What are the penalties for breaching GDPR?
FORMAL ANSWER
A data controller that has breached GDPR is subject to administrative liability (decisions of the President of the Polish DPA may include financial penalties, as well as various orders aimed at ensuring compliance with GDPR) and civil liability (the data subject has the right to compensation for material or non-material damage resulting from a breach of GDPR). Furthermore, any person who unlawfully processes personal data or obstructs an inspection of compliance with data protection provisions is subject to criminal liability under the Personal Data Protection Act. The final type of liability is disciplinary liability of an employee who breaches personal data protection rules. An employee who has committed such breaches may be subject to a warning, reprimand or even dismissal for cause.
PRACTICAL ANSWER
The President of the Polish DPA may impose a financial penalty of up to EUR 20 million or 4% of turnover, whichever amount is higher, for the most serious breaches (such as breaches of data processing principles or data subject rights, or failure to comply with orders of the supervisory authority), and up to EUR 10 million or 2% of turnover, whichever amount is higher, for other breaches. In addition to financial penalties, the President of the Polish DPA may issue orders aimed at restoring compliance with GDPR, and may even order that processing be restricted to storage only, which can halt business processes and prove more severe than a financial penalty.
Furthermore, an employee who breaches GDPR should also expect compensatory liability in the event of a claim, criminal liability in the event of a report to the prosecutor, or disciplinary liability in the event of failure to comply with internal policies and procedures.
MORE:
- You can find more information in the article: High administrative penalties under GDPR — we are not scaremongering, we are reminding you