You can access the official legal text of GDPR Article 83 via the European Union’s legal database at eur-lex.europa.eu
Article 83(6)
“Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20,000,000 EUR, or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
This provision targets organizations that defy official orders issued by a supervisory authority (like a national data protection authority). These orders are defined in Article 58(2) and include:
- Warnings or reprimands
- Orders to comply with data subject requests
- Orders to rectify, restrict, or erase data
- Suspension of data flows to third countries
- Withdrawal of certification
- Temporary or definitive limitations on processing
If a controller or processor fails to comply with any of these orders, it faces the highest tier of administrative fines under the GDPR:
- Up to €20 million, or
- Up to 4% of global annual turnover, whichever is higher
Why This Is Treated So Seriously
Ignoring a supervisory authority’s order is seen as:
- A direct challenge to regulatory enforcement
- A sign of non-cooperation and bad faith
- A threat to the integrity of the GDPR framework
This is why it’s placed in the same penalty tier as violations of core principles (Article 83(5)).
Example Scenario
Let’s say a company is ordered by the authority to:
- Stop processing personal data unlawfully collected without consent
- Notify affected individuals of a breach
- Delete data transferred to a third country without safeguards
If the company refuses or delays compliance, it can be fined under Article 83(6)—even if the original violation was already fined separately.
Link to Article 83(2)
The phrase “in accordance with paragraph 2” means that before imposing the fine, the authority must consider the ten criteria listed in Article 83(2), such as:
- Severity of the violation
- Intentional vs. negligent behavior
- Cooperation with the authority
- Previous infringements
- Categories of data affected
This ensures the fine is proportionate and contextualized.
Article 83(7)
“Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.”
This paragraph introduces a national discretion clause. It allows EU Member States to decide:
- Whether public authorities and bodies in their jurisdiction can be fined under the GDPR
- To what extent such fines can be imposed (e.g., full, partial, or exempt)
This provision does not override the general enforcement powers of supervisory authorities under Article 58(2), which include issuing warnings, reprimands, and orders to comply.
Key Concepts Explained
“Without prejudice to the corrective powers…”
This phrase means that supervisory authorities still retain their full range of enforcement tools under Article 58(2), such as:
- Warnings and reprimands
- Orders to comply with data subject requests
- Orders to suspend or restrict processing
- Orders to notify data breaches
So even if a Member State prohibits or limits fines for public bodies, authorities can still use non-financial corrective measures.
“Each Member State may lay down the rules…”
This is a delegation of power to national governments. It recognizes that:
- Public authorities (e.g., tax offices, police, courts, schools) may operate under different legal and budgetary constraints
- Some Member States may choose to exempt them from fines to protect public budgets
- Others may allow fines but cap them or apply them only in cases of gross negligence or repeated violations
Practical Examples
- Germany: Public authorities are generally not subject to administrative fines under the German Federal Data Protection Act (BDSG), except in certain cases
- France: The CNIL (French DPA) can impose fines on public bodies but often uses warnings and compliance orders instead
- Sweden: The Swedish DPA has fined public authorities, including municipalities, for GDPR violations
This clause reflects the principle of subsidiarity in EU law: Member States retain control over how GDPR enforcement applies to their own public sector. It also ensures that GDPR enforcement remains flexible.