of the Data Protection Law, the General Intelligence Agency of Mongolia, as ordered by the Prime Minister of Mongolia, has been organizing and supervising the deletion of non-overlapping body data (i.e. fingerprints), which was collected by, compiled by or registered with any person other than the Data Controller. Deletion of fingerprints concerns (i) Data Controllers with fingerprint data stored at and connected to the "KHUR" system of the state information exchange, (ii) public and private legal entities that register the check-in or work hours of employees using fingerprints without permission, and (iii) those who use fingerprints for the purposes of exercising other rights and obligations.
As set forth in the Data Protection Law, the Ministry of Digital Development, Innovation and Communications and the National Human Rights Commission are responsible for the enforcement of the Data Protection Law and will investigate an act or practice if (i) such act or practice may be a violation of the privacy of an individual and (ii) a complaint about the act or practice has been submitted. Pursuant to the Data Protection Law, the Data Owner can submit a claim to the administrative courts or the competent authority, as provided under the relevant laws, with respect to its complaint on the data collection, processing and use by the state authority. Complaints on data collection, processing and use by other Data Controllers can be submitted to the other authorised entity or the Human Rights Commission.
Any breach or violation of the Data Protection Law is subject to sanctions under the Violations Law or the Criminal Code of Mongolia. For instance, use of Personal Data contrary to the lawful purposes or the initial permit provided by the Data Owner is subject to a monetary fine in the amount of MNT 500,000 (approx. USD 145) for individuals and MNT 5,000,000 (approx. USD 1,458) for legal entities. Creating a condition that results in a breach of the freedom and legitimate rights of the Data Owner due to processing of Personal Data in electronic form without human interference is also subject to a monetary fine in the amount of MNT 500,000 (approx. USD 145) for individuals and MNT 5,000,000 (approx. USD 1,458) for legal entities. Illegal collection, processing and transfer of Personal Data that is not subject to criminal liability is subject to a monetary fine in the amount of MNT 2,000,000 (approx. USD 583) for individuals and MNT 20,000,000 (approx. USD 5,832) for legal entities.
The DPA is the competent authority for the DP Law's enforcement. It is authorized and obliged to monitor implementation of the DP Law, both ex officio, and upon a third-party complaint.
When monitoring the DP Law's implementation, the DPA is authorized to pass the following decisions:
- Order removal of the existing irregularities within a certain period of time;
- Temporarily ban the processing of personal data which is carried out in violation of the DP Law;
- Order deletion of unlawfully collected data;
- Ban transfer of data outside of Montenegro or its disclosure to data recipients carried out in violation of the DP Law;
- Ban data processing by an outsourced data processor if it does not fulfil the data protection requirements or if its engagement as a data processor is carried out in contravention of the DP Law.
The DPA's decisions may not be appealed, but an administrative dispute before the competent court may be initiated against the same.
The DPA may also file a request for the initiation of offence proceedings before a competent Montenegrin court. The offences and sanctions are explicitly prescribed by the DP Law, which includes monetary fines ranging from €500 to €20,000 for a legal entity and from €150 to €2,000 for a responsible person in a legal entity.
There is also potential criminal liability. The unauthorized collection and use of personal data is a criminal offence under the Montenegrin Criminal Code, punishable with a fine (in an amount to be determined by the court) or imprisonment of up to one year (or up to three years if committed by a public official / state servant when performing his duties). Both natural persons and legal entities can be subject to criminal liability.
The Data Protection National Commission enforces compliance with the DP Law.
Articles 50 to 64 provide that non-compliance with the DP Law is punishable by a fine ranging from DH10,000 to DH600,000 and / or imprisonment of between three months and four years.
If the offender is a legal person, and without prejudice to the penalties which may be imposed on its officers, penalties of fines shall be doubled.
In addition, the legal person may be punished with one of the following penalties:
- The partial confiscation of its property
- Seizure of objects and things whose production, use, carrying, holding or selling is an offense
- The closure of the establishment(s) of the legal person where the offense was committed
Under the Electronic Transactions Act, a violation of the data protection duty or the duties of a data processor is subject to a fine of between 30 and 90 minimum wage salaries in effect in the public administration sector, in the absence of a more serious punishment.
The Penal Code (Law no. 24/2019 of December 24, as amended by Law no. 17/2020 of December 23) provides for certain cybercrimes, such as intrusion into an automated database, which is subject to imprisonment of up to two years and a corresponding fine. There are also other cybercrimes, such as fraud through electronic means and unauthorized use of data resulting in unjust enrichment, which are subject to imprisonment of generally one to five years and a corresponding fine. The new Penal Code attempts to bridge the gap by identifying cybercrimes related to data protection which are punishable.
The Cybersecurity Bill also makes provision for fines and sanctions for the violation of its provisions.
However, given that Mozambique does not have specific data protection laws nor a specific authority responsible for overseeing data protection matters, enforcement of data protection-related matters is minimal.
None so far as at December 18, 2024.
There is no enforcement mechanism in place.
As mentioned above, the prevailing laws have not designated a Data Protection Authority. Nonetheless, the Privacy Act and the Criminal Code provide a complaint mechanism.
A complaint of an offence under the Privacy Act is processed either by the concerned person filing a plaint at the concerned district court or by filing an FIR at the relevant police office. In the latter case, the concerned police office, through the government office, would file a charge sheet in the concerned district court. Whether a complaint is filed directly at the district court or at the police office is determined by the nature of the offence. For an offence under the Criminal Code, the FIR process described above is adopted.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define 'undertaking' and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of 'undertaking'. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- The basic principles for processing including conditions for consent
- Data subjects’ rights
- International transfer restrictions
- Any obligations imposed by Member State law for special cases such as processing employee data
- Certain orders of a supervisory authority
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- Obligations of controllers and processors, including security and data breach notification obligations
- Obligations of certification bodies
- Obligations of a monitoring body
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of non-material damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Netherlands regulation
On the basis of Article 58(6) GDPR and in addition to the power to impose fines pursuant to the GDPR, the Dutch DPA has the power to impose an administrative enforcement order (last onder bestuursdwang) or an order subject to penalty (last onder dwangsom) to enforce obligations laid down by or pursuant to the Implementation Act.
In New Zealand, the Privacy Commissioner is responsible for investigating a breach of privacy laws. The Privacy Commissioner has powers to enquire into any matter if the Privacy Commissioner believes that the privacy of an individual is being, or is likely to be, infringed. The Privacy Commissioner will primarily seek to settle a complaint by conciliation and mediation. If a complaint cannot be settled in this way, a formal investigation may be conducted so that the Privacy Commissioner may form an opinion on how the law applies to the complaint. The Privacy Commissioner’s opinion is not legally binding but is highly persuasive.
If the Privacy Commissioner is of the opinion that there has been an interference with privacy, the Privacy Commissioner may refer the matter to the Director of Human Rights who may then in turn decide to take the complaint to the Human Rights Review Tribunal. The Tribunal will hear the complaint afresh and its decision is legally binding. It can award damages for breaches of privacy.
The Privacy Commissioner can also issue compliance notices requiring agencies to take certain actions, or stop certain activities, in order to comply with the Act. Compliance notices will describe the steps that the Privacy Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the agency must make the necessary changes. The Privacy Commissioner can also issue access directions requiring agencies to provide individuals access to their personal information.
It is an offence to:
- mislead an agency to access another individual's personal information;
- destroy personal information, knowing that a request has been made to access it;
- without reasonable excuse, obstruct, hinder, or resist the Privacy Commissioner or any other person in the exercise of their powers under the Act;
- without reasonable excuse, refuse or fail to comply with any lawful requirement of the Privacy Commissioner or any other person under the Act;
- give false or misleading statements to the Privacy Commissioner;
- represent directly or indirectly that a person holds any authority under the Act when they do not hold that authority; or
- fail to notify the Privacy Commissioner of a notifiable privacy breach.
The penalty for these offences is a fine of up to NZD 10,000.
Because the institution that supervises the application of the norm (the Personal Data Protection Directorate) has not been formally incorporated, the provisions are not being duly enforced by the government.
As of 21 December 2023, we have not identified any notable enforcement decision issued by the High Authority for the Protection of Personal Data ("HAPDP") pertaining to the Law.
The Commission is saddled with supervisory and enforcement responsibilities in respect of data protection matters in Nigeria. It collaborates with security agencies like the office of the Inspector General of Police to ensure full compliance and enforcement. A data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in respect of their obligations, may lodge a complaint with the Commission. The Commission may investigate any complaint referred to it as long as it does not appear to be frivolous or vexatious. Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any requirement under the Act or any subsidiary legislation, the Commission may make an appropriate compliance order against that data controller or data processor. The order made by the Commission may include:
- warning that certain act or omission is likely to be a violation of one or more provisions under the Act or any subsidiary legislation or orders issued under it;
- requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under the Act; or
- cease and desist order requiring the data controller or data processor to stop or refrain from doing an act, which is in violation of the Act, including stopping or refraining from processing personal data that is the subject of the order.
If the Commission, after completing an investigation, is satisfied that a data controller or data processor has violated any provision of the Act it:
- may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and
- shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.
An enforcement order made or sanction imposed shall include:
- requiring the data controller or data processor to remedy the violation;
- ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
- ordering the data controller or data processor to account for the profits realised from the violation; or
- ordering the data controller or data processor to pay a penalty or remedial fee.
Applicable remedial fees are as follows:
- For data controllers / processors of major importance, the organization can be fined up to 2% of its annual gross revenue in the preceding financial year or 10 million Naira, whichever is greater;
- For data controllers / processors not of major importance, the organization can be fined up to 2% of its annual gross revenue in the preceding financial year or 2 million Naira, whichever is greater.
Also, a data controller or data processor who fails to comply with orders made by the Commission commits an offence and is liable on conviction to: (a) a fine of up to (i) the higher maximum amount, in the case of a data controller or data processor of major importance, or (ii) the standard maximum amount, in the case of a data controller or data processor not of major importance; or (b) imprisonment for a term of not more than one year; or both.
