European Commercial Email Laws

Country

 

Law; Relevant Section(s)

 

Civil Remedies/Remedies for Injured Data Subjects

 

Criminal Penalties

 

Administrative Penalties

 

1)Austria

 

Federal Act Concerning the Protection of Personal Data (Datenschutzgesetz 2000-DSG 2000); Secs. 33, 51, 52

http://www.dsb.gv.at/DocView.axd?CobId=41936

 

Explicit provisions for civil damages and indemnification (requiring a showing of cause)

 

 

Up to 1 year in jail (prosecution contingent upon injured party's authorization)

 

• Fine up to €18,890 for intentional violation.
• Fine up to €9,445 for violation resulting from gross negligence/failure to meet notification obligations/failure to obtain required permit
• Attempts are punishable
• Media/programs linked to administrative violation can be confiscated

 

2)Belgium

 

Belgian Law of 8 December 1992 on Privacy Protection in Relation to the Processing of Personal Data as Modified by the Law of 11 December 1998; Secs. 38-42

 

 

Violator is civilly liable for fines incurred by its appointee or agent.

 

•Fine between 100 to 100,000 francs for different types of violation* (though law does not specify an amount applicable to each type--apparently there is discretion for Commission hearing the case)

•Confiscation of data/means of transmitting the data upon conviction

•Publication of judgment against violator in one or more newspapers

NOTE: law does not specify if these provisions are criminal or administrative in nature

 

3)Bulgaria

 

Law for Protection of the Personal Data; Articles 39(2) (amended 2006), 42-42a

http://ec.europa.eu/justice/policies/privacy/docs/implementation/bg_data_protection_law_en.pdf

 

Data subject entitled to compensation for damages resulting from violation

 

•Fine or property sanction between 10,000-100,000 Bulgarian lev for violation involving data possessed lawfully and in good faith OR processing certain types of information (esp. racial, political, health)
•Fine or property sanction between 2,000 to 20,000 Bulgarian lev for failing to identify data administrator to data subject, where information is received from a third party
NOTE: these penalties are apparently both administrative and criminal (Articles are entitled "Administrative Penal Provisions")

 

 

4)Croatia

 

The Act on Personal Data Protection; Articles 25, 34, 36

http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.HR

 

Data subject entitled to compensation from violator's unauthorized use or unauthorized disclosure of personal data for use by third parties.

 

• For violations where an individual at the data controlling entity exceeds his or her authority and improperly collects data, that individual may be subject to a separate fine between 10,000 to 20,000 Croatian kuna
• Fine between 20,000 and 40,000 kuna for obstructing Agency/not keeping records/collecting too much data
NOTE: Agency may initiate criminal proceedings.


 

Agency may suspend data processing, order data to be corrected, prohibit transfer, etc.--and initiate criminal proceedings.

 

5)Cyprus

 

Consolidated Version of the Personal Data Protection Act 101 of April 4, 2000; Articles 21, 44, 45, 46

http://ec.europa.eu/justice/policies/privacy/docs/implementation/czech_republic_act_101_en.pdf

 

Joint and several liability to data subject for violations committed by both data controller and data processor

 

•Fine up to 100,000 Czech koruna for violation of provisions on data confidentiality
•Fine up to 1,000,000 Czech koruna for violation of other types of Law's provisions
•Fine up to 5,000,000 Czech koruna when such a violation of other provisions caused unauthorized interference in the lives of a substantial number of people OR relates to processing of sensitive data

 

• Office may revoke registration to process data, order data destroyed, etc.
• Administrative fine up to 100,000 Czech koruna for violation of the law
• Administrative fine up to 1,000,000 Czech koruna for violations that cause unauthorized interference in the lives of a substantial number of people OR relate to processing of sensitive data
NOTE: no administrative liability if individual in controller proves he or she took reasonable effort to prevent the violation
NOTE: 1-year statute of limitations
NOTE: fines collectable 30 days from imposition

 

6)Czech Republic

 

Act on Processing of Personal Data; Chs. 10(40), 16(58), 70

http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/

 

Data subject may request administrative remedies.  Violators to pay subject compensation for damages, unless they can show damages could not have been avoided by due diligence and care.

