Art. 24 Sanctions of the Directive 95/46 recital “The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.” did not gave any specific criteria to Member State to set up sanctions rules.
Currently some national implementing measures of Directive 95/46 foreseen higher fines for poor data protection measures in comparison of other kind of infringements.
Italian 196/2003 foreseen even imprisonment up to two years for art. 33 (minimal protection of personal data) violations in addition of fines up to 120.000 Euros. Meanwhile art. 13 (Information to be provided) violations are affected only by a fine up to 36.000 euros.
GDPR Article 83 “General conditions for imposing administrative fines states that” says that “administrative fines up to 10 000 000 EUR …… pursuant to Articles 8, 11, 25 to 39 and 42 and 43”. Art. 25 to 39 are focused on data protection.
On the other end “administrative fines up to 20 000 000 EUR …… the data subjects’ rights pursuant to Articles 12 to 22;”. CHAPTER III Rights of the data subject starts from art.12.
So poor handling of “Information to be provided” will cost Italian data controllers 550 times more.
In my humble opinion Italian data controllers should hurry up and focus more on Informtion to be provided: the information to be given are more detailed in art. 13 of GRDP.
sacrosanto. aggiungerei che mancano al GDPR le sanzioni penali, in quanto come è noto il diritto comunitario non può legiferare in materia penale. quindi dovranno provvedere gli stati membri. resta da chiedersi se prevarranno orientamenti comuni o andranno in ordine sparso. e cosa farà l’italia: manterrà sanzioni simili alle attuali, centrate sull’omissione delle misure, oppure ne varerà di nuove, coerenti con il nuovo orientamento?