The DPA has supervisory authority over the protection of personal data, as a systemic and independent control over the legality of the undertaken actions during personal data processing. This supervision entails the inspection, assessment, giving direction and imposing measures to data controllers and processors, through supervisors with the DPA.
The supervision may be:
- regular (announced supervision, conducted in line with the DPA’s annual supervision program);
- extraordinary (unannounced supervision, conducted upon a request, initiative, ex officio or in cases where the supervisors suspect that a breach of the DP Law has occurred); and
- control (conducted within six months after the expiration of the deadline for rectifying violations).
The supervisors enforce DP Law violations by ordering data controllers or processors to remedy violations within a specified time period, or by requesting the initiation of a misdemeanor procedure before the Misdemeanor Commission, taking the seriousness of the offense into consideration. Fines for legal entities are capped at up to 2% or up to 4% of the total annual turnover from the previous financial year, depending on the infringement, with smaller fines of several hundred euros for the responsible persons at the infringer and for data controllers and processors who are natural persons. Additionally, there is a fine in the range between EUR 1,000 and EUR 10,000 for data controllers which are legal entities and which do not adhere to the video surveillance requirements. Entities may dispute DPA fines by initiating proceedings before the Administrative Court of the Republic of North Macedonia.
Individuals are also entitled to bring private claims against controllers and/or processors and request compensation for material or non-material damages suffered due to a breach of the DP Law. Individuals also have the right to lodge a complaint with the DPA and the right to an effective judicial remedy against a decision (or lack thereof) of the DPA concerning them.
The Criminal Code of North Macedonia includes a criminal offense for misuse of personal data punishable by a monetary fine or imprisonment of up to one year, as determined by the court.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Norway regulation
Fines
Fines may be imposed on public authorities. Furthermore, the PDA sets out that fines under the GDPR will also apply to a breach of GDPR Article 10 (processing of data relating to criminal convictions) and Article 24 (obligation on the controller to implement appropriate technical and organizational measures to demonstrate that processing is in accordance with the GDPR).
For breaches of provisions of PECA 2016 appropriate relief may be sought through courts of law having jurisdiction in the matter. Specifically, for the breach of personal data and identity information, section 16(2) of PECA 2016 authorizes PTA to secure, destroy, block access to, or prevent transmission of such data if an application is made by the data subject.
Other mechanisms of enforcing data protection also require action by data subjects themselves. An individual may file a complaint with the National Response Centre for Cyber Crime (NR3C) of the Federal Investigation Agency (FIA), which is the law enforcement agency authorized under PECA 2016 and its rules.
Sector specific legislation is enforceable by its respective regulatory or governmental authorities.
Additionally, the PDPB, which is yet to be promulgated, would permit the relevant regulatory authority to exercise all powers required to enable the same to enforce the provisions of the PDPB.
ANTAI, through a Directorate created for this purpose, is empowered to sanction data controllers or data processors that are found to have infringed data subjects' rights in the course of an investigation of complaints filed and proven against them. Sanctions are determined by ANTAI, which sets the amount applicable to the respective violation according to its seriousness, ranging from one thousand US dollars (USD 1,000.00) up to ten thousand US dollars (USD 10,000.00).
The current legal regime contemplates the following enforcement mechanisms:
- Without the need for a court order, a data subject has the right to (i) access the information and data about themselves, their dependents and/or property and know how such data is used; and (ii) request the correction and suppression of the information (Art. 5 and 8 of the Personal Credit Data Protection Law). Data controllers and processors must establish simple, fast, accessible and free of charge procedures to enable data subjects to exercise their rights. However, where the data subject's efforts in obtaining the above are unsuccessful, they may bring court actions to compel access to personal data and request the correction, suppression or updating of such data; and
- Violations against obligations established under the Personal Credit Data Protection Law and the Electronic Commerce Law are subject to fines.
The enforcement authorities for the enforcement of the Personal Credit Data Protection Law are the Central Bank of Paraguay ('BCP') and the National Secretariat of Consumer and User Defense ('SEDECO'). The BCP has authority to further regulate, interpret and enforce the Law (Art. 20 of Personal Credit Data Protection Law).
At a glance
The General Directorate of Sanctions (part of the NDPA) investigates and resolves violations in the first instance and imposes sanctions, and also conducts the investigation phase in accordance with the applicable legislation.
The General Directorate for the Protection of Personal Data (also part of the NDPA) resolves the sanctioning procedure in the second and final instance, and its decision exhausts the administrative route.
Possible sanctions for breaching data protection standards vary depending on the nature or magnitude of the offense:
- The fine applicable to minor infringement ranges from S/ 2,675 to S/ 26,750 (approximately between USD 720 and USD 7,200).
- The fine applicable to severe infringements ranges from S/ 26,750 to S/ 267,500 (approximately between USD 7,200 and USD 72,000).
- The fine applicable to very severe infringements ranges from S/ 267,500 to S/ 535,000 (approximately between USD 72,000 and USD 144,000).
The NPC is responsible for ensuring compliance of the PIC with the Act. It has the power to receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any Personal Information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report. Additionally, the NPC can issue cease and desist orders, impose a temporary or permanent ban on the processing of Personal Information, upon finding that the processing will be detrimental to national security and public interest.
The NPC, however, cannot prosecute violators for breach of the Act for which criminal penalties can be imposed. The Department of Justice is tasked with the prosecution for violations of the Act that are punishable with criminal sanctions.
The following actions are punishable by the Act with imprisonment in varying duration plus a monetary penalty:
- processing of Personal Information or Sensitive Personal Information:
- without the consent of the data subject or without being authorized by the Act or any existing law; or
- for purposes not authorized by the data subject or otherwise authorized under the Act or under existing laws;
- providing access to Personal Information or Sensitive Personal Information due to negligence and without being authorized under this Act or any existing law;
- knowingly or negligently disposing, discarding or abandoning the Personal Information or Sensitive Personal Information of an individual in an area accessible to the public, or otherwise placing the Personal Information of an individual in its container for trash collection;
- knowingly and unlawfully, or in violation of data confidentiality and security data systems, breaking in any way into any system where Personal and Sensitive Personal Information is stored;
- concealing the fact of such security breach, whether intentionally or by omission, after having knowledge of a security breach and of the obligation to notify the NPC pursuant to Section 20(f) of the Act;
- disclosing by any PIC or PIP or any of its officials, employees or agents, to a third party Personal Information or Sensitive Personal Information without the consent of the data subject and without malice or bad faith; and
- disclosing, with malice or in bad faith, by any PIC or PIP or any of its officials, employees or agents of unwarranted or false information relative to any Personal Information or Sensitive Personal Information obtained by him or her.
In August 2022, the NPC issued a Circular on Administrative Fines for data privacy infractions committed by PICs and PIPs.
In January 2024, the NPC amended certain provisions of its 2021 Rules of Procedure including:
- clarifying the criteria for filing a complaint, introducing specific provisions for minors, individuals alleged to be incompetent, and non-resident citizens;
- recognizing the service of judgments, orders, or resolutions issued by the NPC through electronic systems;
- allowing for multiple parties to join or be joined as either complainants or respondents in one complaint;
- institutionalizing videoconferencing technology as an alternative venue for mediation proceedings, enabling the remote appearance and testimony of parties beyond NPC premises;
- introducing rules on compliance checks. These checks ascertain whether the activities by PICs and PIPs that involve the processing of personal data are carried out in accordance with the standards provided under the DPA, its implementing rules and regulations, and related issuances.
EU regulation
In 2021, the Polish DPA issued seventeen administrative fines. Most of them were connected with a failure of an entity to provide information to or cooperate with the Polish DPA, as well as not having sufficient technical and organisational measures to ensure information security.
The biggest fine of 2021 was imposed on a company that provides comprehensive, integrated media and telecommunications services. Its infringement consisted in the failure to implement appropriate technical and organisational measures to ensure the security of personal data processed in cooperation with a courier service provider. The large number of data breaches involved the loss of correspondence with personal data or the delivery of correspondence to the wrong recipient. The company’s data controller reported the breaches to the supervisory authority and notified the affected individuals two or even three months after they occurred. The company was fined EUR 245,000.
Another fine was issued on 14 October 2021. The Polish DPA had become aware of a data protection breach following a complaint against a bank. It turned out that correspondence sent by the bank through a courier service containing personal data (e.g. first name, surname, PESEL number, home address, account numbers and identification numbers of customers) had been lost. The bank had failed to report the incident to the Polish DPA and provide adequate notice to the data subjects and was fined EUR 78,000.
Another decision was issued against an insurance company for failing to report a personal data breach to the Polish DPA and failing to notify the data subject of the breach. The breach was caused by an employee of a financial intermediary sending an insurance needs analysis and an insurance offer, including data such as first name, surname, PESEL number, city, postal code and information on the subject of the insurance, by e-mail to the wrong recipient. The fine was EUR 35,300.
Another fine resulting from a failure to report a personal data breach to the Polish DPA was imposed on a generator, distributor and retailer of electricity. The breach involved sending an email with an unencrypted, non-password-protected attachment containing the personal data of several hundred people. The sender of the email was an associate of the company, which was fined EUR 30,000.
The last of the major fines imposed in 2021 concerned the National School of Judiciary and Public Prosecution, whose data controller failed to implement sufficient technical and organisational measures related to its training platform website. During a test migration to a new platform, the data of more than 50,000 individuals had been exposed on the Internet. The Polish DPA imposed a fine of EUR 22,200.
Poland regulation
In 2022, the Polish DPA issued ten decisions imposing administrative fines which, similarly to the previous year, concerned the failure to provide information to the Polish DPA, lack of cooperation with the Polish DPA, and the use of insufficient technical and organisational measures to ensure information security.