 

Unspecified fine or imprisonment up to 4 months.

 

Commission may order correction, or suspension of processing, or destruction of data collected illegally.

 

7)Denmark

 

Act on Processing of Personal Data; Chs. 10(40), 16(58), 70

http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/

 

Data subject may request administrative remedies.  Violators to pay subject compensation for damages, unless they can show damages could not have been avoided by due diligence and care.

 

Unspecified fine or imprisonment up to 4 months.

 

Commission may order correction, or suspension of processing, or destruction of data collected illegally.

 

8)Estonia

 

Personal Data Protection Act; Secs. 32, 33, 42

http://www.legaltext.ee/en/andmebaas/tekst.asp?loc=text&dok=X70030&keel=en&pg=1&ptyyp=RT&tyyp=X&query=data%2BprotectionLink

 

Data subject entitled to compensation for damages resulting from violation.  They may also make claims to the Data Protection Inspectorate.
NOTE: cases are handled under different national laws depending on whether they involve performance of some public duty vs. a private relationship

 

If violations amount to misdemeanor under national criminal law, then criminal sanctions may be imposed under that law.

 

 

•Inspectorate may order correction, or suspension of processing, or destruction of data collected illegally.
•For data controlling entities, fine up to "300 fine units." For individuals within those entities, fine up to 50,000 kroons

 

9)Finland

 

Personal Data Act (523/1999) (amended 2000); Secs. 46-48

http://www.finlex.fi/en/laki/kaannokset/1999/en19990523.pdf

 

Violator is liable for economic and non-economic damages to data subject that result from processing data in violation of Act.

 

•National penal code applies to more serious offenses, especially violating provisions re: data secrecy
•Fines may be imposed for other violations that are intentional or grossly negligent. Applied per national penal law, provided no more severe penalty applies.

 

Data Protection Ombudsman may threaten fine to ensure compliance with Board directives. Board may order correction, or suspension of processing, or destruction of data collected illegally.

 

10)France

 

Act No. 78-17 of 6 January 1978, on Information Technology, Data Files and Civil Liberties (amended by several recent Acts); Secs. 46-47

http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf

 

 

Criminal penalty for impeding actions of CNIL: 1 year imprisonment and €15,000 fine

 

•First violation: fine up to €150,000
•Second violation in 5 years: fine up to €300,000 (or 5% of legal entity's gross revenues in past year, up to €300,000)
•Injunction to stop processing
NOTE: administrative fines may be deducted from any fines imposed in criminal case

 

11)Germany

 

Federal Data Protection Act (BDSG); Secs. 8, 43-44

http://www.gesetze-im-internet.de/bdsg_1990/index.html

 

Explicitly provides for compensating data subject for damages, unless the controller exercised due care.

 

Up to 2 years imprisonment or a fine (amount unspecified), contingent upon a complaint being filed.

 

•Fine up to €50,000 for one of a group of less serious offenses
•Fine up to €300,000 for another group of offenses
NOTE: the statute provides that the fine should be greater than the violator's financial gain from the offense, so these amounts may be increased to make sure that is the result.

 

12)Greece

 

Law 2472/1997 On the Protection of Individuals with Regard to the Processing of Personal Data (as amended); Chapter E, Articles 21-23

http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%202472-97-APRIL010-EN%20_2_.PDF

 

•Violators liable for all damages resulting from violation, including non-monetary damages
•Non-monetary damages amount is 2,000,000 drachmas, irrespective of monetary damages, unless plaintiff claims less or violation was the result of negligence.

 

•Failure to notify Authority: up to 3 years imprisonment and fine between 1,000,000-5,000,000 drachmas
•Keeping file w/o permission: up to 1 year imprisonment and fine between 1,000,000-5,000,000 drachmas
•Interconnection of data without notifying Authority: up to 3 years imprisonment and fine between 1,000,000-5,000,000 drachmas
•Other violations (including interfering, making accessible, etc.): at least 1 year imprisonment and fine between 1,000,000-10,000,000 drachmas unless more serious sanction applies.
•Failure to comply w/Authority decision: at least 2 years imprisonment and fine between 1,000,000-5,000,000 drachmas.
•Violation done to benefit violator or to harm another: up to 10 years imprisonment and fine between 2,000,000-10,000,000 drachmas
•Violation jeopardized democracy or national security: imprisonment of undefined period and fine between 5,000,000-10,000,000 drachmas
•Negligent violation: imprisonment for at least 3 months and fine (unspecified amount)
NOTE: representatives of legal entities/public authorities may be subject to these provisions, depending on their duties

