In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.