So far, the highest fine of 2022, i.e. EUR 1,000,000, was imposed on an electricity and gas trading company, which sells electricity and gas to both business and household end users. The company failed to implement appropriate technical and organisational measures, but also did not properly verify its data processor. The Polish DPA found that unauthorised persons had managed to access and siphon off customer data and blamed both the controller and the processor for the personal data breach affecting more than 100,000 individuals for five days. As a result, the processor was also fined EUR 53,000.
Another fine was imposed on a bank which did not report a personal data breach to the Polish DPA in a timely manner, despite the fact that around 10,500 people were affected. In its decision, the Polish DPA emphasised that it was not necessary for the risk to have actually materialised, but the mere fact that it could have, was sufficient. The bank was fined EUR 118,000.
One recent decision concerned a telecoms operator that failed to report a data breach to the Polish DPA within 24 hours in accordance with the provisions of Telecommunications Act. The company’s data controller also did not notify the affected individuals. The breach occurred during the process of concluding a contract, as an email containing a copy of the contract and its annexes was sent to an address incorrectly indicated by the customer. This was not the first time the entity had not notified the Polish DPA of a data breach by the required deadline, which also had an impact on the fine, which was EUR 53,000.
The same telecoms operator is also the owner of a company providing prepaid and postpaid wireless voice, text and data communications services throughout Poland. This case started in 2019 when the Polish DPA imposed a fine of EUR 444,000 for the lack of appropriate technical and organisational measures to ensure the security of the data it was processing. The company lodged an appeal following the decision and as a result the administrative court stated that the Polish DPA should re-assess the amount of the fine. The company had to pay a fine in the amount of EUR 374,00.
In 2023, the Polish DPA imposed a fine of EUR 24,000 on an insurance company for failing to report a data breach within the required 72-hour timeframe. The breach involved an unauthorised recipient receiving an email with sensitive personal data, including names, addresses, and insurance details. Despite being aware of the incident, the company did not notify the supervisory authority, leading to the fine. The decision highlights the importance of timely reporting and proper risk assessment to protect individuals' data rights.
In 2024, the Polish DPA imposed an administrative fine of EUR 326,000 on a bank for failing to report a personal data protection breach. The Polish DPA found out about the breach at the bank from the media. It involved the publicising of bank documents contained in a parcel abandoned on one of the housing estates, after it had previously been stolen from a courier company. The Polish DPA emphasised that the risk to an individual's rights or freedoms should be assessed from the perspective of the person at risk, rather than the controller's interests. Failing to report a data breach to both the affected individuals and the Polish DPA hinders an appropriate response and risk evaluation, potentially leading to serious consequences for the data subjects.
In 2024, the Polish DPA imposed a monetary penalty on an entity whose employee lost a memory stick. The memory stick contained partially encrypted personal data of another controller employee. The lost external data carrier contained unencrypted files with the employee's personal data in terms of name, home address, nationality, gender, date of birth, PESEL number, passport series and number, telephone number, email address, photograph (image) and salary details. In addition, the data medium also contained encrypted financial data files. It was found that the company failed to apply appropriate technical and organisational measures to protect personal data, which violated the principles of integrity, confidentiality and accountability. The controller was fined EUR 56,000.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- The basic principles for processing including conditions for consent
- Data subjects’ rights
- International transfer restrictions
- Any obligations imposed by Member State law for special cases such as processing employee data
- Certain orders of a supervisory authority
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- Obligations of controllers and processors, including security and data breach notification obligations
- Obligations of certification bodies
- Obligations of a monitoring body
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Portugal regulation
CNPD is the supervisory authority responsible for the enforcement of personal data protection laws and regulations in Portugal. Failure to comply with applicable data protection and privacy legal requirements may result in criminal, civil and administrative liability. Law no 58/2019 of 8 August contains provisions relating to civil, administrative and criminal liability:
(a) The use of personal data in a manner that is incompatible with the purposes of collection, unauthorized access, or deviation of personal data; the vitiation or erasure of personal data; the insertion of false data, the violation of the duty of secrecy and disobedience, constitute crimes punishable by a prison sentence of up to four years or a fine of up to 480 days. In general terms, legal persons and similar entities have criminal liability.
(b) Any person who has suffered damages due to the unlawful processing of personal data or any other act that violates the provisions of the GDPR or of the national law on personal data protection, has the right to compensation from the data controller or the processor for the damage suffered.
(c) Very serious administrative offences shall be punishable with a fine:
- From EUR 5,000 to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the cases of large companies
- From EUR 2,000 to EUR 2,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the case of SMEs
- From EUR 1,000 to EUR 500,000, in the case of natural persons
Serious administrative offences shall be punishable with a fine:
- From EUR 2,500 to EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the cases of large companies
- From EUR 1,000 to EUR 1,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the cases of SMEs
- From EUR 500 to EUR 250,000, in the case of natural persons
However, the local supervisory authority issued Decision 494/2019, deciding not to apply certain provisions of Law no 58/2019 of 8 August, notably those relating to the sanctions applicable to administrative offences, as they were considered to contradict the GDPR. Accordingly, the local supervisory authority will apply the sanctions described in the GDPR.
In Qatar, the NCGAA is responsible for the enforcement of the Data Protection Law. Any data subject may submit a complaint to the NCGAA in the case of a violation of the Data Protection Law. The NCGAA will investigate the complaint and, if the complaint is found to be valid, the NCGAA can oblige the data controller or processor to rectify the violation within a specified time period.
The NCGAA can also impose fines of up to 5 million (US$1.4 million) for violations of the Data Protection Law.
In the QFC, the DPO oversees the enforcement of the DPL.
The DPO has, inter alia, the following powers:
- To order a data controller or processor to provide information that the DPO requires for the purposes of its performance of its duties;
- To carry out investigations and audits;
- To issue reprimands or orders to rectify infringements of the DPL and DPR;
- To order a data controller or processor to comply with the data subject's requests to exercise its rights under the DPL;
- To order a data controller or processor to carry out processing operations in a specified manner; and
- To impose penalties and such other corrective measures.
We are not aware of any enforcement cases; the Commission is not yet established.
Criminal sanctions apply as well as fines ranging from USD 1,800 to 180,000.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or €20 million (whichever is higher).
The European Commission intends that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define 'undertaking' and the case law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of 'undertaking'. Under EU competition law case law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on subsidiaries in some circumstances (broadly where there is participation or control), under a theory of so-called 'look through' liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories. The highest fines of up to €20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of any of the following:
- The basic principles for processing including conditions for consent
- Data subjects’ rights
- International transfer restrictions
- Any obligations imposed by Member State law for special cases such as processing employee data
- Certain orders of a supervisory authority
The lower category of fines of up to €10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of any of the following:
- Obligations of controllers and processors, including security and data breach notification obligations
- Obligations of certification bodies
- Obligations of a monitoring body
Supervisory authorities are not required to impose fines, but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive.
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive compensation from the controller or processor. The inclusion of non-material damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf.
Individuals also enjoy the right to lodge a complaint with a supervisory authority.
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision.
Data subjects enjoy the right to an effective legal remedy against a controller or processor.
Romania regulation
ANSPDCP is entitled to investigate any breach of the GDPR provisions ex officio or following a complaint filed by a prejudiced data subject. The procedure on how ANSPDCP investigations can be conducted is provided by ANSPDCP Decision no. 161/2018.
Law no. 190/2018 provides specific rules with respect to enforcement. Specifically, ANSPDCP may issue written warnings and apply fines.
Misdemeanours committed by public authorities / bodies can be sanctioned with a fine ranging from RON 10,000 (approx. EUR 2,100) to RON 200,000 (approx. EUR 42,000).
In Russia, the Agency is responsible for the enforcement of data protection rules. The Agency is entitled to:
- carry out checks;
- consider complaints from data subjects;
- demand necessary information about personal data processing by the data operator;
- order the data operator to undertake certain actions according to the law, including discontinuance of the processing of personal data;
- file court actions;
- initiate criminal cases; and
- impose administrative liability for violations of data privacy rules.
If the Agency becomes aware that a data operator is in violation of the law, an enforcement notice may be issued, requiring the data operator to correct the violation.
A data operator can face civil or administrative penalties for violation of personal data law. Executives of the data operator responsible for violation of data rules may also face personal liability, including, in some cases, criminal liability. Criminal liability is not often applied, but may be imposed for violations, such as:
- Unlawful collection or dissemination of information about a data subject's private life, personal or family secrets, or public dissemination or leak to mass media of such information;
- Violation of data subjects' right to secrecy of correspondence, telephone conversations, postal, telegraphic and other communications; or
- Unlawfully accessing legally protected computer information, if this act resulted in the destruction, blocking, modification or copying of computer information, including personal data.
Usually, in the case of a violation of data protection law, the Agency will serve an enforcement notice requiring the correction of the violation. In many cases, the Agency may also impose an administrative penalty and, in some cases, may also recommend further actions against the individuals responsible for the violation.
The default administrative fines for most initial violations of data privacy rules are between ₽60,000 and ₽150,000, and up to ₽300,000 for repeated violations.
There are specific rules for a breach of the rules on written consent. In these cases, the fine for initial offences is between ₽300,000 and ₽700,000, and for repeated violations between ₽1,000,000 and ₽1,500,000.
For violation of data localisation rules, the maximum administrative penalty is currently ₽18,000,000 for repeated violations; actual penalties are imposed at lower levels.
The State Duma is considering significantly increasing existing fines and implementing new fines:
- Failure to fulfil, or untimely fulfilment of, the obligation to notify the Agency of the intention to process personal data: from ₽100,000 to ₽300,000;
- Failure to notify, or late notification of, the Agency of a leak of personal data: companies are proposed to be fined up to ₽3,000,000 for this violation;
- Actions (or inaction) of the data operator causing a leak of personal data would involve a fine for companies between ₽5,000,000 and ₽20,000,000, depending upon the number of affected data subjects and the number of identifiers relating to them. For repeated leaks, a fine ranging from 0.1% to 3% of the data operator's aggregate revenue (in any case not less than ₽15,000,000 or more than ₽500,000,000); and
- It is also proposed to criminalize the unlawful processing of computer information containing personal data, as well as the creation or operation of information resources intended for the unlawful storage or dissemination of such information. Penalties would include fines, compulsory labor and imprisonment.
