A Written Report
BABAN, Neil
CAGAS, James Adrian
CALIO, Lope III
DINGAL, Johanna
ESCOBIDO, Hanna
IGBALIC, Anna Lou
SANTIAGO, Reginald Matt
TALON, Francris
III-MANRESA 2019-2020
Ateneo de Davao College of Law
General Data Protection Regulation
Data Protection + Teeth
TABLE OF CONTENTS
I. INTRODUCTION
   A. What is GDPR?
   B. Historical Background of the GDPR
   C. Data Protection Principles
   D. Material and Territorial Jurisdiction
II. RIGHTS OF THE DATA SUBJECT
   A. Individual Rights of a Data Subject under GDPR
      1. Right to be Informed
      2. Right of Access
      3. Right to Rectification
      4. Right to Erasure or the 'Right to be Forgotten'
      5. Right to Restriction of Processing
      6. Right to Data Portability
      7. Right to Object
      8. Rights Related to Automated Decision-Making
   B. Restrictions
III. ACCOUNTABILITY AND GOVERNANCE
   A. Obligations for Data Controllers and Processors
      1. Privacy by Design and Default
      2. Data Protection Impact Assessment
      3. Designation of the Data Protection Officers
      4. Codes of Conduct
   B. Personal Data Breach
IV. PROVISIONS FOR REDRESS
   A. GDPR as Data Privacy Regulation with Teeth
   B. Remedies, Liabilities and Penalties
      1. Overview of Procedure
      2. Penalties
      3. Applications of GDPR
V. CONCLUSION
I. INTRODUCTION
A. What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union law
governing the privacy and security of personal data belonging to individuals
in the European Union. It regulates how persons and entities collect and
process such data. It requires that the data subject be told what data an
organisation will use and for what purpose, and it gives the data subject a
right to erasure of the personal data obtained from them.

The data regulated by the law is personal data, that is, any information
relating to an identified or identifiable natural person, including but not
limited to name, address, phone number, IP address, sexual orientation and
political opinion. The law also covers persons or entities outside the
European Union that collect or process the data of data subjects who are in
the EU, regardless of those subjects' citizenship; most of these are entities
that offer goods or services to people in Europe or monitor their behaviour
there.

A person or entity that collects personal data must be able to show a lawful
basis for obtaining it and the purpose for which it is obtained. An entity
that processes the data of people in the EU without a lawful basis is exposed
to administrative fines of up to 20 million euros or, in the case of an
undertaking, up to 4% of its total worldwide annual turnover of the preceding
financial year, whichever is higher. The law does not prohibit these entities
from obtaining data from people in the EU, so long as the processing rests on
the consent of the person or on another basis recognised by the law.
What pushed the creation of the GDPR was that the old law was
written before the birth of smartphones which collected massive
[1] The history of the General Data Protection Regulation (GDPR). European Data Protection Supervisor. Retrieved March 04, 2020 from https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
Material Jurisdiction
(b) by the Member States when carrying out activities which fall
within the scope of Chapter 2 of Title V of the TEU;
[2] An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Article 4(1), GDPR)
Territorial Jurisdiction
[3] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
[4] The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3. (n.d.). Retrieved from https://www.wiley.law/newsletter-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3
Article 3(2) of the GDPR provides:

"This Regulation applies to the processing of personal data of data subjects who
are in the Union by a controller or processor not established in the Union, where the
processing activities are related to: (a) the offering of goods or services, irrespective of
whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the
Union."

Under the first prong, Recital 23 of the GDPR explains that the mere
accessibility of a commerce-oriented website to persons in the EU does not by
itself constitute the offering of goods or services to data subjects in the
Union; factors such as the use of a language or currency generally used in one
or more Member States, or the mention of customers or users who are in the
Union, may make that intention apparent.
[5] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
[6] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
Material Scope
   RA 10173: The law applies to the processing of all types of personal
   information and to any natural person or legal entity involved in personal
   information processing.
   GDPR: Applies to the processing of personal data wholly or partly by
   automated means, and to non-automated processing of personal data which
   form part of, or are intended to form part of, a filing system, within the
   scope of Union law (Article 2(1)).