 

•Fine between 300,000-50,000,000 drachmas (amount commensurate with gravity of offense)
•Requirement to cease activity
•Destruction of data

 

13)Hungary

 

Act CXII of 2011 on Informational Self-Determination and Freedom of Information

 

 

Data subject may request administrative remedies.

 

Criminal sanctions apparently available only if a crime has been committed under some other provision of Hungarian law, separate from this Act

 

Upon data subject's request, Data Authority may order fine of 100,000 to 10,000,000 Hungarian forint, publication of violation, rectifying violation, blocking data collection, notification, etc.

 

14)Ireland

 

 

Data Protection (amendment) Act 2003 (amending Data Protection Act 1988); Secs. 8 (amend. Sec. 6), 19 (amend. Sec. 31), 10

http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html

 

 

 

 

 

Data subject may request administrative remedies.

 

•Summary conviction punishable by fine up to €3,000
•Conviction by indictment punishable by fine up to €100,000
•Court may order data destroyed upon violator's conviction

 

Commissioner may require data to be supplemented, corrected, or erased

 

 

 

 

 

 

15)Italy

Italian Personal Data Protection Code; Secs. 15, 150-152, 161-172

http://www.privacy.it/privacycode-en.html

 

•Provision for damages (per Italy's Civil Code) and non-monetary damages resulting from violation of law.
•Legal costs to losing party.

 

•Between 6-18 months for some offenses in data processing; between 1-3 years for others. But both of these provisions allow for longer sentences if the offense is particularly serious.
•Between 6 months-3 years for untrue disclosure/notification to Garante, unless offense is more serious.
•Judgment of conviction will be publicized.

 

•Garante may order violator to cease activity and enter other remedies to enforce subject's rights
•Fine between €3,000-18,000 for violator providing inadequate information to data subject; between €5,000-30,000 if serious harm or harm to more than one subject results
•Fine between €5,000-30,000 for violation relating to termination of data processing/transferring to another data controller
•Fine between €500-3,000 for violation regarding health information
•Mandatory publication of judgment against violator.
•NOTE: Cases may be brought before a judge or the Garante alternatively, or in both simultaneously.

 

16)Latvia

 

Personal Data Protection Law; Articles 29(4)(6), 32

 

Data subject entitled to compensation for damages resulting from violation

 

None specified.

 

None specified, but Commission has the power to impose administrative penalties for violation, consistent with legal procedure

 

17)Lithuania

 

Law on Legal Protection of Personal Data (with amendments); Article 34

http://www.ada.lt/images/cms/File/pers.data.prot.law.pdf

 

Data subjects harmed by violation can get monetary and non-monetary damages, in the amount determined by the court.

 

State Data Protection Inspectorate only monitors compliance, and is NOT authorized to issue criminal or administrative sanctions.

 

 

18)Luxembourg

 

Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data (modified by later amendment); Articles 4(3), 5(2), 6(4), 7(5), 8(4), 10(4), 12(4), 14(6), 17(3), 18(5), 19(4), 25, 26(3), 27(4), 28(2) and (7), 29(6), 30(2), 32(11), 33, 39(5)

http://www.cnpd.public.lu/fr/legislation/droit-lux/doc_loi02082002_en.pdf

 

No explicit provision.