While there has been a strong negative reaction in industry to the new fines and it would be expected that the proposed bill will be changed, it does appear that higher penalties for data law violations will come into force in the foreseeable future.
The Data Protection Law provides for administrative misconduct sanctioned by administrative fines (article 53) and offences sanctioned by imprisonment and fines (article 56 to 63).
Administrative misconduct sanctioned by the NCSA with administrative fines includes operating without a registration certificate, failure to designate a personal data officer, and failure to respect obligations related to personal data breaches (notification, report, and communication) (article 53). The administrative fine is between RWF 2,000,000 and RWF 5,000,000 or, for a corporate body or legal entity, 1% of the global turnover of the preceding financial year.
Any person not satisfied with the administrative sanction taken against them has the right to file an application to the competent court (article 54).
The NCSA is the initial organ in charge of settlement of conflicts arising in relation to the Data Protection Law.
The Data Protection Law provides that the following violations are considered criminal offences (article 56 to 61):
- access, collection, use, offer, share, transfer or disclosure of personal data contrary to the Data Protection Law;
- re-identification of de-identified personal data contrary to the Data Protection Law;
- destruction, erasure, concealment or alteration of personal data contrary to the Data Protection Law;
- sale of personal data contrary to the Data Protection Law;
- collection or processing of sensitive personal data contrary to the Data Protection Law;
- provision of false information.
A corporate body or legal entity convicted of committing an offence is liable to a fine amounting to 5% of the annual turnover of the previous financial year (article 62).
Additional penalties for the offences that the court can order include (article 63):
- seizure or confiscation of items used in the commission of any of the offences;
- permanent or temporary closure of the legal entity or body or the premises in which any of the offences were committed.
Under the PDPL, the following penalties apply with respect to violations:
- Disclosure or publication of sensitive data in violation of the PDPL with intent to harm the data subject or to achieve a personal benefit, is punishable by imprisonment for up to two years and/or a fine up to SAR 3 million;
- Other breaches of the PDPL not covered by the previous point are punishable by a warning or by a fine not exceeding SAR 5 million. Separately, SDAIA has the power to issue warnings / administrative fines of up to SAR 5 million for any other violation, which is appealable. This is without prejudice to any more severe penalty stipulated in another law.
Note, the competent court may double the penalty of a fine for repeat offenders (even if this results in exceeding the maximum limit(s) set out above, provided that it does not exceed double the limit(s)).
Further, the competent courts may order confiscation of funds obtained as a result of committing violations (without prejudice to bona fide third party rights). The competent courts / committee may also order publication of a summary of the judgement or decision at the violator's expense.
Any person who suffers harm as a result of violation of the PDPL has a right to claim compensation before the competent court for material or moral damage.
The Commission for the Protection of Personal Data has the power to investigate, warn, and sanction. There are three forms of investigations that can be carried out:
- onsite inspections;
- documentary inspections;
- hearing inspections.
The CDP can also send a warning to a controller that does not comply with legal regulations. Six major corporations in 2014/2015 received warnings and notices from the CDP.
As regards sanctions, the CDP has the power to impose civil / administrative sanctions and criminal sanctions. When there is a breach, the CDP can impose a civil or administrative sanction by:
- a provisional withdrawal for three months of the given authorisations; the withdrawal becomes definitive at the end of the three-month period if the breach remains;
- fines of between 1 million XOF and 100 million XOF;
- in urgent cases, interrupting the processing of data for a duration that cannot exceed three months;
- locking certain kinds of data for a duration not exceeding three months;
- prohibiting processing that does not comply with the regulation.
The CDP can also impose a criminal sanction consisting of imprisonment of between six and seven years, in addition to a fine of between 200,000 XOF and 10 million XOF.
The DPA is responsible for the enforcement of the DP Law. Namely, the DPA is authorized and obliged to monitor whether the law is implemented and it conducts such monitoring both on its own accord and based on any complaints it receives. If it establishes, when performing the respective monitoring, that a particular person / entity which processes personal data has acted in contravention to the statutory rules on processing, the DPA shall issue a warning to the particular data controller. It may also issue a decision by which it can, among other things:
- Order the data controller to eliminate the existing irregularities within a certain period of time.
- Temporarily forbid particular processing.
- Order deletion of the data collected without a legal ground.
The DPA's decision cannot be appealed, but an administrative dispute can be initiated against the respective decision before a competent Serbian court.
Depending on the gravity of the particular misconduct and the data controller's behaviour with respect to it, the DPA can initiate offence proceedings against the respective data controller before the competent court. The offences and the sanctions for them are explicitly prescribed by the DP Law. The respective sanctions are fines of up to EUR 17,000 for a legal entity and up to EUR 1,275 for a responsible person in a legal entity. Additionally, the DPA is now also able to directly fine controllers and processors in certain situations, with fines in the amount of EUR 850. Prior to the adoption of the DP Law, only the Court of Offences was entitled to impose fines.
Criminal liability is also a possibility since the Serbian Criminal Code prescribes a criminal offence of unauthorized collection of personal data. The prescribed sanctions are a fine (of an amount to be determined by the court) or imprisonment of up to one year (i.e. up to three years if the offence is committed by a public official / state servant when performing his duties). Both natural persons and legal entities can be subject to the respective liability.
Formally speaking, under the Law on Administrative Procedure ('Official Gazette of the Republic of Serbia', nos. 18/2016, 95/2018 and 2/2023), the DPA is also authorized to enforce its orders by threatening a company with a fine of up to 10% of its annual income in Serbia in case it fails to comply with the order. This option has not yet been tested in practice, to the best of our knowledge.
If the Data Protection Commissioner is satisfied that a registered person has contravened or is contravening any of the data protection principles, the Data Protection Commissioner may serve that person with an enforcement notice requiring him to take such steps for complying with the principle or principles in question. In deciding whether to serve an enforcement notice the Data Protection Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
An enforcement notice in respect of a contravention of the data protection principle concerning data accuracy may require the user to rectify or erase the data and any other data held by him containing an expression of opinion which appears to the Data Protection Commissioner to be based on the inaccurate data.
If by reason of special circumstances the Data Protection Commissioner considers that the steps required by an enforcement notice should be taken as a matter of urgency, he may include a statement to that effect in the notice.
The Data Protection Commissioner may cancel an enforcement notice by written notification to the person on whom it was served.
Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for the person charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.
If the Data Protection Commissioner is satisfied that a registered person has contravened or is contravening any of the data protection principles, the Commissioner may serve the person with a de-registration notice stating that the Data Protection Commissioner proposes to remove from the register all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person. In deciding whether to serve a de-registration notice, the Data Protection Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the Data Protection Commissioner shall not serve such a notice unless he is satisfied that compliance with the principle or principles in question cannot be adequately secured by the service of an enforcement notice.
Enforcement of the Act is carried out by the Commission, which includes giving directions to an organization to do any of the following:
- Stop collection, use or disclosure of personal data in contravention of the Act;
- Destroy personal data collected in contravention of the Act;
- Provide or refuse access to or correction of personal data;
- Pay a financial penalty of either up to (i) 10% of an organization’s annual turnover in Singapore for those with annual turnover in Singapore that exceeds SGD 10 million, or (ii) SGD 1 million.
These directions may be registered with the Singapore District Courts so that they may have the force and effect of an order of court.
The Commission issued revised Advisory Guidelines on Enforcement Data Protection Provisions on 1 February 2021.
Further, new criminal offences are in force to hold individuals accountable for egregious mishandling of personal data, including knowing or reckless unauthorized disclosure, unauthorised re-identification of anonymized data, or use of personal data for a gain or to cause harm or loss to another person.
Guidelines published by the Commission indicate how in practice the Commission proposes to handle complaints, reviews and investigations of breaches of the data protection rules under the Act, and to approach enforcement and sanctions. Amongst other things, they set out the Commission's enforcement objectives, and guidance regarding the mitigating and aggravating factors that the Commission will take into account when issuing directions and sanctions (for example, prompt initial response and resolution of incidents; cooperation with investigations; and breach notification). The Commission has in the past couple of years stepped up its efforts to enforce the Act, highlighting the growing risks of non-compliance with the Act in Singapore.
Directions or decisions given are subject to reconsideration by the Commission, upon written application by any aggrieved party.
Directions, decisions or reconsiderations of the Commission may also be subject to appeal to a Data Protection Appeal Committee, unless the direction or decision to be appealed is the subject of an application for reconsideration, in which case such appeal would be deemed withdrawn.
Directions may only be appealed to the High Court and Court of Appeal with regard to the following:
- A point of law arising from a direction or decision of the Appeal Committee
- Any direction of the Appeal Committee as to the amount of a financial penalty
Any person who has suffered loss or damage directly as a result of a contravention of the Act is also entitled to pursue a private action in court. However, where the Commission has made a decision with regard to the said loss or damage, a right of private action will only be possible after the decision has become final as a result of there being no further right of appeal. The court may grant to the plaintiff all or any of the following:
- Relief by way of injunction or declaration
- Damages
- Such other relief as the court thinks fit
National Ordinance Personal Data Protection
Pursuant to article 60, a responsible party who acts in contravention of the provisions of the National Ordinance Personal Data Protection may be penalized by the Sint Maarten committee of data protection with a financial penalty of a minimum amount of Naf. 1,000 (USD 571.43) and a maximum amount of Naf. 500,000.00 (USD 277,777.78).
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they have suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Slovak Republic regulation
The Slovak Office has various powers to ensure compliance with the Slovak Data Protection Act and the GDPR.