[7] The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3. (n.d.). Retrieved from https://www.wiley.law/newsletter-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3
[8] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
1. Right to Access Personal Data. - Under the GDPR, data subjects have the
right to access the personal data a data controller holds about them. The
controller must respond to the request without undue delay and in any event
within one month of receipt, a period that may be extended by two further
months where necessary, taking into account the complexity and number of
requests (Articles 12(3) and 15);
1. Right to be Informed
Transparency about the collection and use of personal data is a precondition
for individuals to exercise their right to the protection of that data. The
General Data Protection Regulation (GDPR) therefore gives individuals a right
to be informed about the collection and use of their personal data, which
translates into a set of information obligations on the controller. The law
distinguishes two cases: where the personal data are obtained directly from
the data subject (Art. 13 of the GDPR) and where they are not (Art. 14 of the
GDPR).
[9] Right to be Informed. (n.d.). Retrieved from https://gdpr-info.eu/issues/right-to-be-informed/
Where the personal data are not obtained from the data subject, the
obligation to inform does not apply in exceptional cases: where the data
subject already has the information; where providing it proves impossible or
would involve disproportionate effort; where obtaining or disclosing the data
is expressly laid down by law; or where the data must remain confidential
subject to an obligation of professional secrecy or another statutory
obligation of secrecy (Art. 14(5) of the GDPR).
[10] Right to be Informed. (n.d.). Retrieved from https://gdpr-info.eu/issues/right-to-be-informed/
understand, and that clear and plain language and, additionally, where
appropriate, visualization be used. Such information could be provided in
electronic form, for example, when addressed to the public, through a
website. This is of particular relevance in situations where the proliferation
of actors and the technological complexity of practice make it difficult for
the data subject to know and understand whether, by whom and for what
purpose personal data relating to him or her are being collected, such as
in the case of online advertising. Given that children merit specific
protection, any information and communication, where processing is
addressed to a child, should be in such a clear and plain language that the
child can easily understand.11
2. Right of Access
Commonly referred to as subject access, it gives individuals the right
to obtain a copy of their personal data as well as other supplementary
information. The GDPR includes a best practice recommendation that,
where possible, organizations should be able to provide remote access to
a secure self-service system which would provide the individual with direct
access to his or her information13.
[11] Recital 58, GDPR
[12] Recital 60, GDPR
[13] Recital 63, GDPR
The GDPR does not specify how a valid request must be made; an individual can
therefore make a subject access request verbally or in writing. A standard
form can make it easier for the individual to make the request and to include
all the details the entity needs to locate the information they want, but an
entity cannot insist that the form be used. The GDPR requires that the
information provided to an individual be in a concise, transparent,
intelligible and easily accessible form, using clear and plain language.14
[14] Information Commissioner's Office, Right of access. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
In the Philippines
3. Right to Rectification
Under Article 16 of the GDPR individuals have the right to have inaccurate
personal data rectified and, taking into account the purposes of the
processing, to have incomplete personal data completed, including by means of
a supplementary statement. The GDPR does not define the term accuracy. The
UK's Data Protection Act 2018 (DPA 2018), however, states that personal data
are inaccurate if they are incorrect or misleading as to any matter of fact.
Determining whether personal data are inaccurate can be more complex where
the data record a mistake that has since been resolved, or where the data
record an opinion: opinions are, by their very nature, subjective, and it can
be difficult to conclude that the record of an opinion is inaccurate.15
The GDPR does not specify how to make a valid request, so an individual can
make a request for rectification verbally or in writing. In most cases an
entity cannot charge a fee to comply with a request for rectification; it
can, however, charge a "reasonable fee" for the administrative costs of
complying with the request if the request is manifestly unfounded or
excessive. If there are doubts as to the identity of the person making the
request, the entity can ask for more information to confirm that identity.
The same applies to a subject access request, for which in most cases no fee
may be charged.
