Businesses could face heavy fines for breaching GDPR rules

GDPR compliance - Fondia

It is no news anymore that courts in other EU countries are imposing fines running into millions of euros for breaches of GDPR. So far, fines for data protection breaches have not received much attention in Estonia. This is because the laws in force in Estonia to date have imposed obstacles both to the liability of legal persons and to the size of the fine.

An amendment to the Estonian Penal Code entered into force on 1 November, making it easier to sanction businesses for GDPR violations.

What exactly changed?

1. Easier to sanction a company for a GDPR violation

The previous rules made the liability of the legal person dependent on the actions of the natural person. The amended law provides that a company is also liable if the infringement is due to a lack of supervision or inadequate work organization. A legal person can be held liable for failure to act in a situation where it is under a legal duty to act.

This means that a company could be fined for not having the necessary data protection documentation or an overview of its processing activities, or for having insufficient security measures in place.

2. Potential fines become significantly higher

The new law abolishes the upper threshold for fines for data protection breaches. Instead of the previous maximum fine of €400 000, the Data Protection Inspectorate will have the power to impose fines of up to €20 million or up to 4% of a company's global annual turnover in the previous financial year, whichever is higher.

3. Proceedings may take longer

An important change also relates to the statute of limitations for GDPR infringements, which has been raised from two to three years, giving the Data Protection Inspectorate more time to investigate violations.
What does this mean for business?

With the new fines and the extension of corporate liability, breaching GDPR requirements will become significantly more costly for businesses. As a result, all businesses should take GDPR compliance even more seriously and bring their processes, documentation and monitoring into compliance.

The new rules apply to GDPR breaches committed on or after 1 November 2023, or to breaches that began earlier and have continued since that date.

If you have any questions or need help with GDPR compliance, please do not hesitate to contact us. Fondia's data protection experts are ready to provide advice and practical guidance to prevent breaches and avoid potential fines.