For example, the Slovak Office is entitled to:
- on request, provide information to a data subject in relation to the exercise of her / his rights;
- order a controller or a processor to provide the necessary information;
- order a data controller to notify a data subject of a personal data breach;
- enter the premises of a controller or a processor;
- impose a corrective measure or a fine.
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5) GDPR) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4) GDPR) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate, and dissuasive (Article 83(1) GDPR).
Fines can be imposed in combination with other sanctions.
It should be noted that the Slovenian Information Commissioner (Informacijski pooblaščenec) can impose fines on the basis of ZVOP-2.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58 GDPR) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- Any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1) GDPR) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80 GDPR).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77 GDPR).
All natural and legal persons, including individuals, controllers, and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78 GDPR).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79 GDPR).
No general additional requirements are inserted in ZVOP-2.
Any person may submit a complaint to the Information Regulator alleging non-compliance with POPIA. The Information Regulator may also initiate an investigation into interference with the protection of personal information.
Upon receipt of a complaint, the Information Regulator may, inter alia, conduct a pre-investigation or full investigation of the complaint, act as conciliator, refer the complaint to another regulatory body if the Information Regulator considers that the complaint falls more properly within the jurisdiction of the other regulatory body, or decide to take no further action.
The Information Regulator's powers, for purposes of investigating a complaint include the power to summons and enforce the appearance of persons before the Information Regulator to give evidence or produce records or things; enter and search the premises occupied by a responsible party; and conduct interviews and inquiries.
If the Information Regulator is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject, it may issue an enforcement notice prescribing action to be taken by the responsible party to remedy the situation.
A responsible party who fails to comply with an enforcement notice is guilty of an offence and is liable, on conviction, to a fine or imprisonment (or both) for a period of no longer than ten years (in terms of section 107), or alternatively to an administrative fine (in terms of section 109). Currently, the maximum fine under sections 107 and 109 of POPIA is R10 million.
Section 99 also makes provision for a civil action for damages resulting from non-compliance with POPIA. In order to succeed in such a claim the complainant would need to prove all the elements of a delict: wrongful conduct, causation, fault (intent / negligence) and harm. The data subject would need to prove the quantum of the damages that s/he seeks.
Non-compliance with the PIPA may result in administrative surcharges, administrative fines, corrective orders, and / or criminal punishment.
For example, PIPC, the supervising authority, can issue a corrective order in response to any breach of an obligation not to provide personal information to a third party. Breach of a corrective order leads to an administrative fine of not more than KRW 30 million. Prior to issuing a corrective order, PIPC may take an incremental approach and instruct, advise and make recommendations to the personal data controller. On the other hand, where personal information has been transferred to a third party without the consent of the data subject and in the absence of exceptional circumstances, both the transferor and the transferee (if it received the personal information knowing that the data subject had not given consent) can be subject to criminal sanctions (imprisonment of up to 5 years or a criminal fine of up to KRW 50 million).
Punitive damages
In instances of data breaches caused by the personal data controller's intentional act or negligence, the personal data controller may be liable for up to five times the damages suffered.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Spain regulation
NLOPD has established different levels of infringements (very serious, serious and minor) which are linked to different limitations’ periods (3, 2 and 1 year respectively).
EU regulation
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Enforcement of the PDPA is carried out by the Data Protection Authority of Sri Lanka (“Authority”). As an initial step, the PDPA provides that data subjects aggrieved by the decisions of controllers have the right to appeal to the Authority. The Authority is empowered to conduct investigations, and to allow or disallow such appeals at its discretion. In the event an appeal is allowed, the controller in question is required to give effect to the decision of the Authority, and to inform both the relevant data subject and the Authority of the action taken in line with such decision.
The Authority is also empowered to conduct inquiries on a complaint made, or otherwise if the Authority believes that a controller or a processor inter alia has contravened, is acting in contravention of or is likely to contravene the PDPA or any other legislation in Sri Lanka relating to processing of personal data.
The Authority has wide powers in conducting inquiries, which includes requiring persons to appear before it, examine persons under oath or affirmation and require the furnishing of information relating to the processing functions of a controller or processor.
Corrective Powers
Upon an inquiry where the controller or processor will be given an opportunity to be heard, the Authority is empowered to issue a binding directive which may include any one or more of the following:
- cease and refrain from the activity in question;
- take certain measures to rectify the situation;
- pay compensation to the person aggrieved.
Administrative Penalties
In the event a controller or processor fails to comply with directives issued by the Authority, the Authority may impose a penalty that will not exceed LKR ten million (10,000,000) for each non-compliance.
In imposing a penalty, the Authority will consider a number of factors, including the following:
- the nature, gravity and duration of the contravention;
- action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the effectiveness of the controller’s data protection management programme;
- the degree of co-operation by the controller with the Authority, in remedying the contravention and mitigating any adverse effects;
- the categories of personal data affected by the contravention;
- whether the controller or processor notified the Authority of the contravention;
- previous contraventions by controller or processor;
- financial benefits gained or losses avoided by the contravention.
Where a controller or processor has been subject to a penalty on a previous occasion and subsequently does not conform to a directive by the Authority, in addition to the penalty, such controller or processor will be liable to pay an additional penalty of twice the amount imposed as the penalty.
If the payment of a penalty is in default, the Authority may make an ex-parte application to the Magistrate's Court of Colombo for an order requiring the payment, which can be recovered as a fine imposed by such court, even if such fine exceeds the amount such court in its ordinary jurisdiction would impose.
The PDPA, however, makes provision for a controller or processor aggrieved by the imposition of a penalty to appeal to the Court of Appeal; such appeal should be referred within 21 working days from the date the notice of the imposition of such penalty was communicated to such controller or processor.
EU regulation
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Sweden regulation
Fines
Under the Data Protection Act, infringements of Article 10 of the GDPR may result in administrative fines. As regards the amount of such fines, the higher of the two levels of legal maximum fines prescribed in the GDPR applies (Article 83(5) of the GDPR). As such, fines may be up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher.
In relation to public authorities, violations of the GDPR may result in administrative fines under the Data Protection Act. Fines imposed on public authorities follow the GDPR's system of two levels of fines depending on the Article violated, and may amount to a maximum of SEK 5 000 000 (in relation to the lower level of fines, set out in Article 83(4) of the GDPR) and SEK 10 000 000 (in relation to violations set out in Articles 83(5) and 83(6) of the GDPR).
Moreover, the Data Protection Act regulates procedural matters relating to decisions on administrative fines and how to appeal such decisions made by authorities (for example, the right to appeal to the Swedish Administrative Court).
Right to damages
The right for data subjects to claim damages from a controller or processor under Article 82 of the GDPR also applies to violations of provisions in the Data Protection Act and other Swedish regulations that supplement the GDPR.
Investigations by the FDPIC
The FDPIC may initiate an investigation against a federal body or a private person if there are sufficient indications that a data processing activity could violate data protection regulations. If the data protection regulations have been violated, the FDPIC may issue administrative measures, for instance, the FDPIC may order the modification/suspension/termination of the processing and deletion of personal data or delay or even prohibit the disclosure abroad.
Criminal Sanctions
The FADP provides for criminal liability and fines of up to CHF 250,000, which are primarily directed against the responsible natural person (and not the respective company as under the GDPR). In particular, the following duties are subject to criminal fines in the event of certain wilful violations:
- duty to provide information when collecting personal data and in the case of an automated individual decision;
- duty to provide information upon a data subject access request;
- duty to cooperate with the FDPIC in the context of an investigation;
- duty to meet certain requirements in connection with cross-border data transfers;
- duty to meet certain requirements in connection with the assignment of processors;
- duty to meet certain minimum requirements for data security;
- professional duty of confidentiality;
- duty to comply with a ruling issued by the FDPIC or a decision of the appeal courts.
Criminal proceedings must be initiated by the competent cantonal prosecution authority.
Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of his/her privacy.
In addition to civil damages, violations of the PDPA, depending on the specific violation, are also subject to administrative sanctions and criminal sanctions and, in some cases, imprisonment.
Civil damages
If a data collector intentionally or negligently violates any provision of the PDPA and such violation causes illegal collection, processing or use of personal data or other infringement to a data subject, the data collector is liable to compensate the data subject for the damages suffered. Compensation may be both monetary and in the form of corrective measures (e.g. to rectify damage to the data subject’s reputation).
Where the victims may not have access to or cannot provide evidence for the amount of actual damage, the minimum amount is NT$ 500 (approx. US$ 18 as at December 10, 2021) and the maximum is NT$ 20,000 (approx. US$ 690 as at December 10, 2021) per violation / per injured party depending on the severity of the infringement. In the case of class actions, the aggregate total compensation to the class as a whole is limited to NT$ 200,000,000 (approx. US$ 6,900,000 as at December 10, 2021). However, one should not necessarily rely on these limits because the maxima do not apply if it can be proven that a higher amount is appropriate. Furthermore, the limits may be circumvented by resorting to general causes of action in tort over and above the specific statutory cause of action created by the PDPA.
Administrative sanctions
A regulatory body may impose administrative fines on a data collector in violation of the PDPA ranging from NT$ 20,000 (approx. US$ 690 as at December 10, 2021) to NT$ 500,000 (approx. US$ 17,300 as at December 10, 2021) per violation. These administrative fines may be imposed repeatedly until the violation is cured. The May 31, 2023 amendment of the PDPA increases the administrative sanctions on a data collector for its violation of data security obligations to up to NT$15,000,000 (approx. US$ 483,900 as at December 18, 2023), and such increase came into effect on June 2, 2023.
Also, the representative, managers or other persons having authority of the data collector which violates the PDPA are subject to the same administrative fines as the data collector itself, unless it is proven that the relevant representative, manager or other person having authority had properly performed his / her duties. There is no definition of representative, manager or other person having authority but generally such terms are understood to refer to the chairman and the general manager of the company.