[15] Information Commissioner's Office, Right to rectification. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/
In the Philippines
[16] Information Commissioner's Office, Right to erasure. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
In Google Spain SL and Google Inc. v. AEPD and Mario Costeja González17
(Case C-131/12), the Court of Justice of the European Union held that the
activity of search engines plays a decisive role in the overall dissemination
of personal data, in that it renders the data accessible to any internet user
making a search on the basis of the data subject's name, including internet
users who would otherwise not have found the web page on which the data are
published. The fact that publishers of websites have the option of indicating
to operators of search engines, by means in particular of exclusion protocols
such as 'robots.txt' or codes such as 'noindex' or 'noarchive', that they
wish specific information published on their site to be wholly or partially
excluded from the search engines' automatic indexes does not mean that, if
publishers of websites do not so indicate, the operator of a search engine is
released from its responsibility for the processing of personal data that it
carries out in the context of the engine's activity. The case was decided
under Directive 95/46/EC, the GDPR's predecessor, but its reasoning underlies
the right to erasure now codified in Article 17 of the GDPR.
In the Philippines

5. Right to Restriction of Processing
Under the GDPR individuals have the right to require a controller to restrict
the processing of their personal data in the following situations:20
1. The individual contests the accuracy of the personal data, for the period
   during which the controller verifies its accuracy;
2. The processing is unlawful (i.e. in breach of the lawfulness requirement
   of the first principle of the GDPR) and the individual opposes erasure and
   requests restriction instead;
3. The controller no longer needs the data, but the individual needs it in
   order to establish, exercise or defend a legal claim; or
4. The individual has objected to the processing under Article 21(1), pending
   verification of whether the controller's legitimate grounds override those
   of the individual.
Although this right is distinct from the right to rectification and the right
to object, the three rights are closely related. As a matter of good practice,
the controller should restrict processing while it considers whether its
legitimate grounds for processing the personal data in question override
those of the individual, illustrated as follows:21
[19] Information Commissioner's Office, Right to restrict processing. Retrieved March 11, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/
[20] Ibid.
[21] Ibid.
The right to data portability allows data subjects to obtain and reuse
personal data about them for their own purposes across different services.23
In other words, an individual can demand from his or her service provider to
download his or her data or to have it transmitted to another service
provider. An example is a person who wants to stop using an online service but
still wants to keep his or her data or move it to another provider; a download
or export function serves this purpose. Article 20 of the GDPR specifies the
right to data portability as follows:
1. The data subject shall have the right to receive the personal data concerning
him or her, which he or she has provided to a controller, in a structured,
commonly used and machine-readable format and have the right to transmit
those data to another controller without hindrance from the controller to
which the personal data have been provided, where:
[22] Recital 67, GDPR
[23] Dela Torre, L. (23 February 2019). The right to data portability under EU data protection law. Retrieved March 11, 2020 from https://medium.com/golden-data/what-is-the-right-to-data-portability-under-eu-data-protection-law-8efa509fc788
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or
point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1);
and
(b) the processing is carried out by automated means.
Under the Data Privacy Act of 2012, the right to data portability is
included in Chapter 4 which contains the rights of the data subject.
According to Section 18:
The data subject shall have the right, where personal information is processed by
electronic means and in a structured and commonly used format, to obtain from the
personal information controller a copy of data undergoing processing in an electronic
or structured format, which is commonly used and allows for further use by the data
subject. The Commission may specify the electronic format referred to above, as well as
the technical standards, modalities and procedures for their transfer.
[24] Ibid.
