The GDPR is not a toothless tiger – even though it sometimes looks like one. It provides for various sanctions.
The GDPR provides various instruments for its enforcement:
- Administrative orders of the data protection supervisory authorities (Art. 58 GDPR)
- According to Art. 83 GDPR, fines can be imposed
- According to Art. 82 GDPR, data subjects can claim (also non-material) damages
7.2 Measures of the the data protection supervisory authorities
Art. 58 GDPR provides various instruments for data protection supervisory authorities to enforce compliance with the GDPR. These are not sanctions in the strict sense of the word – e.g., fines or compensation for damages – but the measures imposed can still have a significant impact on the business operations of the email marketer. For example, further processing of data for direct marketing may be ordered to be changed in order to comply with the GDPR.
The Superior Administrative Court of Saarland (OVG Saarlouis), for example, confirmed an order of the data protection supervisory authority which ordered both the use of the data for direct advertising (in this specific case: telephone advertising) and the deletion of this data (OVG Saarlouis, decision of 16 February 2021, file no. 2 A 355/19).
These measures can also be enforced under national administrative enforcement laws. Penalty payments, in particular, come into consideration for this. These periodic penalty payments can be ordered in addition to fines and thus deliver an additional financial risk.
7.3 Sanctions imposed due to GDPR breaches
Pursuant to Art. 83 GDPR, data protection supervisory authorities may impose fines of up to 10 million or 20 million Euro or, in the case of an “undertaking”, up to 2% or 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. The applicable sanction framework depends on which regulation is violated. For breaches of the admissibility requirement and the transparency obligations, for example, the larger framework applies.
A significant example of a fine imposed in Germany relates, for example, to that levied by the Data Protection Authority for the German state of Baden-Württemberg (LfDI) against the health insurance company AOK Baden-Württemberg, with a decision made on 25.06.2020 amounting to 1,240,000 Euro, which also concerned consents to the use of data for advertising purposes (see https://edpb.europa.eu/news/national-news/2020/baden-wuerttemberg-state-commissioner-imposes-fine-aok-baden-wuerttemberg_en, last visited on 28.10.2022.)
This clearly shows that there is a considerable risk of sanctions in the event of non-compliance with the GDPR provisions.
7.4 Compensation for damages instead of a fine
What is currently more “popular”, and probably also riskier, are claims for damages by data subjects under Art. 82 of the GDPR if their data is used for direct marketing or profiling or analysis in breach of the GDPR. In principle, any breach of the GDPR can lead to a qualification for these claims – the details are still disputed and are currently “before” the ECJ for a decision. But there is a high risk of being held liable. Particularly frequent complaints and claims for damages are made in the case of unauthorised sending of direct advertising, breaches of the proactive information obligations according to Articles 13 and 14 GDPR, and errors in the provision of information according to Art. 15 GDPR. In addition to the question of whether the mere breach or only the “pain and suffering” is a condition, there is much discussion on whether the claim for damages also has a “punitive” component. This can make the claim dangerous. If conceded, high claims for damages for pain and suffering can result from this.
In its judgement on 9.9.2021 (file no.: 2 C 133/21), the German Pfaffenhofen District Court, for example, ruled a non-material claim for damages in the amount of 300 Euro for just one (!) unsolicited email. Although this judgement raises legal questions, it makes clear the risk of corresponding legal proceedings.
A special feature is also the difference to the fine. While a fine only imposes a one-time penalty, in the worst-case scenario, there could be a penalty surcharge for each claim of each data subject plus the lawyer’s fees in each individual case.
The best protection is data protection compliance. But mistakes still happen. Marketing is typically innovative and, therefore, risky, so it is crucial to take the right actions when things go wrong. Because by reacting appropriately to an incident or allegation, the effect of the aforementioned risks can be mitigated.