Criminal sanctions
A person who, with the intention to gain “benefit” for themself or a third party or to “harm” the interests of others, violates certain requirements as set out in the PDPA or conducts a prohibited cross-border transfer of personal data may be punished by up to five years’ imprisonment and / or fines of up to NT$ 1,000,000 (approx. US$ 35,000 as at December 10, 2021). In addition, the acquisition, dissemination, alteration, compromise of the accuracy of, or deletion of personal data with the intent to gain “benefit” for themself or a third party or to “harm” the interests of others, in circumstances which are sufficient to cause damage to others, may also be punished by imprisonment for up to five years and / or fines of up to NT$ 1,000,000 (approx. US$ 35,000 as at December 10, 2021).
Enforcement of the Data Protection Law ('DPL') is primarily carried out by the Main Department for the Protection of State Secrets under the Government of Tajikistan.
In addition, Tajikistan courts, the Prosecutor’s Office, the Ministry of Internal Affairs and other law enforcement bodies have the authority to ensure compliance and enforce the provisions of DPL within their competence.
Violations of DPL may result in civil, administrative and criminal sanctions, including:
- Administrative fines of up to approximately USD 1,700;
- Imprisonment of up to 10 years, and
- The right to claim compensation of damages, including emotional distress under civil proceedings
The Commission established under the PDPA is mandated to ensure the implementation and enforcement of the provisions of the PDPA. The Commission has investigative and corrective powers including to:
- receive, investigate and handle complaints related to alleged contraventions of personal data and privacy of persons; and
- investigate and take necessary steps against anything it considers affects the protection of personal data and infringes privacy of individuals.1
The Commission is empowered to issue an enforcement notice to any person if satisfied that such person has failed to comply with the provisions of the PDPA. Through this notice, the Commission will specify the provisions of the Act which have been contravened, the steps which must be taken to remedy or eliminate the infringement, the period within which such measures must be implemented (which cannot be less than 21 days), and any right to appeal.2
Where the person fails to comply with the enforcement notice and the Commission is satisfied to that effect, the Commission can issue a penalty notice requiring the person to pay a fine to be specified in the notice. In determining whether to give a penalty notice and the fine payable, the Commission is required to consider the following:
- the nature, gravity and duration of the infringement;
- the intentional or negligent character of the infringement;
- any measures taken by the data controller or processor to mitigate the damage or distress suffered by data subjects, including technical and administrative / organizational measures;
- any previous infringements by the data controller or data processor;
- the degree of co-operation with the Commission, in order to remedy the infringement and mitigate its possible adverse effects;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the Commission, including whether the data controller or processor notified the Commissioner of the infringement;
- the extent to which the data controller or processor had complied with previous enforcement or penalty notices;
- adherence to approved codes of ethics or terms and conditions of registration;
- whether a penalty would be effective; and
- any other aggravating or mitigating factors applicable to the case, including financial benefits gained, or losses suffered, as a result of the infringement (whether directly or indirectly).
The maximum penalty which the Commission may issue in the enforcement notice is Tanzania Shillings One Hundred Million (TZS 100,000,000, approx. US$ 430,000).3
The Commission may also direct the controller or processor to pay the affected data subject compensation for infringement of the PDPA and there is no ceiling on the amount of compensation which the Commission can award.4
Disclosure of personal data without lawful excuse (including obtaining such data or offering such data for sale) is also a criminal offense which on conviction carries a fine and / or imprisonment. For individuals, the minimum fine for a violation is Tanzania Shillings One Hundred Thousand (TZS 100,000, approx. US$43) and the maximum is Tanzania Shillings Twenty Million (TZS 20,000,000, approx. US$ 8,600).
The maximum term an individual may be sentenced for violating a provision under the PDPA is ten (10) years. If found in violation of the PDPA, an individual may be required to both pay a fine and serve a sentence.5
For a company or corporation, the minimum fine for a violation is Tanzania Shillings One Million (TZS 1,000,000, approx. US$ 430) and the maximum is Tanzania Shillings Five Billion (TZS 5,000,000,000, approx. US$ 2,150,000).6
Footnotes
1: Section 7(c) and (d) of the DPA
2: Section 45(1) and (2) of the DPA
3: Section 46 and 47 of the DPA
4: Section 50 of the DPA
5: Section 60(6)(a) and Section 61 of the DPA
6: Section 60(6)(b) of the DPA
Since the PDPA has fully come into force, there have been approximately 1,048 complaints (including approximately 706 complaints in 2024) and 610 reports of data breach incidents submitted to the Regulator. While administrative orders have been issued, the details of the cases and orders are not publicly available.
Recently, the Regulator has set up an internal working group / division called "PDPC Eagle Eye", which works together with other competent authorities on the prevention and investigation of data breach incidents. However, information on past cases, the investigations, and the Regulator's imposition of penalties remains confidential and is not publicly available.
Penalties under the PDPA
There are three types of penalties under the PDPA — civil, criminal and administrative penalties. The amount of penalty will depend on the offence committed. The maximum administrative fine is THB 5,000,000. Punitive damages may also be awarded by the court but this is limited to twice the amount of actual compensation. In the event that the offender is a juristic person, the director, manager or the responsible person may also be criminally liable under the PDPA if the relevant offence(s) resulted from such person's order, action or omission. It is unclear at this early stage what direction the Regulator will take in terms of actual enforcement.
Data Processors who do not comply with their obligations are liable to an administrative fine under the PDPA. There may also be liability under tort law.
Additionally, the Regulator has issued a subordinate regulation under the PDPA, the Notification of the Regulator on the Criteria for Considering the Issuance of Administrative Fine Order by the Expert Committee B.E. 2565 (2022), as amended, under which the severity of the violation or failure to comply with the PDPA shall be determined based on the details of the offense (intentional or gross negligence), the size of the Data Controller or Data Processor's business, the value of damage and severity caused by such wrongdoing, etc. Based on such severity, the expert committee may give notice and order amendment, or impose an administrative fine on the Data Controller or Data Processor.
Exemption from enforcement of certain provisions of the PDPA
The Royal Decree issued on 17 August 2023 exempts certain obligations of Data Controllers under the PDPA in respect of the processing of Personal Data by the listed authorities, such as the National Anti-Corruption Commission, Department of Revenue, Customs Department, Excise Department. However, the exempted Data Controllers must still provide security measures as prescribed by the Regulator to ensure that the exemption does not unreasonably affect the personal data protection principle.
None.
The Office of the Information Commissioner is responsible for monitoring the administration of this Act to ensure that its purposes are achieved.
The Information Commissioner has several broad powers to conduct audits and investigations of compliance with the DPA.
Part V of the DPA (which is not in force) details the penalties for contraventions of the DPA and also makes further provisions for the enforcement of the DPA.
The National Authority for Protection of Personal Data is legally mandated to ensure compliance with the provisions of the Law, but there is no information about cases where sanctions were applied to personal data infringements.
A draft bill on personal data, which would overhaul the existing Law and, when adopted, would bring it into line with European data protection standards, has been considered by the Parliamentary Committee on Rights and Freedoms in the former Tunisian Parliament; however, the bill has not yet been passed.
Under the LPPD, for the year 2023, the Board may apply administrative fines of up to TRY 13.620.402 per breach, subject to the following limits. The amounts of the administrative fines will be updated for 2024 based on the re-evaluation percentage to be published in the Official Gazette.
- Non-compliance with the information notice requirements: a fine between TRY 68.083 – TRY 1.362.021 (approx. € 1,850 – € 37,090);
- Non-compliance with the data security obligations: a fine between TRY 204.285 – TRY 13.620.402 (approx. € 5,560 - € 370,900);
- Non-compliance with Data Protection Authority orders / decisions: a fine between TRY 340.476 – TRY 13.620.402 (approx. € 9,271 - € 370,900);
- Non-compliance with the Data Controllers’ Registry requirements: a fine between TRY 272.380 – TRY 13.620.402 (approx. € 7,420 - € 370,900); and
- Non-compliance with the notification obligation regarding the standard contractual clauses: a fine between TRY 71.965 – TRY 1.439.300 (approx. € 1,960 – € 39,190).
Further, under the Turkish Criminal Code, the following acts are subject to imprisonment:
- Persons who illegally collect personal data may be subject to imprisonment for a term of between one and three years. If the personal data is sensitive personal data, the offender may be subject to imprisonment for a term of between one and a half and four and a half years;
- Persons who illegally transfer personal data or make personal data available to the public may be subject to imprisonment for a term of between two and four years;
- If any of the above criminal acts are committed by using the advantage or ease of a specific profession, or by a public officer using the authority given to him / her, the sanctions will be increased by 50%;
- Those responsible for the deletion of data following the expiry of the retention period, and who fail to do so, can be subject to imprisonment for a term of between one and two years.
General enforcement of the Data Protection Law is performed by the General Prosecutor’s Office. However, any aggrieved party may file a suit directly with a court.
Investigation and enforcement
The Commissioner has broad investigative powers under the DPR. Those include the power to:
- order, by notice in writing, Controllers and Processors to provide any information it reasonably requires for the performance of its duties and functions;
- initiate investigations into a Controller’s or Processor’s compliance with the DPR;
- access any equipment used to Process Personal Data (such as computers) and take possession of any relevant documentation or information (the Commissioner must give written notice of the decision to investigate unless it believes that this would likely result in the investigation being frustrated);
- carry out investigations in the form of data protection audits;
- carry out a review on certifications issued pursuant to Section 39 DPR;
- notify Controllers and Processors of any alleged contravention; and
- obtain, by notice in writing, from Controllers and Processors, access to all Personal Data and to all information reasonably necessary for the performance of its duties and functions.