[25] Recital 68, GDPR
7. Right to Object
Article 21 gives individuals the right to object, at any time, to the
processing of their personal data carried out on the basis of a public
interest or official authority task (Article 6(1)(e)) or of legitimate
interests (Article 6(1)(f)), including profiling on those bases. The
controller must then stop processing the data unless it demonstrates
compelling legitimate grounds that override the interests, rights and
freedoms of the individual, or the processing is for the establishment,
exercise or defence of legal claims. Where the processing is for direct
marketing purposes, the right to object is absolute.27 An example is an
individual who receives promotional calls or messages from his or her phone
provider: that individual has the right to make such promotional
communications stop. Under the GDPR, the right to object is emphasized on the
following points:28
[26] Hayman, K. (April 2008). The Move to Make Social Data Portable. Computer. Retrieved March 11, 2020 from https://ieeexplore.ieee.org/document/4488241
[27] Information Commissioner's Office, Right to object. Retrieved March 11, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/
[28] Dataguise (2018). Right to object. Retrieved March 11, 2020 from http://dataguise.com/gdpr-knowledge-center/right-to-object/
Under the Data Privacy Act, the data subject has the right to object to the
processing of his or her personal data, including processing for direct
marketing, automated processing or profiling. He or she should also be
notified and given an opportunity to withhold consent in case of any
amendment to the information supplied under the right to be informed.29
[29] National Privacy Commission. Rights of a data subject. Retrieved March 11, 2020 from https://www.privacy.gov.ph/wp-content/uploads/07-Rights-of-a-Data-Subject.pdf
[30] Ibid.
[31] National Privacy Commission. Rights of a data subject. Retrieved March 11, 2020 from https://www.privacy.gov.ph/know-your-rights/#topic7_part4
[32] Information Commissioner's Office, Rights related to automated decision making including profiling. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/
“The data subject shall have the right not to be subject to a decision based solely
on automated processing, including profiling, which produces legal effects concerning
him or her or similarly significantly affects him or her.” [Article 22(1)]
B. Restrictions
The exemptions in the UK's Data Protection Act 2018 (DPA 2018) can relieve an
organisation of some of its obligations, for example in the following cases:
The exemption for information that is required to be disclosed by law or in
connection with legal proceedings has three parts. The first part can apply
if one is required by law to make personal data available to the public, but
only to the extent that complying with the relevant provisions would prevent
one from meeting that legal obligation to make the personal data publicly
available.
The second part can apply if one is required by law, or by court order, to
disclose personal data to a third party. It exempts a person from the same
provisions, but only to the extent that complying with them would prevent the
disclosure of the personal data.
The third part can apply if it is necessary to disclose personal data for the
purposes of, or in connection with:
Self-incrimination
The self-incrimination exemption applies only to the extent that complying
with the relevant provisions would expose a person to proceedings for the
offence. It does not apply to an offence under the DPA 2018 or to an offence
regarding false statements made otherwise than on oath. Any information one
does provide to an individual in response to a subject access request is,
however, not admissible against that person in proceedings for an offence
under the DPA 2018.
[33] Information Commissioner's Office, Accountability and governance. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/
[34] General Data Protection Regulation (2018), Article 35(1).
[35] Data protection impact assessments. Information Commissioner's Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
To assess the level of risk, the controller must consider both the likelihood
and the severity of any impact on individuals.36 High risk could result from
either a high probability of some harm or a lower probability of serious
harm. The identified risks are then met with specific counter-measures and
standards intended to mitigate them or to prevent them altogether from
affecting the intended processing operation. The illustration below
summarizes the carrying out of a DPIA:
Obligations of Secrecy
Member States may adopt specific rules to set out the powers of the
supervisory authorities in relation to controllers or processors that are
subject, under Union or Member State law or rules established by national
competent bodies, to an obligation of professional secrecy or other
equivalent obligations of secrecy where this is necessary and proportionate
[36] What is a DPIA? Information Commissioner's Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-is-a-dpia/
to reconcile the right to the protection of personal data with the obligation
of secrecy. Those rules shall apply only with regard to personal data which
the controller or processor has received as a result of or has obtained in an
activity covered by that obligation of secrecy.37 This provision permits, but
does not require, Member States to adopt specific rules on the powers of
supervisory authorities over controllers and processors within their
jurisdiction that are bound by professional secrecy. Any such rules must
reconcile two obligations: the controller's or processor's duty of
professional secrecy and the individual's right to the protection of his or
her personal data. They may cover only personal data obtained in the course of
the activity that is subject to the secrecy obligation.
[37] General Data Protection Regulation (2018), Article 90.
[38] Republic Act 10173 (2012), Section 20(a).
[39] Republic Act 10173 (2012), Section 21.
