The sanctioning regime provided by Regulation (EU) 2016/679 on the protection of personal data

Abstract: In the public space and in the debates among professionals, the new general data protection regulation, which is to be applied from May 25th 2018, is debated more and more conjunctively with the news brought by this European Union legislative act, but especially regarding the new sanctioning regime. We analyse the questions that arise concerning the violations to be sanctioned, the classification of sanctions and their amount, the deliberate nature of the violation and the effective procedural safeguards, in accordance with the general principles of European Union law and the CFSP. During the analysis we identify answers to these questions and, last but not least, underline the competence of the Member States as well as the role of the national supervisory authorities regarding to the sanctioning regime provided for by the Regulation.

 Keywords: Regulation (EU) 2016/679 (GDPR); the protection of personal data; corrective powers; administrative fines; sanctioning regime; the competence of the Member States; national supervisory authorities. 

  1. Short Introduction

Both in the public space and in the discussions amongst professionals, the subject of the enforcement, starting with 25 May 2018, of the new General Data Protection Regulation[1], hereafter the Regulation, or GDPR, is more and more pregnant.

It is already widely known that the Regulation does not constitute a novelty in the field of protection of natural persons with regards to processing of personal data, nor in the field of free flow of personal data, and that, before 2016, these fields were regulated at the scale of the European Union through a Directive[2], transposed by the member states in their national legislations. We consider that the main interest of this new legislative act is given not necessarily by the fact that the regulation is susceptible to induce significant transformations in the field of personal data protection, but especially through the main novelties aiming at the sentencing regime, qualified, from the point of view of the amount of the administrative penalties, as being very severe.

We hereby analyse the subsequent questions which arose, concerning the infringements which will be sanctioned, the qualification of the sanctions and their amount, to the conditions aiming at the individualization of the administrative fines, as well as to the efficient procedural safeguards, in accordance with the general principles of the European Union’s law and with the Charter of Fundamental Rights of the European Union. Within this analysis we will identify several responses to these questions, and, last but not least, we will underline the competence of the Member States, as well as the tasks and competences of the competent independent supervisory authority with regards to the sentencing regime provided for in the Regulation.

Also, the conclusions of the analysis will make reference both to the necessity of the knowledge and respect of the new provisions in the field of personal data protection, particularly in order to avoid new sanctions as those established in the regulations, as well as to the necessity of the professionalization of such an important field.

  1. General considerations regarding GDPR

Since the enforcement of the Lisbon Treaty[3], the right to personal data protection became a fundamental right within the European Union’s legal order, inclusively by conferring to the Charter of Fundamental Rights of the European Union an equal juridical value with that of the treaties, the Charter regulating both the Right to respect for private and family life[4], as well as the right to protection of personal data[5].

We showed in the introduction that the regulation itself does not constitute a novelty in this field and that this establishes both provisions concerning protection of natural persons with regards to personal data protection, and provisions concerning the free flow of personal data. We should also mention that, from its very first article, the Regulation institutes the rule according to which it „ protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”, but also the rule according to which “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data”. The new Regulation has at its core these two main fields which intertwine and between which it must exist proportionality and a reasonable balance, in such a manner that the purpose of the Regulation to be achievable. Besides, the regulation provides expressly in its preamble the fact that the main goal it is to adapt and to update the principle and objectives previously set by the directive, so as to put them in accordance with the technological advancements.

Taking into consideration the fact that the recent doctrine[6] analysed the path taken at the scale of the European Union’s institutions, from the Directive to the Regulation, in order to regulate the protection of personal data[7], we will not further detail these aspects. We will emphasize nevertheless both general and specific considerations which differentiate the Directive from the Regulation.

Hence, according to the provisions of art. 288 and 289 of TFEU, both the directive and the Regulation are legislative acts adopted by the European Parliament and by the Council of the European Union. Given that the directive is mandatory for each recipient member state with regards to the expected result, leaving to the national authorities of the member states the competence with regards to the form and the means through which its provisions are transposed in the national legislation of a member state, multiple interpretation and application of the national norms have risen, in such a manner that at the level of the Member States of the European Union it was created an irregular application regime, and the Court of Justice of the European Union (CJEU) was demanded to verify this type of aspects.