From an enforcement standpoint, the Commissioner has the power to:
- issue and publish directions and warnings and make recommendations to Controllers and Processors that intended Processing operations are likely to contravene the provisions of the DPR;
- issue and publish directions and reprimands to Controllers and Processors where Processing operations have already contravened provisions of the DPR;
- order Controllers and Processors to comply with an individual's requests to exercise his or her rights pursuant to the DPR;
- order Controllers and Processors to bring Processing operations into compliance with the provisions of the DPR, where appropriate, in a specified manner and within a specified period;
- order a Controller to communicate a Personal Data Breach to the individual, where it has not done so already;
- impose a temporary or permanent limitation (including a ban) on Processing;
- order the rectification or erasure of Personal Data or restriction of Processing pursuant to Sections 14, 15 and 16 DPR and the notification of such actions to Recipients to whom the Personal Data has been disclosed, pursuant to Sections 15(2) and 17 of the DPR;
- withdraw a certification if the requirements for the certification are not or are no longer met;
- impose an administrative fine pursuant to Section 55 of the DPR, in addition to, or instead of, any of the other measures set out under the DPR. When considering whether to issue a fine, the Commissioner will consider the circumstances on a case-by-case basis; for particularly serious breaches the Commissioner may well issue a fine together with an order for the infringing party to resolve its infringement going forward;
- order the suspension of data flows to a recipient inside or outside of ADGM or to an international organisation; and
- where appropriate, refer contraventions of the DPR to the attention of the court and, where appropriate, commence legal proceedings in order to enforce the provisions of the DPR.
The DPR also provides a mechanism for Data Subjects to lodge complaints with the Commissioner (Section 57 DPR), and to bring claims for compensation where they have suffered “material or non-material damage” as a result of a contravention of the DPR by a Controller or Processor (Section 59 DPR).
Notably, the Commissioner has started to publish enforcement decisions, which are available on the ADGM website.
The Commissioner has general powers to investigate and conduct inspections where it suspects that a Controller or Processor is not operating within the law.
Where it concludes that the Controller or Processor is not acting in compliance with the DPL, it has the power to:
- order it to do or refrain from doing any act or thing within such time as may be specified in the direction;
- order it to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction;
- issue an administrative fine in an amount he considers appropriate but not exceeding the amount specified in Schedule 2 in respect of each contravention. The fines range from USD 10,000 to USD 100,000 and there are around 35 in total; and / or
- issue a general fine in an amount he considers appropriate and proportionate, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subject.
There is also a process built into the DPL and the DPRs for disputing any action taken by the Commissioner, with an ultimate right to challenge any action in court (Article 63 DPL).
Under the DPL Data Subjects also have the right to bring a claim for compensation where they suffer “material or non-material damage” by reason of any contravention of the law.
The DPL also contains provisions allowing Data Subjects to make compensation claims in relation to contraventions of the data protection law. Under the DPL, court proceedings can be initiated by the Commissioner as well as by Data Subjects.
The Commissioner has recently begun to publish certain limited information on its investigations and enforcement activities, including published decisions on infringements, which are available on the DIFC website.
The CPQ is responsible for the compliance and enforcement of the HDPR and may delegate its powers and duties to any appropriate committee(s) constituted by it or to appropriate person(s) appointed by it (section 42 HDPR).
The powers, duties and functions of the CPQ include: (a) conducting an audit of Patient Health Information when requested by a Licensee for the purpose of ascertaining whether or not the information is maintained in accordance with the HDPR; (b) monitoring the use of Personal Identifiers, and reporting to the Executive Body from time to time on the results of that monitoring, including any recommendations relating to the need for, or desirability of, taking regulatory, administrative or other action to give protection, or better protection, to the Patient or the Licensee; and (c) monitoring compliance with the HDPR.
The CPQ may require a Licensee to produce specified information or documents when requested in writing, in relation to the Processing of Patient Health Information or a complaint about an Interference with Patient Health Information. If the Licensee does not comply with the request, the CPQ may impose a Penalty as set out in a list to be published by the DHCA from time to time (section 42).
It does not appear that the DHCA has produced any further information on the penalties that apply in relation to a breach of the HDPR. It is unclear how any breaches of the HDPR will be dealt with in the DHCC.
As noted above, the DHA’s interpretation and application of the HDPR may be relevant to the ultimate enforcement of the HDPR.
The PDPL does not specify penalties, but notes that the Cabinet shall, based on the proposal of the Office General Manager, issue a decision specifying the acts that constitute a violation of the provisions of this Decree Law and the Executive Regulations thereof and the administrative penalties to be imposed.
Despite this there remain possible methods of enforcement of other UAE privacy laws:
Where the unauthorised disclosure of personal data results in a breach of the Penal Code
The Public Prosecutor in the Emirate where:
- the party suspected of the breach (‘Offender’) resides; or
- the disclosure occurred,
will have jurisdiction over a Data Subject’s complaint.
If after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect.
The case would then be transferred to the Criminal Courts of First Instance. The Data Subject may attach a civil claim to the criminal proceedings before the Courts have ruled on the case.
Pursuant to Article 432 of the Criminal Law, a person who, by virtue of his profession, occupation, status or specialisation, has access to a secret and discloses it other than in the cases permitted by law, or uses it for his own benefit or the benefit of another person, without the authorisation of the person concerned, may be penalised by a fine of at least UAE Dirhams 20,000 (the fine is determined by the Courts) and / or imprisonment for at least one year.
Similarly, pursuant to Article 431 of the Criminal Law, a punishment of “a jail sentence and a fine” shall be inflicted on any person who interferes with the right to privacy and family life of an individual by:
- eavesdropping, or recording, or transmitting, through a device of any type, conversations done privately or by phone or any other device;
- taking or transmitting, through a device of any type, pictures of any person in private,
unless legally permitted or with the individual’s consent.
When ruling on the criminal case, the Criminal Courts would usually transfer a civil claim made by the Data Subject to the Civil Courts of First Instance for further consideration. The Data Subject would need to prove the losses he / she has suffered as a direct result of the disclosure of his / her personal data before the Civil Courts in order for damages to be awarded.
Where the unauthorised disclosure of personal data results in a breach of the Cyber Crime Law
The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the Cyber Crime Law.
As above, the cybercrime unit in the Emirate where:
- the Offender resides; or
- where the disclosure occurred,
will have jurisdiction over a Data Subject’s complaint.
The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts.
If found guilty of an offence under the Cyber Crime Law, the punishment an Offender can receive varies depending on the nature of the crime. Punishments range from temporary detention, a minimum prison sentence of six months or one year and / or a fine of between AED 150,000 and 5,000,000 (Articles 2, 3, 4, 6, 7, 8 and 45 of the Cyber Crime Law). Notably, Article 13 of the Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes provides that “Everyone employs information technology or an information technology method to collect, keep or process personal data and information of the nationals or the residents in the state in violation of the legislations in force in the state shall be sentenced to detention and / or to pay fine of not less than (50,000) fifty thousand Dirhams and not more than (500,000) five hundred thousand Dirhams.” As such, it is likely that this penalty may apply to breaches of the PDPL. If found guilty of an attempt to commit any of the relevant offences under the Cyber Crime Law, the punishment is half the penalty prescribed for the full crime (Article 57).
Where the unauthorised disclosure or transfer of personal data results in a breach of the Central Bank’s Consumer Protection Regulation, Retail Services Regulation or SVF Regulation
The Central Bank may issue administrative and / or financial penalties against Licensed Financial Institutions, SVF Licensees and Payment Service Providers at their discretion. In the case of the Consumer Protection Regulation they may include fines, replacing or restricting the powers of Senior Management or Members of the Board.
Where the unauthorised disclosure of personal data results in a breach of the UAE Telecommunications Law and Policies
Where a licensed telecommunications service provider has breached the law, the subscriber / Data Subject may raise a dispute with the TDRA directly (Article 1.1 of the Annex to the TDRA Consumer Protection Regulations 2.0).
At any time during, or at the conclusion of, the TDRA's handling of a complaint, the TDRA may direct the service provider 'to undertake any remedy deemed reasonable and appropriate' (Article 26.16.3 of the TDRA Consumer Protection Regulations v2.0).
Remedial orders
The Personal Data Protection Office is empowered to investigate complaints and make orders requiring a breach or violation of the Act to be remedied, or for compliance with a request of a data subject. The exercise of these powers may be triggered by a complaint or request lodged with the Office by a person aggrieved by actions under the Act or by a data subject seeking to enforce the rights availed under the Act.
Compensation
A person is entitled to apply to a court of law with competent jurisdiction for compensation for damage or distress caused by the actions of a data collector, data controller or data processor in violation of the Data Protection and Privacy Law. The Data Protection Office is not mandated to award compensatory relief.
Sanctions
- Fines — The Data Protection and Privacy Act provides for fines as a penalty for the commission of an offence under the Act. Save for the fine imposed on a corporation for non-compliance with the Act, the fines provided do not exceed 245 currency points (which is equivalent to UGX 4,900,000). The exception in the case of a violation by a corporation allows a court to order a corporation to pay a fine of up to 2 percent of the corporation’s annual gross turnover.
- Imprisonment — A court of law may order imprisonment of a person convicted of any of the offences under the Data Protection and Privacy Act. The imprisonment terms which are provided are limited to a period of 10 years or less. Both imprisonment and payment of a fine can be ordered by court in respect of the same offender upon conviction of an offence.
According to the Data Protection Law, the Ombudsman and the Ukrainian courts are responsible for overseeing compliance with personal data protection legislation. Failure to comply with the provisions of the Data Protection Law can lead to the penalties prescribed by the law.
Violation of personal data protection legislation may result in civil, criminal and administrative liability.
If the violation has led to material or moral damages, the violator may be required by the court to reimburse such damages.
