Everyone involved in data protection under the GDPR fears the threat of fines in the event of a breach. In contrast, the other sanctions provided for in the GDPR receive little attention.

Get an overview of possible sanctions and how they can be dangerous to your business here.

Measures taken by the supervisory authorities

The German federal states regulate data protection supervision themselves. The respective data protection and freedom of information commissioners monitor all private bodies in the federal state and all public bodies in the federal state. The federal public bodies are in turn subject to the control of the Federal Data Protection Commissioner.

For the effective protection of data protection, the competent authorities can take appropriate measures. These possibilities for action exist vis-à-vis controllers and processors and are regulated in Art. 58 GDPR.

Request information

Each supervisory authority may order the controller, the processor and, if applicable, the representative of the controller or the processor to provide all information necessary for the performance of its tasks (especially monitoring) (Art. 58 I lit. a GDPR). It is therefore possible that the supervisory authority sends questionnaires that the controller or others must fill out or that position statements are requested.

Investigations, reviews and references

The supervisory authorities may conduct data protection audits, as well as review certifications granted under Art. 42 VII GDPR (Art. 58 I lit. b, c GDPR).

In addition, they can explicitly point out alleged violations of the GDPR to controllers and processors (Art. 58 I lit. d GDPR).

Demand access

If necessary for the performance of its duties, the supervisory authority may even demand access to all necessary personal data and information (Art. 58 I lit. e GDPR). Access to the premises, including all data processing facilities and equipment, of the controller and the processor may also be requested (Art. 58 I lit. f GDPR).

(Warning) and instruction

The supervisory authority may warn a controller or processor that intended processing operations are likely to infringe the GDPR (art. 58 II lit. a GDPR). This is a preventive warning if a planning of the controller is likely to violate data protection law.

If a breach has already occurred, the supervisory authority may warn accordingly (Art. 58 II lit. b GDPR) and instruct to comply with data subjects' requests for data subject rights (Art. 58 II lit. c).

If processes do not comply with the GDPR, the supervisory authority may instruct to remedy this within a set period (Art. 58 II lit. e GDPR) and to notify data subjects accordingly (Art. 58 II lit. e GDPR).

Prohibition, revocation and suspension of transmission

The supervisory authorities could even temporarily or permanently restrict or prohibit processing, revoke (have revoked) or not issue certifications, and order a suspension of transfers to third countries (Art. 58 II lit.f, h, j GDPR).

Correction, deletion and restriction

In addition, the supervisory authorities could bring about the rectification or erasure of personal data or the restriction of processing and the notification of the recipients to whom such personal data have been disclosed (Art. 58 II lit. g GDPR).

Fines and individual measures

Last but not least, Art. 58 II lit. i GDPR lists the most well-known measure: the fine. At the same time, however, it is also regulated here that the supervisory authorities may impose the fine in addition to or instead of the measures mentioned in Art. 58 II GDPR. Thus, a combination is possible.


In the event of a data protection breach, the fine under the GDPR is by no means the only risk. The list of possible measures by the supervisory authorities is very long, comparable to this article. The economic and immaterial risks also remain unnoticed at this point: Damage to image, loss of trust, loss of sales, etc.

These risks can be effectively countered with good data protection management. Include a data protection officer in your company and thus ensure that processing takes place in compliance with the law, is monitored, and all parties involved can always receive expert advice.

Still looking for an external data protection officer? Feel free to contact us!