After a thorough evaluation of the directive and of the jurisprudence of the CJEU in the matter, after several years of debate, at the level of the institutions of the European Union was taken the decision to adopt a regulation in the field of personal data protection, in order to ensure a uniform level of protection for natural persons, but also in order to prevent discrepancies which were impeding the free flow of data within the internal market, and in order to realize an efficient cooperation of the supervisory bodies, as well as for the establishment of equivalent sanctions across all the member states. The regulation, adopted in 2016, provides a two-year enforcement term, in order to give to the member states, their authorities, as well as the controllers the necessary amount of time and the possibility to have a proper preparation, from all the points of view, for its enforcement. The term for enforcement was established for the 25 May 2018.

As opposed to the directive, the Regulation has general applicability, it is mandatory in all its elements and it has direct applicability in all the member states, hence it does not require national transposition laws.

The main novelties adduced by GDPR make reference to: uniformization of the rules; fields of application; consolidation of the right to data protection; extension of the safeguards for some of the existent rights; instituting some new rights;  safeguards for protection of children and for private life online; new regulations in order to give responsibility in an appropriate manner to the controllers and the processors; the Data Protection Officer[8]; the role of the independent supervisory bodies and the sentencing regime.

Although the regulation does not presuppose the adoption of national transposition laws, we underline the fact that, in the case of GDPR, for some member states, the adoption of some national laws for the particularization of some norms which will be further detailed within this analysis, on the ground of some articles from its text, especially with regards to the competence of the member states and the sentencing regime, will be necessary.

We appreciate that, for a rightful understanding of the regulatory intention, but also of the Regulation per se, it is important to correlate the articles from the regulation with the texts of the considerations included in the preamble. In order to define just one of their dimensions, we point out that the regulation contains 99 articles, which are based on 173 considerations.

 III. Tasks and competences of the supervisory authority, as well as the competence of the member states with regards to the sentencing regime

The Regulation dedicates a special chapter (chapter VI) to the independent supervisory authorities, and the texts describing the relationship between the supervisory authority[9] and the sentencing regime are included in art. art. 51, 57 and 58.

In the doctrine it has been opinionated[10] that in this field was attempted the implementation of a similar system with the one in the competition field, both with regards to the national responsible authorities, but especially with the trespassing of the general interest protected at the level of the European Union.

We should also mention the fact that in order to understand the text of art. 51, instituting the rules for the supervisory authority, the text of considerations (117), (118), (119) and (123) from the preamble are of equal importance. Hence, in every member state, it is mandatory to exist one or several independent supervisory authorities, which have as main task the enforcement of the regulation, in order to protect fundamental rights and liberties of natural persons with regards to use of personal data and with regards to the facilitation of the free flow of personal data within the Union. In order to achieve this goal, rules have been instituted according to which these authorities cooperate both in between them, and with the Commission, being expressly underlined the need for full independence to the supervisory authorities of the member states in order to complete all their tasks and to exercise all their powers. Also, the preamble mentions the requirement of direct mutual cooperation in between the authorities, as well as with the Commission, without need of any further agreement between the member states with regards to the respective cooperation or with regards to granting of mutual assistance. We hence appreciate that it is important to make this clarification in order to underline the celerity and flexibility of the procedures, especially in correlation with the situations in which it is necessary to act urgently in order to ensure the protection of rights and liberties of natural persons.

Also, with regards to the competency of the member states, the text of the regulation provides expressly that „Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.”[11]. Also, it is provided the obligation of each member state to notify to the Commission, by the enforcement of GDPR, the internal provisions adopted following the enforcement, and, without delay, any subsequent amendment affecting them.

