Two purposes of the GDPR are to provide effective remedies for ensuring extensive personal data rights and to change practices and policies of controllers and processors so that they become more aware of privacy protection. Article 58 GDPR lays down the investigative and corrective powers of the national supervisory authorities, such as issuing warnings or imposing new administrative fines. Article 79 GDPR states that every data subject whose rights according to the regulation have been infringed shall have access to an effective remedy. The two measures in focus here are those with the largest economic impact: Article 82 on damages and Article 83 on administrative fines. These articles target different areas and subjects – while the first has a compensatory purpose and is designed for use by individuals, the second has a preventive character and is implemented by Data Protection Authorities vis-á-vis controllers and processors. Considering these two profiles, an interesting question arises: Why are the provisions of Article 83 for imposing fines on companies and organisations so detailed, while the wording of Article 82 and hence the liability for controllers and processors is open to interpretation? What does this difference lead to in the application of the regulation, and more precisely, is it likely that the development in regards to administrative fines could spill over to the application of rules on damages?
Reichel, Jane and Chamberlain, Johanna, The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation (September 1, 2019). Faculty of Law, Stockholm University Research Paper No 72 (2019); Mississippi Law Journal, 2020.