Page 23 - Quarterly Q1-Q2 2018

TAGS: GDPR, Data Protection, Government Bill, Sanctions

Who Can Impose the Sanctions, and on Whom?
According to the GDPR, the imposition of administrative fines and other penalties should be subject to appropriate procedural safeguards, including effective judicial protection and due process. The Working Group (“TATTI”), appointed by the Ministry of Justice, proposed in its report that the administrative fines would be imposed by a new sanctions board. However, this well-founded approach did not make its way into the Government Bill. Rather, the power is in the hands of the Data Protection Ombudsman. Giving such sanctioning power to a single authority, albeit the main data protection authority, would be somewhat exceptional in Finland, as Jukka Lång pointed out to the Parliament’s Legal Affairs Committee. The Committee for Constitutional Law pointed out that such sanctioning power does not comply with the Constitution. At the time of writing this article, the Committee for Constitutional Law is preparing a second statement, as requested by the Administration Committee. It is, therefore, possible that the Data Protection Ombudsman will not, after all, get the sole sanctioning power.
As significant as the question of who should impose the sanctions is the question of whom they may be imposed on. The GDPR gives the Member States the right to decide whether, and to what extent, the sanctions may be imposed on public authorities and bodies.
The matter is not simple, and even the members of the TATTI working group were unable to reach a consensus. According to the Government Bill, the sanctions will not be imposed on public authorities and bodies.
It is fair to say that public and private bodies are not in the same competitive position, as the latter have a significantly higher risk of sanctions. It is also not certain that appropriate procedural safeguards apply, and that effective judicial procedure will be in place, when public bodies are sanctioned by means of sanctioning the natural persons in charge.
In the big picture, however, the derogations are ultimately minor. The European data protection regime will be significantly harmonised and has already helped many global organisations unify their data processing practices.
Jukka Lång
Partner, Head of Data Protection, Marketing & Consumers
Tuomas Haavikko
Associate

















































































