Skarp

Chapter 10 of 13

Enforcement, Remedies and Liability: How GDPR Bites

Step into the world of investigations, corrective orders and multimillion‑euro fines to see how supervisory authorities, courts and private claimants enforce GDPR in practice—and how those patterns surface on the exam.

15 min read

Step 1 – Who Enforces the GDPR, and Why It Matters for Exams

From Rules to Real Sanctions

This module shows how GDPR rules actually bite: investigations, corrective orders, fines and lawsuits, and how these appear in exam scenarios.

Why Enforcement Matters

You need to recognise supervisory authority powers, understand fines and criteria, know data subject remedies, and grasp controller/processor liability.

Enforcement Patterns

We will also connect cross‑border enforcement patterns and landmark decisions at a high level, without memorising specific case names or amounts.

Step 2 – Supervisory Authorities: Roles and Core Powers

Supervisory Authorities

Each EU/EEA country has an independent supervisory authority (SA) that monitors and enforces GDPR, supported by the EDPB for consistency.

Three Buckets of Powers

For exams, group SA powers into: monitoring/advisory, investigative (information, audits, access), and corrective (orders, bans, fines).

Recognising Powers in Scenarios

Requests for information or audits point to investigative powers. Orders, bans, or fines point to corrective powers under Article 58(2).

Step 3 – Example: From Complaint to Corrective Order

Complaint to Investigation

A Spanish data subject complains that an online retailer refused erasure. The Spanish SA opens an investigation and requests policies, procedures and logs.

Findings and Orders

The SA finds that the retailer had no proper erasure workflow and responded late. It orders erasure and fixes to the retention rules, issues a reprimand and imposes a fine.

Exam Takeaway

Map: complaint (Art. 77), info requests (investigative powers), orders to erase/change (corrective powers), and the fine (administrative sanction).

Step 4 – Administrative Fines: Tiers and Criteria

Two Fine Tiers

Lower tier: up to 10M EUR or 2% turnover, for organisational/procedural issues. Higher tier: up to 20M EUR or 4% turnover, for core principles and rights.

What SAs Weigh

SAs weigh the nature, gravity and duration of the infringement, intent versus negligence, mitigation taken, degree of responsibility, past infringements, cooperation with the SA, the categories of data affected, and how the infringement came to light.

Exam Skill

Given a scenario, identify the tier and list aggravating vs mitigating factors to explain whether a high or low fine is more likely.

Step 5 – Quick Check: Fines in Practice

Apply the fine tiers and criteria to a simple scenario.

A controller systematically tracks website visitors without valid consent or other legal basis, builds detailed profiles, and ignores several data subjects' objections. Which fine tier does this conduct most clearly fall into?

  A. Lower tier (up to 10M EUR / 2% turnover), because it is mainly about records and procedures
  B. Higher tier (up to 20M EUR / 4% turnover), because it concerns lawfulness and data subject rights
  C. No fine, only a warning, because the controller did not have a data breach

Answer: B) Higher tier (up to 20M EUR / 4% turnover), because it concerns lawfulness and data subject rights

This scenario concerns core principles: lack of legal basis (Article 6) and ignoring objections (Article 21). These fall in the higher fine tier under Article 83(5). A breach is not required for a fine.

Step 6 – Data Subject Remedies and Judicial Redress

Complaints to SAs

Under Article 77, data subjects can complain to an SA where they live, work, or where the infringement occurred. The SA must inform them of progress.

Courts vs SAs

Article 78: judicial remedy against SAs. Article 79: judicial remedy against controllers/processors. These are separate from SA complaints.

Compensation

Article 82 gives a right to compensation for material or non‑material damage from GDPR infringements. National law governs procedure and collective actions.

Step 7 – Thought Exercise: Choosing the Right Remedy

Imagine the following situations and decide which remedy path is most appropriate. There is often more than one correct option, but try to pick the most direct one first.

  1. Slow or no response to access request
  • A company ignores your access request for 3 months.
  • Options you could take:
    • A. Complain to the SA
    • B. Go directly to court against the company
    • C. Both A and B
  • Best starting point for most individuals: A (complain to the SA). The SA can order compliance and possibly fine the company. But B is also legally possible.
  2. You believe the SA is not doing anything
  • You filed a complaint 9 months ago, and the SA has not updated you.
  • Options:
    • A. File a new complaint with a different SA
    • B. Seek a judicial remedy against the SA
    • C. Do nothing
  • Correct remedy: B (judicial remedy under Article 78). Courts can review the SA's inaction or decision.
  3. You suffered financial loss from an unlawful disclosure
  • Your bank unlawfully disclosed your data, and you lost money due to fraud.
  • Options:
    • A. Complaint to SA only
    • B. Court action for compensation only
    • C. Both complaint and court action
  • Strong answer: C. A complaint to the SA may lead to corrective measures and fines; court action is needed to obtain your personal compensation.