The Code of Ukraine on Administrative Offenses envisages administrative liability for the following breaches of Ukrainian data protection legislation:
- Failure to notify or delay in providing notification to the Ombudsman regarding the processing of personal data or of a change to the information submitted, subject to notification requirements under Ukrainian legislation, or submission of incomplete or false information, which may lead to a fine of up to EUR 153;
- Non-fulfilment of legitimate requests (orders) from the Ombudsman or determined state officials of the Ombudsman's secretariat, regarding the elimination or prevention of violations of personal data protection legislation, which may lead to a fine of up to EUR 383;
- Non-observance of the established procedure for the protection of personal data which leads to the unauthorized access of the personal data or violation of rights of the data subject, which may lead to a fine of up to EUR 383.
The criminal liability, prescribed by the Criminal Code of Ukraine, envisages fines of up to EUR 383 or correctional works for a term of up to two years, or up to three years of probation supervision or limitation of freedom for the illegal collection, storing, use, elimination, or spreading of confidential information about an individual, or an illegal change of such information.
Fines
The UK GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or GBP 17.5 million (whichever is higher).
It is the intention that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the UK GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to GBP 17.5 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by domestic law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to GBP 8.7 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
The ICO is not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions. To date, the ICO has issued several fines under GDPR, ranging from GBP 275,000 to GBP 20 million.
Investigative and corrective powers
The ICO also enjoys wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The UK GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the UK GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with the ICO (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of the ICO concerning them, or against its failure to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
The DPA sets out the specific enforcement powers provided to the ICO pursuant to Article 58 of the UK GDPR, including:
- information notices – requiring the controller or processor to provide the ICO with information;
- assessment notices – permitting the ICO to carry out an assessment of compliance;
- enforcement notices – requiring the controller or processor to take, or refrain from taking, certain steps; and
- penalty notices – administrative fines.
The ICO has the power to conduct a consensual audit of a controller or a processor, to assess whether that organisation is complying with good practice in respect of its processing of personal data.
Under Schedule 15 of the DPA, the ICO also has powers of entry and inspection. These will be exercised pursuant to judicial warrant and will allow the ICO to enter premises and seize materials.
The DPA creates two new criminal offences in UK law: the re-identification of de-identified personal data without the consent of the controller, and the alteration of personal data to prevent disclosure following a subject access request under Article 15 of the GDPR. The DPA retains existing UK criminal law offences, e.g. the offence of unlawfully obtaining personal data.
The DPA requires the ICO to issue guidance on its approach to enforcement, including guidance about the circumstances in which it would consider it appropriate to issue a penalty notice, i.e. an administrative fine.
The DPA also requires the ICO to publish statutory codes of practice on direct marketing and data sharing (preserving the position under the previous law).
Various entities enforce US national and state privacy laws. Violations of privacy laws and rules are generally enforced by the FTC, state Attorneys General, or the regulator for the industry sector in question. Civil penalties can be significant, particularly for uncooperative or repeat offenders.
In addition, individuals may bring private rights of action (and class actions) for certain privacy or security violations.
Some privacy laws (for example, credit reporting, marketing and electronic communications, video viewing history, call recording and cable communications privacy laws) may be enforced through private rights of action, which give rise to class action lawsuits for significant statutory damages and attorney’s fees, and individuals may bring actions for actual damages from data breaches.
The CCPA provides individuals with a private right of action and statutory damages, in the event of certain breaches of unencrypted personal information, where a business has failed to implement reasonable data security procedures (this applies to most categories of personal information under California’s breach notification law) – this raises significant class action risks. Currently, no other comprehensive state privacy laws contain a private right of action.
In June 2018, Ohio became the first US state to pass cybersecurity safe harbor legislation. Under SB 220, a company that has suffered a data breach of personal information has an affirmative defense if it has ‘created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards to protect personal information that reasonably conforms to an industry recognized cybersecurity framework’ (e.g., PCI-DSS standards, NIST Framework, NIST special publications 800-171, 800-53, and 800-53a, FedRAMP security assessment framework, HIPAA, GLBA).
The URCDP is responsible for the enforcement of the Data Protection Act. In the context of its powers, the URCDP is entitled to:
- request that the data processor produce books, documents and files, whether electronic or not;
- summon the data processor before the URCDP to provide information;
- intervene in the documents and files inspected;
- adopt security or protection measures to preserve the documentation, including copying the files;
- seize or impound the documents and files for six days;
- carry out inspections at the data processor's offices;
- summon third parties to appear before the URCDP.
The URCDP has the authority to impose penalties on the data processor in the following order: warning, admonition, fines of up to USD 60,000, suspension of the database for five days, and closure of the database.
Currently, under the Code of Administrative Liability, the illegal collection, systematization, storage, modification, addition, use, provision, dissemination, transfer, depersonalization and destruction of personal data, as well as non-compliance with the localization requirement, lead to an administrative fine of 7 base calculation values ("BCV") (approx. USD 203) for citizens and 50 BCV (approx. USD 1,453) for officials.
Repeated violation of data protection rules can lead to criminal liability. Under the Criminal Code, the illegal processing of personal data is punishable by a fine of 100 BCV to 150 BCV (approx. USD 2,907 to USD 4,360), deprivation of a certain right for up to 3 years, or correctional labour for up to 2 years.
Furthermore, under Resolution No. 707, non-compliance with the localization requirement leads to the inclusion of the owner/operator of personal data in the Register of Infringers of the Rights of Personal Data Subjects and the blocking of access to that owner's/operator's information resources (websites) in Uzbekistan.
Apart from the above, the Personalization Agency can issue binding orders to legal entities and individuals requiring the elimination of violations of data protection requirements.
When it comes to labor matters and records of employees, the Organic Law on Prevention, Conditions and Working Environment ("LOPCYMAT" for its Spanish acronym) sets out in Article 53 the following rules on data and privacy protection:
- Section 10: the right of employees to access the information contained in health screenings, as well as the confidentiality of the results with respect to third parties.
- Section 11: the confidentiality of employees' personal health data.
- Section 16: the privacy of employees' correspondence and communications, as well as free access to all data and information relating to the employee.
The related provisions and sanctions for non-compliance under the LOPCYMAT are:
- Article 27: disclosure of health results to certain third parties is permitted with the employee's consent.
- Article 119: failure to comply with the obligation of section 10 may result in a fine ranging from 26 to 75 tax units ("T.U.") for each worker exposed.
- Article 120: failure to comply with the obligation of section 11 may result in a fine ranging from 76 to 100 T.U. for each worker exposed.
Sanctions for data protection breaches are scattered across various laws and regulations, and depend on the specific data protection law or regulation breached. In general, the main type of sanction is an administrative penalty. For example, failure to obtain the prior consent of data subjects to the collection, processing and use of their information is subject to a monetary fine of VND 10 million to VND 20 million (approx. USD 400 to USD 800). In serious cases, under the Criminal Code, any person who illegally uses information on a computer or telecommunications network may be liable to a monetary fine of VND 30 million to VND 1 billion (approx. USD 1,200 to USD 40,000), or face a penalty of up to 3 years' community sentence or 6 months to 7 years' imprisonment; the offender may also be liable to a monetary fine of VND 20 million to VND 200 million (approx. USD 800 to USD 8,000) or be prohibited from holding certain positions or doing certain jobs for 1 to 5 years.
As of early 2024, the MPS is preparing to promulgate the Draft Decree on Sanctioning. Once this decree takes effect, the MPS will have a basis to start imposing sanctions on non-compliance with the requirements under the PDPD.
The Draft Decree on Sanctioning was first released for public comments in September 2021, and its latest updated version was released for public consultation on 2 May 2024. However, the specific timeline for the promulgation of the Draft Decree on Sanctioning is still unknown.
Violators of the PDPD’s regulations, depending on the severity of their violations, may be warned, disciplined, or face administrative penalties or criminal prosecution. Generally, for PDPD-associated violations, the Draft Decree on Sanctioning has proposed a monetary fine of up to VND 1 billion (approx. USD 40,000). Additional penalties, applicable to certain violations, include: (i) deprivation of the right to use licenses for business lines requiring personal data collection; (ii) confiscation of exhibits and means of administrative violations. Remedial measures include: (i) 1-3 months of forcible suspension of processing personal data; (ii) forcible destruction or unrecoverable deletion of personal data; (iii) forcible return of illegal profits obtained from the violations; (iv) public apology; (v) forcible implementation of personal data processing notification measures; (vi) forcible personal data provision; (vii) forcible implementation of personal data correction measures upon receiving a lawful request; and (viii) forcible implementation of personal data protection measures, etc.
Notably, under the Draft Decree on Sanctioning, a penalty of up to 5% of the violating enterprise’s turnover of the immediately preceding fiscal year in the Vietnamese market applies to:
- disclosing, losing or transferring cross-border the personal data of 5 million or more data subjects who are Vietnamese citizens; and
- a second violation of the regulations on:
  - personal data protection in marketing and advertising activities; and
  - illegal collection, transfer, purchase and sale of personal data.
In addition, the MPS has set up a National Portal of Personal Data Protection to receive reports of violations of the PDPD. With this portal, companies are expected to be more exposed to inspection in this area, as the portal aims to enable data subjects such as employees or clients to easily report companies' non-compliance with the PDPD and breaches of their personal data.
The DPA sets out various penalties for the offences prescribed thereunder. For example, in respect of offences relating to the breach of the principles and rules on the processing of personal data, the penalty upon conviction is a fine not exceeding one hundred million penalty units[1] or, where the offence is committed by a corporate body, two percent of annual turnover of the preceding financial year, whichever is higher.
Given that the DPA is a new piece of legislation, at the date of this update, we are not aware of any enforcement action taken by the Regulator.
The Data Protection Authority is responsible for enforcing the Act and Regulations. The Authority has the following functions:
- Regulating personal information processing by establishing conditions for lawful processing;
- Promoting and enforcing fair data processing;
- Issuing opinions on privacy protection matters;
- Submitting administrative acts that violate privacy protection principles to the courts;
- Advising the Minister on privacy and access to information;
- Conducting inquiries or investigations;
- Receiving and investigating complaints;
- Conducting research and advising the Minister on international best practices;
- Facilitating cross-border cooperation in privacy law enforcement.