The nightmare of every data protection professional: a data protection breach has occurred. Everyone immediately thinks of fines and legal proceedings, but what are the real legal risks of a data breach and how can they be avoided?
Sanctions by supervisory authorities
Everyone involved in data protection under the GDPR fears the threat of fines in the event of a breach. In contrast, the other sanctions provided for in the GDPR receive little attention.
An overview of the sanctions available to the respective supervisory authority can be found here.
National sanctions
In addition to the sanctions of the GDPR, criminal provisions of the respective national law are also applicable (opening clause in Art. 84 GDPR).
In Germany, this opening clause gave rise to Section 43 of the BDSG. It threatens two years' imprisonment or a fine if unlawful processing is carried out in return for payment or with the intention of causing damage or enrichment. If non-public data of a large group of persons is knowingly traded on a commercial basis without authorization, there is even a threat of three years.
Risks from competitors
If the processing of personal data is unlawful, competitors can also take action against it. According to established case law, a civil law warning can be issued against such behavior. This requires a breach of competition law in accordance with the UWG.
Consumer protection associations can also issue warnings against data privacy violations on their own initiative and sue accordingly.
Claims for damages under the GDPR
Data subjects themselves could also be the data processor's undoing. Art. 82 GDPR allows data subjects to sue for damages. The German courts have now also become more amenable to claims for immaterial damage (as can be seen, for example, from the recent judgment against Scalable over a data leak).
Summary
In the event of a data protection violation, the fine is by no means the only risk under the GDPR. The list of legal consequences is very long compared to this article. The economic and immaterial risks have also been left out of consideration here: damage to image, loss of trust, loss of sales, etc.
These risks can be effectively countered with good data protection management. Involve a data protection officer in your company and thus ensure that processing takes place in compliance with the law, is monitored and that all parties involved can always receive expert advice.