 

•Violations of rules on data security may result in prison term between 8 days to 6 months, and/or a fine between €251 to €125,000
•Violations of rules on providing information to data subjects/disclosing data/obtaining data/obstructing Commission may result in prison term between 8 days and 1 year, and/or fine between €251 to €125,000

 

 

Commission may order destruction of data, publication of violation in newspaper (following judicial determination only), and ban data operations

 

19)Malta

 

Data Protection Act; Part VIII, subparts 46 and 47

http://ec.europa.eu/justice/policies/privacy/docs/implementation/malta_en.pdf

 

By writ of summons in competent court, harmed data subject may sue violator for damages, subject to statute of limitations of 1 year from date when subject knew or should have known of the violation

 

Upon conviction, violations punishable by fines up to 10,000 liri and/or imprisonment up to 6 months

 

 

20)Netherlands

 

Act of 6 July 2000, Bulletin of Acts, Orders, and Decrees 302, Containing Rules Regarding the Protection of Personal Data (as amended by subsequent Acts); Articles 49, 50, 66, 72, 75

http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.NL

 

•Fair compensation for harm resulting from violation, including non-property damage (w/causation requirement)
•Court may order violator to stop/change conduct

 

•Fine (amount unspecified)
•No imprisonment for petty offenses; up to 6 months imprisonment for punishable offenses
NOTE: no criminal sanctions after Commission has entered an order for an administrative fine

 

Commission may order administrative fines up to 10,000 guilder, depending on seriousness of the violation.
NOTE: Commission's ability to impose fines ceases when criminal charges are brought for the violation.
NOTE: 5-year statute of limitation.

 

21)Poland

 

Act of August 29, 1997 on the Protection of Personal Data (amended); Articles 35, 49-54

http://ec.europa.eu/justice/policies/privacy/docs/implementation/poland_en.pdf

 

Data subject may request administrative remedies.

 

•Processing unauthorized data punishable by unspecified fine and/or imprisonment up to 2 years, OR up to 3 years if information is about race, religion, political, health, etc.
•Violation re: data storage punishable by unspecified fine and/or imprisonment up to 1 year
•Violation in disclosure of data punishable by unspecified fine and/or imprisonment up to 2 years for intentional, up to 1 year for unintentional
•Intentional or unintentional violation re: data security punishable by unspecified fine and/or imprisonment up to 1 year
•Failure to notify for registration OR failure to notify data subject punishable by unspecified fine and/or imprisonment up to 1 year
NOTE: law does not specify if these sanctions are criminal or administrative in nature.

 

 

22)Portugal

 

Act on the Protection of Personal Data; Articles 34, 38-41, 43-49

http://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM

 

Data subject entitled to compensation for damages resulting from violation, unless data controller can prove it was not responsible for the event causing damages.

 

•Violation involving not protecting data punishable by imprisonment up to 1 year or a "fine" up to 120 days.  Penalty increased to double the maximum if violation involves certain sensitive information.
•Violation involving undue access punishable by imprisonment up to 1 year or a "fine" up to 120 days
•Violation involving unauthorized destruction of personal data punishable by imprisonment up to 2 years or a "fine" up to 240 days, but the maximum is increased if the damage is particularly serious.  Negligence here punished criminally, by up to 1 year imprisonment or "fine" of up to 120 days.
•Violation involving breach of secrecy punishable by up to 2 years imprisonment or a "fine" up to 240 days. This penalty maximum is increased by half if violator is a civil servant, acts w/intent to gain unlawfully, or adversely affects another's reputation.
NOTE: law provides that where a violation constitutes both a crime and an administrative offense, it shall be punished as a crime.
NOTE: criminal liability explicitly made available for attempts

 

•Negligent violation of notification requirements, failure to comply when Commission has ordered persons not to have access, punishable by fine between 50,000 to 500,000 Portuguese Euro for individuals; between 300,000 to 3,000,000 for non-legal entities
•Failure to comply with other provisions of Act punishable by fine between 100,000 to 1,000,000 Portuguese Euro
•Commission may order destruction, modification, or blocking of data. 
•Commission may order publication of violation in newspaper.
NOTE: negligence is always punished as an administrative offense, not a criminal one

 

23)Romania

 

Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data; Articles 18, 31-35

http://ec.europa.eu/justice/policies/privacy/docs/implementation/ro_law_677_2001_en_unofficial.pdf

 

Data subject entitled to compensation for "prejudice suffered" from the violation

 

Apparently, actions constituting crimes under national criminal law are separately punished under those provisions. The supervising authority determines what are "minor offenses" to be punished by administrative fines rather than criminal sanctions.