We thus observe that, in this matter, the member states have three categories of particular competencies: competency in designating the national supervisory authority, competency in regulating the cooperation mechanism between supervisory authorities when there are two or more such authorities, as well as the competency of notification of the Commission.

With regards to the text of art. 57, there are mentioned the task which every supervisory authority has on its territory. These need to be analysed in correlation with the consideration (132) of the preamble, regarding the specific measures to be undertaken by the authorities in order to raise awareness to the public, in particular in the educational context.

Given that both the role of the authorities and their tasks are complex, we chose to emphasize just few of the tasks provided for in the invoked legal act, in order to understand the role of the supervisory authority through the sentencing regime, aiming at: monitoring and enforcement of the regulation;  promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing, especially in relation with activities addressed specifically to children; advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing[12]; promote the awareness of controllers and processors of their obligations under GDPR; handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary; conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority; give advice on the processing operations, when the controller requires it, during the prior consultation, before the processing; respectively, keeping of internal records of infringements of the Regulation and of measures take, especially with regards to the issued warnings and reprimands. Other specific tasks concern the facilitation of the submission of complaints, inclusively by use of electronic forms, as well as the gratuity, for the data subject and the data protection officer, of the performance of tasks by the supervisory authority. Even so, GDPR institutes in the text of art.57 (4) exceptions according to which the authority may refuse to act on the request or may charge a reasonable fee, based on the administrative costs.

We therefore observe the myriad of tasks and we emphasize the necessity that, in order to fulfil them, the supervisory authorities should be allocated by the Member States the necessary resources, both human, financial, logistical and time. We consider that, during the two-year term, instituted for the enforcement of the regulation, the aforementioned resources should have been already allocated, especially the necessity for a professionalization and specialization not only of the personnel of the controller or of the processors, but especially of the supervisory authorities.

The third article of GDPR of a particular importance for our analysis is the article 58, providing the types of powers of the supervisory authorities and whose text needs to be analysed in correlation with the consideration (129) of the preamble. We therefore observe that the supervisory authority has three types of powers: investigative powers, corrective powers and authorisation and advisory powers.

A very important power in the definition of the sentencing regime needs to be emphasized, newly granted to the supervisory authorities, the one of bringing the infringements of the Regulation to the attention of the judicial authorities or, if appropriate, to commence or engage in legal proceedings, in order to enforce the provisions of the Regulation. The consideration (129) of the preamble explains this new power to be exercised and delimitates it from the powers of the prosecutorial authorities, under Member State law, in the sense that it does not affect these powers.

Closely linked to this new power of the supervisory authority, we mention the texts of paragraphs (5) and (6) of art. 58, concerning the competence of the Members States to particularize the text of the Regulation and to provide, by legislative means, this competence, for its own supervisory authority, as well as other supplementary powers except the investigative powers, corrective powers and authorisation and advisory powers.[13]

The exercise of all the categories of powers is accompanied by appropriate safeguards, including effective judicial remedy and due process, in accordance with the Union law. We will analyse, in the following sections, the qualification of the sanctions, the corrective powers, which presuppose, in our opinion, a gradual approach and which make the object of the topic of this study, the general conditions for imposing administrative fees, as well as efficient procedural safeguards.

  1. Classification of the sanctions and competence of the Member States with regards to the establishment of the sentencing regime

The Regulation does not expressly mention a classification of the sanctions, but this classification results for the analysis of the text of art. 83 – General conditions for imposing administrative fines and art. 84 – Sanctions, correlated with the texts of considerations (148), (150) and (151), respectively with considerations (149) and (150) from the preamble[14].

In order to analyse the classification of the sanctions we take into consideration several of the arguments invoked in the preamble, as follows:

(149) „Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

(152) Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.”

Concerning the competence of the Member States to particularize the sentencing regime, the provisions of art. 83 are relevant, according to which, each Member state can lay down, without prejudice to corrective powers of supervisory authorities, the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State, respectively where the legal system of the Member State does not provide for administrative fines, the rules to be applicated in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities, ensuring nevertheless that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities, as well as to the fact that the fines imposed are effective, proportionate and dissuasive.   In these situations, as well, the Member State shall notify to the Commission prior to the enforcement of GDPR and subsequently, without delay, any subsequent amendment affecting them.