The Data Privacy Act of 2012 does not use the term "data protection officer"
in the text of the statute itself. Section 21(b), however, requires the
personal information controller to designate an individual or individuals who
are accountable for the organization's compliance with the Act, and the
National Privacy Commission's implementing rules build the requirement to
designate a data protection officer on that provision. The Act also lays down
a confidentiality rule for employees, agents and representatives of a
personal information controller, as follows:
[40] General Data Protection Regulation (2018), Article 37(1).
information are not intended for public disclosure. This obligation shall continue
even after leaving the public service, transfer to another position or upon
termination of employment or contractual relations.41
4. Codes of Conduct
[41] Republic Act 10173 (2012), Section 20(e).
[42] Codes of conduct. Information Commissioner's Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/codes-of-conduct/
[43] Ibid.
The GDPR provides that in the case of a personal data breach, the controller
shall without undue delay and, where feasible, not later than 72 hours after
having become aware of it, notify the personal data breach to the supervisory
authority, unless the personal data breach is unlikely to result in a risk to
the rights and freedoms of natural persons. Where the notification to the
supervisory authority is not made within 72 hours, it shall be accompanied by
reasons for the delay.45 Dissecting the provision: the notification duty
applies only to breaches likely to result in a risk to the rights and freedoms
of natural persons; the 72-hour period runs from the moment the controller
becomes aware of the breach, not from the moment the breach occurred; and a
notification made after 72 hours must be accompanied by a justification for
the delay.

When the personal data breach is likely to result in a high risk to the
rights and freedoms of natural persons, the controller shall communicate the
personal data breach to the data subject without undue delay.47 The GDPR thus
provides not only for notification to the competent supervisory authority but
also, where the risk is high, for notification to the data subject. This is
justifiable since the data is an extension
[44] Personal data breaches. Information Commissioner's Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
[45] General Data Protection Regulation (2018), Article 33(1).
[46] Personal data breaches. Information Commissioner's Office.
[47] General Data Protection Regulation (2018), Article 34(1).
The Data Privacy Act of 2012 is also equipped to handle a personal data
breach. The law, in its Section 20(f), provides:
The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject. The notification shall at least describe the nature of the
breach, the sensitive personal information possibly involved, and the measures
taken by the entity to address the breach. Notification may be delayed only to the
extent necessary to determine the scope of the breach, to prevent further
disclosures, or to restore reasonable integrity to the information and
communications system.48
This means that not only should the Commission exempt a controller
from notification in cases where, in its reasonable judgement, such
[48] Republic Act 10173 (2012), Section 20(f).
[49] Ibid.
1. Make it easy for consumers to manage and control their data for direct
   marketing purposes, as well as to retrieve and sell them;
2. Require parental consent for the processing of a child's personal data in
   connection with online services where the child is under 16, a threshold
   Member States may lower to no less than 13 (Article 8).
[50] Bloomberg (25 May 2018). GDPR: Why Privacy Is Now Stronger in EU Than U.S. Retrieved March 11, 2020 from https://fortune.com/2018/05/25/what-is-gdpr-compliance/
[51] Wikipedia. General Data Protection Regulation. Retrieved March 11, 2020 from https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
[52] IT Governance Ltd. The GDPR and NIS Directive Risk-Based Security Measures and Incident Notification Requirements. Retrieved March 11, 2020 from https://www.slideshare.net/ITGovernanceLtd/the-gdpr-and-nis-directive-riskbased-security-measures-and-incident-notification-requirements
[53] McGregor and Zylberberg (7 March 2018). Understanding the General Data Protection Regulation: A primer for global publishers. Retrieved 10 March 2019 from https://www.cjr.org/tow_center_reports/understanding-general-data-protection-regulation.php
2. Penalties
In the imposition of penalties under the GDPR, Member States are empowered
to:
1. Lay down rules on other penalties applicable to infringements of the
