What exactly changed?
1. Easier to sanction a company for a GDPR violation
The previous rules made the liability of the legal person dependent on the actions of the natural person. The amended law provides that a company is also liable if the infringement is due to a lack of supervision or inadequate work organization. A legal person can be held liable for failure to act in a situation where it is under a legal duty to act.
This means that a company could be fined for not having the necessary data protection documentation or an overview of its processing activities, or for having insufficient security measures in place.
2. Potential fines become significantly higher
The new law abolishes the current upper threshold of €400 000 for data protection fines. Instead, the Data Protection Inspectorate will have the power to impose fines of up to €20 million or up to 4% of a company's global annual turnover in the previous financial year, whichever is higher.
3. Proceedings may take longer
An important change also relates to the statute of limitations for GDPR infringements, which has been raised from two to three years, giving the Data Protection Inspectorate more time to investigate violations.
What does this mean for business?
With the new fines and the extension of corporate liability, breaching GDPR requirements will become significantly more costly for businesses. As a result, all businesses should take GDPR compliance even more seriously and bring their processes, documentation and monitoring into compliance.
The new regulation can apply to GDPR breaches committed on or after 1 November 2023, or to breaches that have continued since that date.
If you have any questions or need help with GDPR compliance, please do not hesitate to contact us. Fondia's data protection experts are ready to provide advice and practical guidance to prevent breaches and avoid potential fines.