As a conclusion for the consideration of the aspects presented therebefore, we classify the sanctions applicable under GDPR in administrative fines provided expressly by the Regulation and fines and other applicable sanctions (including of penal nature) established by the Member States law.

  1. Corrective measures, from issuing warnings to imposing administrative fines or suspension of the data flows

As it was already mentioned, the corrective measures are adopted by the supervisory authority in exercising the corrective powers provided for expressly by the regulation in the text of paragraph (2) of the art. 58. We appreciate that it is not necessary to present the ten corrective measures and that it is far more important to analyse their gradualness, and whether they can be disposed only singularly or cumulatively, respectively if they are hierarchized or not with regards to their enforcement.

It is interesting to observe the verbs and actions used for describing the corrective measures, to issue warnings, to issue reprimands, to order the controller or the processor to comply, to order the controller or the processor to communicate, to impose a limitation, to order the rectification or erasure and the notification, to withdraw a certification or to order the certification body to withdraw a certification or not to issue certification, and it terminated with to impose an administrative fine, and to order the suspension of data flows.

We therefore observe that the Regulation does not realise a hierarchization of these measures by the chosen wording and topic, arranging the corrective measures from those which can be applied in the case of minor infringements to the more severe, in the case of major infringements. Also, it is important to mention that these measures can be individualized for every case, by analysing the specific conditions, as well as the fact that an administrative fine constitutes by itself a corrective measure, may be imposed in addition to or instead of other measures applicated for the exercise of the other corrective powers provided for in paragraph (2) of article 58.

We will hereby observe both the general conditions for imposing administrative fees, as well as the safeguards provided by GDPR in the case of the exercise, by the supervisory authority of the corrective powers.

  1. General conditions for imposing administrative fines

We previously mentioned that art. 83 of the Regulation establishes general condition for imposing of administrative fines and makes reference to the following aspects:[15]

  1. imposing of administrative fines is, in every case, effective, proportionate and dissuasive;
  2. administrative fines are imposed in addition to, or instead of, measures referred to in Art. 58(2);
  3. Whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due, paying attention to several aspects which will be subsequently further detailed;
  4. If a controller or processor, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement;
  5. The quantum of the administrative fines imposed for certain infringements[16] can be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, while for other infringements[17], the administrative fines can be up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher;
  6. each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State;
  7. the exercise by the supervisory authority of its powers takes place with the appropriate procedural safeguards in accordance with Union and Member State law;
  8. Where the legal system of the Member State does not provide for administrative fines, this Article 83 of the Regulation „may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.”[18]

In considering the aforementioned condition, with regards to the aspects to take into account in taking the decision with regards to imposing an administrative fee, as well as the decision with regards to the amount of the administrative fee, it should be emphasized that these are also detailed in the text of art. 83 (2) and aim at:

„(a)  the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)  the intentional or negligent character of the infringement;

(c)  any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)  the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)  any relevant previous infringements by the controller or processor;

(f)  the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)  the categories of personal data affected by the infringement;

(h)  the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)  where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)  adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)  any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

We chose to quote the text of this paragraph in order to underline that the individualization of the sanction but also the amount of the administrative fee is strongly linked with the extent of the deliberate character of the infringement, with the previous conduct of the person who made the infringement, with the extent of the negative effects of the infringement and with the amount of the prejudices suffered by the data subject, as well as by the cooperation degree of the responsible of the infringement with the supervisory authority.

 VII. Procedural safeguards

With regards to ensuring and respecting an efficient procedural safeguard system, we should firstly reiterate the new competence of the national authority, as well as the obligation of each member state to provide, by legislative means, the fact that its supervisory authority has the power to initiate or to engage in judicial proceedings, in order to enforce the provisions of the Regulation.