When you read exam scenarios, always ask:

  • Is the question about fixing behaviour (orders, fines)? Then think SA.
  • Is it about personal redress (overturning decisions, compensation)? Then think courts.

Step 8 – Liability of Controllers and Processors

Who Is Liable?

Controllers and processors are liable for damage caused by GDPR infringements. Controllers oversee compliance; processors must follow GDPR and instructions.

Joint and Several Liability

If several actors are involved, each can be held liable for all the damage. This ensures the data subject can recover fully from any responsible party.

Right of Recourse

After paying compensation, a controller or processor can seek recourse from others based on their share of responsibility under Article 82(5).

Step 9 – Example: Controller–Processor Liability in a Breach

Breach Scenario

A retailer (controller) uses a cloud provider (processor). The processor misconfigures a database; the retailer failed to audit. Customers suffer identity theft.

External Liability

To data subjects, both controller and processor can be jointly and severally liable for the full damage caused by the GDPR infringement.

Internal Allocation

After paying, a party can seek recourse from the other based on their share of fault. Courts may split responsibility between poor security and poor oversight.

Step 10 – Cross-Border Enforcement and Big-Case Themes

One-Stop-Shop

For cross‑border processing, the SA of the controller's main establishment is the lead SA; others are concerned SAs and cooperate on decisions.

Consistency Mechanism

If SAs disagree, the EDPB can issue a binding decision under Article 65 to ensure consistent enforcement across the EEA.

Big Enforcement Themes

Patterns: weak legal bases, dark patterns in consent, transfer failures post‑Schrems II, poor security, and higher scrutiny for children/sensitive data.

Step 11 – Flashcard Review: Key Enforcement Concepts

Use these flashcards to reinforce the core ideas before you move on.

Three main buckets of SA powers
1) Monitoring/advisory tasks, 2) Investigative powers (information, audits, access), 3) Corrective powers (warnings, orders, bans, fines).
Lower vs higher fine tier (Article 83)
Lower: up to 10M EUR or 2% turnover for organisational/procedural infringements. Higher: up to 20M EUR or 4% turnover for core principles, rights, and transfers.
Article 77
Right of data subjects to lodge a complaint with a supervisory authority where they live, work, or where the infringement occurred.
Articles 78 and 79
78: Judicial remedy against decisions or inaction of SAs. 79: Judicial remedy against controllers or processors.
Article 82 – core idea
Right to compensation for material or non‑material damage caused by GDPR infringements; controllers and processors can be jointly and severally liable.
Joint and several liability
Any responsible controller or processor can be required to pay full compensation; they can later seek recourse from others based on fault.
Lead supervisory authority (LSA)
SA of the controller's or processor's main establishment in the EU for cross‑border processing; coordinates with concerned SAs.
Corrective powers examples
Warnings, reprimands, orders to comply with data subject requests, orders to erase or restrict data, bans on processing, suspension of data flows, fines.

Key Terms

One-stop-shop
GDPR mechanism where a lead supervisory authority oversees cross‑border processing cases, coordinating with concerned SAs.
Judicial remedy
Right to bring a case before a court, either against an SA (Article 78) or against a controller/processor (Article 79).
Corrective powers
Powers SAs use to remedy infringements, such as warnings, orders, bans on processing, suspension of data flows, and administrative fines.
Administrative fine
A financial penalty imposed by an SA under Article 83 GDPR, subject to maximum tiers and assessment criteria.
Investigative powers
Powers that allow SAs to gather information, conduct audits, and access premises and data to assess GDPR compliance.
Right to compensation
Right under Article 82 GDPR for individuals to obtain financial compensation for material or non‑material damage from GDPR infringements.
Right to lodge a complaint
Data subject right under Article 77 GDPR to complain to an SA about an alleged infringement of their data protection rights.
Supervisory Authority (SA)
An independent public authority in each EU/EEA Member State responsible for monitoring the application of the GDPR and enforcing it.
Joint and several liability
Legal concept where each of several responsible parties can be held liable for the entire damage, leaving them to sort out contributions among themselves.
Lead Supervisory Authority (LSA)
The SA of the controller's or processor's main establishment in the EU that takes the lead in cross‑border cases.