 

•Failure to notify punishable by fine between 5,000,000 and 100,000,000 Romanian lei
•Illegal processing of data punishable by fine between 10,000,000 to 250,000,000 lei
•Violation involving breach of confidentiality requirements punishable by fine between 15,000,000 to 500,000,000 lei
•Refusal to supply information punishable by fine between 10,000,000 to 150,000,000 lei

NOTE: these offenses are classified as administrative because each differentiates with language saying that offenses falling short of a criminal offense are punishable by fine in amount given

 

24)Slovakia

 

Act No. 428/2002 on the Protection of Personal Data (amended); Secs. 44a, 46, 48

http://ec.europa.eu/justice/policies/privacy/docs/implementation/slovakia_428_02_en.pdf

 

Data subject may request administrative remedies.

 

 

•For most violations, Office may impose fines between 50,000 to 10,000,000 Slovak koruna
•For violations involving destruction of personal data, failure to provide audit, failure to give notice, or violation involving unlawful transfer of data, Office may impose fines between 50,000 to 5,000,000 koruna
•For violations involving registration and authorization and obstructing officials, Office may impose fines between 30,000 to 3,000,000 koruna
•For violations involving failure to notify or satisfy data subject's requests or to keep adequate records, Office may impose fines between 10,000 to 1,000,000 koruna
•For violations involving provision of data to a third party or the obligation of secrecy, Office may impose fines up to 100,000 koruna
•Office may impose "disciplinary fines" for failure to cooperate with Office, up to 2,000,00 koruna depending on the situation--subject to 1-year statute of limitations
•Office may order correction, or suspension of processing, or destruction of data collected illegally; it may also publicize the violation
•Each party, and the Office, bears its own costs in administrative proceedings.
NOTE: 3-year statute of limitations for imposition of fines

 

25)Slovenia

 

Personal Data Protection Act of the Republic of Slovenia; Articles 32-33, 91-103

http://ec.europa.eu/justice/policies/privacy/docs/implementation/personal_data_protection_act_rs_2004.pdf

 

Data subject may request administrative remedies.

 

Fines between 50,000 and 3,000,000 Slovenian tolars for "minor offenses" that are broken up into detailed categories, with penalties stepped downwards based on who is being punished: the data controlling entity, responsible persons within that entity, and other individuals within that entity

 

National Supervisory Body may order correction, or suspension of processing, or destruction of data collected illegally. It may also publicize notice of violation. Data controller bears costs of administrative actions.

 

26)Spain

 

Organic Law 15/1999 of 13 December on the Protection of Personal Data; Articles 19, 45, 47, 49

https://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf

 

Explicitly provides that violators should compensate data subjects for damages to their possessions or rights resulting from their violation.
NOTE: distinguishes between data in public vs. private ownership (as to where/how damages claims should be heard)

 

 

•For a violation classified as "minor": fine between 100,000-10,000,000 ptas
•For a violation classified as "serious": fine between 10,000,000-50,000,000 ptas
•For a violation classified as "very serious": fine between 50,000,000-100,000,000 ptas and Data Protection Agency can require violator to terminate use of data
NOTE: statutes of limitation apply to each of these classes of violations

 

27)Sweden

 

Personal Data Act (1998: 204); Sec. 49

http://www.government.se/content/1/c6/01/55/42/b451922d.pdf

 

 

Negligent or intentional violations punishable by fine (unspecified amount) or imprisonment for a maximum of 6 months, or 2 years if the offense is grave, but no prison time for "petty" offenses.

 

 

28)United Kingdom

 

Data Protection Act 1998; Secs. 13, 55A-55B

http://www.legislation.gov.uk/ukpga/1998/29/contents

 

•Compensation for damages to data subjects resulting from violation
•Additional compensation for distress resulting from violation if subject suffers damage or the violation relates to processing personal data for special purposes
NOTE: no compensation for these damages if violator can show he took all reasonably required care to comply.

 

 

Commissioner may impose monetary penalty for intentional or reckless violations (after Commissioner gives notice of intent to penalize to violator)
NOTE: statute doesn't seem to include a maximum penalty amount, but sec. 55A says "prescribed amount," with "prescribed" meaning prescribed by regulations by Secretary of State.

 

Last revised in May, 2014 by Jane Bobet.