We also reiterate the fact that the exercise of the powers linked to imposing administrative fees takes place with the condition of ensuring of appropriate procedural safeguards in accordance with Union and Member State law, in accordance with the Charter of Fundamental Rights of the European Union. These safeguards, which must be appropriate take into account inclusively effective legal remedies and fair trials, are provided for in Chapter VIII of GDPR – Remedies, liability and penalties.

Hence, art. 77 – Right to lodge a complaint with a supervisory authority, which needs to be analysed in correlation with the text of consideration (141) of the preamble, established both the rights of the data subject and obligations for the supervisory authority.

Also, art. 78 – Right to an effective judicial remedy against a supervisory authority, correlated with the text of consideration (143), institutes both the content of the right, as well as the measures for its effective enforcement, respectively the means of action in the case in which the actions are introduced against a decision of a supervisory authority, preceded by an opinion or a decision of the Board, within the consistency mechanism[19].

The right to an effective judicial remedy against a controller or processor is regulated by the text of art. 79 and can be correlated with the text of consideration (145) of the preamble).

Excepting the regulation of these three rights to remedy, we consider relevant for our matter the text of art 82 from the regulation, correlated with the texts of art. (146) and (147) from the preamble, according to which it is acknowledged the right of a person which a material or moral prejudice as a result of processing that infringes the Regulation, as well as to be entitled for compensation from the controller or the processor for the damage. Also, the same article institutes the responsibility of the operator for the damages made by infringements of GDPR, its conditions and limitations, as well as the actions with regards of compensation.

Another very important aspect, regulated as a novelty under GDPR, is constituted by the right of the data subject to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law”[20]. Also, the same article established the possibility for the Member States to provide ex officio anybody, organisation or association of the respective rights (art.77-79).

 VIII. Conclusions

The regulation will be certainly enforced starting with 25 May 2018.

GDPR aimed at the uniformization of the regulation, providing as well as national specific norms. Are the Member States ready? The answer, at least with regard to Romania, is not an affirmative one. We failed yet to identify on the official website[21] of the National Supervisory Authority for Personal Data Processing or in the Parliamentary procedure any draft law in public debate procedure and through which are adopted the aforementioned national specific norms. The time left until the enforcement is short and it should be underlined that, in our opinion, the adoption, by the Government, of an eventual Government Emergency Ordinance in this field would not be of opportunity, and it would not respect the constitutional requirements.

The sentencing regime imposed by GDPR is one of the most severe at the level of the European Union, and it was imposed specifically for leading to a uniform compliance with the provisions of the Regulation. We appreciate that the controllers will have a choice between investing consistent amounts in order to ensure data protection against unlawful processing and for ensuring the free flow of data, in accordance with the provisions of the Regulation, or will invest these amounts for the payment of the eventual administrative fines.

We underline the fact that appropriate procedural safeguards are associated to the corrective measures, in order for the aim of the Regulation to be achieved. We underline, in the context, the right of a data subject to mandate a not-for-profit body, organisation or association to lodge the complaint on his or her behalf and to exercise the rights referred to in Articles 77-79 and 82 of the Regulation on his or her behalf.

Given the architecture of the regulation, but also the way in which the national authorities are enforcing their powers, we appreciate that administrative fees will not be imposed starting with 25 May 2018, but rather other corrective measures. Everything depends on the extent of the of the infringement, with the previous conduct of the person who made the infringement, with the extent of the negative of those who made the infringement, as well as with the conduct of the supervisory authority.

Also, taking into consideration the myriad of tasks of the supervisory authorities, but also of other public organisms, we reiterate the necessity of the Member States to allocate for them the necessary resources, both human and material, in order to ensure their functioning, including for the professionalisation and training of the personnel.

It is not appropriate to tell at this point to what extent the goals of the GDPR will be fulfilled. The answers are to be identified once the enforcement is made, and with the eventual help of national courts and with the help of the Court of Justice of the European Union.