   Regulation, in particular for infringements which are not subject to
   administrative fines pursuant to Article 83;
2. Notify the Commission of the provisions of their law adopted by 25 May
   2018 and, without delay, of any subsequent amendment thereto;
3. Take all measures necessary to ensure that they are implemented;
4. Ensure that such penalties are effective, proportionate and dissuasive.54
The first tier can be subject to fines of up to €10 million (Php. 570
million) or, in the case of an undertaking, 2% of annual global turnover,
whichever is greater. This category includes infringements by the controller
or the processor of the provisions on:
1. Child's consent
2. Data protection by design and by default
3. The responsibilities of the Data Protection Officer
4. The obligations of organizations related to certification schemes
[54] Article 84, General Data Protection Regulation
[55] Article 83, General Data Protection Regulation
While the GDPR provides for data protection and breach fines, their
imposition is discretionary rather than mandatory. It also authorizes
supervisory authorities such as the UK's ICO (Information Commissioner's
Office) to take a range of other corrective actions, including:
1. Issuing warnings and reprimands;
2. Imposing a temporary or permanent ban on data processing;
3. Ordering the rectification, restriction or erasure of data; and
4. Suspending data transfers to third countries. 57
[56] McGregor and Zylberberg (7 March 2018). Understanding the General Data Protection Regulation: A primer for global publishers. Retrieved 10 March 2019 from https://www.cjr.org/tow_center_reports/understanding-general-data-protection-regulation.php
[57] IT Governance UK. GDPR Penalties and Fines. Retrieved 10 March 2019 from https://www.itgovernance.co.uk/dpa-and-gdpr-penalties
[58] Article 82, General Data Protection Regulation
3. Applications of GDPR
The GDPR is a fairly new regulation whose effects are being felt not only in
the European Union but around the globe. It is regarded as one of the
strongest, if not the strongest, data privacy laws in force anywhere in the
world. The GDPR has applied since 25 May 2018, and companies, especially in
the EU, are making the adjustments necessary to comply with it. It is said to
have 'teeth' because of its enforcement measures, and the best evidence of
those 'teeth' is found in actual cases.
[59] Sawers, P. (8 July 2019). British Airways faces record $230 million GDPR fine over data breach. VentureBeat. Accessed March 10, 2020, retrieved from https://venturebeat.com/2019/07/08/british-airways-faces-record-230-million-gdpr-fine-over-data-breach/
[60] BBC News (8 July 2019). British Airways faces record £183m fine for data breach. Accessed March 10, 2020, retrieved from https://www.bbc.com/news/business-48905907
[61] BBC News (7 September 2018). British Airways breach: How did hackers get in? Accessed March 10, 2020, retrieved from https://www.bbc.com/news/technology-45446529
[62] Poland UODO Decision ZSZZS.440.769.2018, 18 February 2020. Original text (in Polish): https://uodo.gov.pl/decyzje/ZSZZS.440.768.2018
[63] Sawers, P. (6 March 2020). Polish school hit with GDPR fine for using fingerprints to verify students' lunch payments. VentureBeat. Accessed March 10, 2020, retrieved from https://venturebeat.com/2020/03/06/polish-school-hit-with-gdpr-fine-for-using-fingerprints-to-verify-students-lunch-payments/
[64] European Data Protection Board (5 March 2020). Fine for processing student's fingerprints imposed on a school. Accessed March 10, 2020, retrieved from https://edpb.europa.eu/news/national-news/2020/fine-processing-students-fingerprints-imposed-school_en
[65] Another GDPR case was Sweden's first GDPR fine (€20,000), imposed on a school for conducting a pilot using facial recognition to keep track of students' attendance. European Data Protection Board. Accessed March 10, 2020, retrieved from https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_en
V. CONCLUSION
The GDPR, as extensively discussed, is an evolutionary response to the
pervasive effect of technology on the lives of global citizens. It was by no
means overnight legislation; it took years of unfortunate experience to craft
legislation this strong. The GDPR is an example of how legislation should
always be evolving and adaptive. This raises the question: why do we value
data privacy so much?
[66] Flaherty, D. H. (1991). On the Utility of Constitutional Rights to Privacy and Data Protection. 41 Case W. Res. L. Rev. 831. Available at https://scholarlycommons.law.case.edu/caselrev/vol41/iss3/14
[67] He Li, Lu Yu & Wu He (2019). The Impact of GDPR on Global Technology Development. Journal of Global Information Technology Management, 22:1, 1-6. DOI: 10.1080/1097198X.2019.1569186