 



* Research associate, „Acad. Andrei Rădulescu” Legal Research Institute of Romanian Academy; Doctor of Juridical Sciences of the University of Bucharest; principal areas of interest: Administrative Law, Constitutional Law and European Law; [email protected]. This paper was presented in the European Conference on Financial Services – ECFS 2017, organized in Brasov, 19-20 October, by the Institute for Financial Studies, University „Petru Maior” Targu-Mures and the Romanian Society for Public and Private Affairs of Targu-Mureș. The author would like to thank  Mr. Bogdan Ţopan for the support offered in translating the article in English. The article was published in Romanian in Curierul Judiciar, no. 1/2018.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L119/04.05.2016).

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L281/23.11.1995).

[3] Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007 (OJ C306/17.12.2007), in force since 1 December 2009. The consolidated versions of TEU and TFEU are published (OJ C326/26.10.2012) and can be found inclusively online (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:C2012/326/01&from=RO).

[4] Please refer to the text of art.7 from the Charter of Fundamental Rights of the European Union.

[5] Please refer to the text of art.8 from the Charter of Fundamental Rights of the European Union.

[6] Please refer to, for example, I. Alexe, C. M. Banu, De la directivă la regulament în reglementarea protecției datelor cu caracter personal la nivelul Uniunii Europene, în I. Alexe, N. D. Ploeșteanu, D. M. Șandru (coord.), Protecția datelor cu caracter personal, Ed. Universitară, București, 2017, p. 14-40; N. D. Ploeșteanu, A. Mariș, Viziunea Regulamentului general privind protecția datelor personale 679/2016(RGDP) într-o societate digitală, în I. Alexe, N. D. Ploeșteanu, D. M. Șandru (coord.), op. cit, p. 77-127. For a detailed analysis on the powers and the role of the Data Protection Authorities: P. Schütz, The Set Up of Data Protection Authorities as a New Regulatory Approach, în vol. S. Gutwirth, R. Leenes, P. de Hert, Y. Poullet, (Eds.), European Data Protection: In Good Health?, Springer, 2012, p. 125.

[7] According to the provisions of art.4 (1) of GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

[8] On the obligation of the controller and of the processor to nominate a Data Protection Officer, as well as concerning its role in the architecture of GDPR, please refer to: I. Alexe, Principalele noutăți privind responsabilul cu protecția datelor, incluse în GDPR, in the process of being published.

[9]According to the provisions of art.4 (21) of GDPR, „supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.

[10] D. M. Șandru, Regimul juridic al protecției datelor cu caracter personal este în proces de regândire, in I. Alexe, N. D. Ploeșteanu, D. M. Șandru (coord.), op. cit, p. 272-278.

[11] Please refer to the text of art.51 (3) of GDPR.

[12] According to the provisions of art.4 (2) of GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

[13] The particularization of these competencies in the Romanian law system is necessary, especially for the controllers: Bird & Bird, Guide to the General Data Protection Regulation, May 2017, p. 47-48 (https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en). For the regulation proposal in Ireland, (http://www.justice.ie/en/JELR/Pages/PR17000155). Also, please take into consideration the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237).

[14] For differences and former regulation, please refer to: S. J. Golla, Is Data Protection Law Growing Teeth: The Current Lack of Sanctions in Data Protection Law and Administrative Fines under the GDPR, Journal of Intellectual Property, Information Technology and Electronic Commerce Law, Vol. 8, 1/2017, p. 70.

[15] For a list of the sanctions: GDPR in Context: Remedies and Sanctions, elaborated by Matheson.com (http://www.matheson.com/images/uploads/documents/GDPR_in_Context_-_Remedies_and_Sanctions.pdf).

[16] Provided for in art.83 (4).

[17] Provided for in art.83 (5) and (6).

[18] Please refer to the conditions provided in art. 83 (9).

[19] For further details please refer to the procedures provided for in art.63-66 of the Regulation.

[20] For further details, please refer to, art. 89 (1) of the Regulation.

[21] (http://www.dataprotection.ro/)

 

Irina Alexe