Genel Veri Koruma Tüzüğü İdari Para Cezaları Rejimi ve Etkiliği

Öz

GVKT, güçlü yaptırım olanakları ile desteklenen modern ve kapsamlı bir kişisel verilerin korunması rejimi düzenlemektedir. Avrupa Birliği’nde kişisel verilerin etkili bir şekilde korunmasını sağlamayı amaçlayan GVKT, ulusal veri koruma kurullarına, diğer düzeltici önlemler alma yetkisinin yanı sıra veri koruma kurallarının ihlali halinde önemli miktarlarda idari para cezası uygulama yetkisi vermektedir. İdari para cezalarının olası maksimum miktarı, AB yasa koyucusunun Tüzüğe tam uyum sağlanmasını amaçladığına işaret ederken, idari para cezalarına ilişkin temel ilkeler ile değerlendirme kriterleri dengeyi sağlamakta ve ilgili tarafları proaktif bir yaklaşım benimseyerek iş birliği yapmaya teşvik etmektedir. Bu nedenle GDPR yaptırım rejimi etkililiği, orantılılığı ve caydırıcılığı sağlamayı amaçlamaktadır. Şimdiye kadarki uygulama, yalnızca idari para cezalarına konu olan ihlallerin sayısında değil, aynı zamanda belirli ihlaller halinde uygulanan yüksek para cezalarında da kademeli bir artış olduğunu göstermiştir. Önümüzdeki yıllarda aşamalı olarak, GVKT’nin idari para cezalarına ilişkin kurallarının AB genelinde daha uyumlu, istikrarlı ve etkili bir şekilde uygulanacağı beklenmektedir.

Anahtar Kelimeler

• AVRUPA BİRLİĞİ
• GENEL VERİ KORUMA TÜZÜĞÜ
• YAPTIRIM
• İDARİ PARA CEZASI

The Administrative Fines Regime of the General Data Protection Regulation and Its Impact

Öz

The GDPR provides a modernised and comprehensive personal data protection regime backed by strong enforcement measures. Aiming to ensure effective protection of personal data in the European Union, the GDPR allows the national data protection authorities to impose massive administrative fines along with other corrective powers for infringements of data protection rules. While the possible maximum amount of fines implies that the EU legislator seeks for complete compliance with the Regulation, the principles and assessment criteria protect the balance and encourage the parties involved to adopt a pro-active approach and to cooperate. Therefore, the GDPR sanction regime aims at effectiveness, proportionality, and dissuasiveness. Its implementation so far demonstrates a gradual increase not only in the number of violations that have become subject to administrative fines but also in sky-high fines in specific cases. In the following years, it is expected that a high level of coherent, consistent, and effective application of the GDPR’s administrative fine regime throughout the EU will progressively be reached.

Anahtar Kelimeler

• EUROPEAN UNION
• GENERAL DATA PROTECTION REGULATION
• ENFORCEMENT
• ADMINISTRATIVE FINES

Kaynakça

1. Charter of Fundamental Rights of the European Union [2012] OJ C 326.
2. Consolidated Version of the Treaty on the Functioning of the European Union [2012] OJ C 326.
3. Case C-41/90 Kalus Höfner and Fritz Elser v Macrotron GmbH [1991] ECR I-01979.
4. Murray A, Information Technology Law (4th edn, Oxford University Press 2019).
5. Pila J and Torremans P, European Intellectual Property Law (2nd edn, Oxford University Press 2019).
6. Albrecht J P, ‘How the GDPR Will Change the World’ [2016] 2(3) EDPLR.
7. Data Protection Commission, ‘Annual Report’ [2019].
8. EU Agency for Fundamental Rights, Access to data protection remedies in EU Member States [2013].

9. EU Agency for Fundamental Rights, Handbook on European data protection law [2018].
10. Maxwell W and Gateau C, ‘A point for setting administrative fines under the GDPR’ [2019] 16 RJSP.
11. McLaughlin S, ‘Ireland: A Brief Overview of the Implementation of the GDPR’ [2018] 4(2) EDPL.
12. Nemitz P, ‘Fines under the GDPR’ [2017] CPDP Conference Book.
13. Purtova N, ‘The law of everything. Broad concept of personal data and future of EU data protection law’ [2018] 10(1) LIT.
14. Baines J, ‘Covid-19 and ICO’s proposed fines for BA and Marriott’ (Mishcon de Reya, 16 March 2020) .
15. Bodewits J and Blok B, ‘Dutch DPA Issues Record Fine for Violating GDPR Data Subject Rights’ (Lexology, 7 July 2020)
16. Council of Europe Directorate General Human Rights and Rule of Law, ‘Data Protection Convention 108’ (20 January 2020)
17. DLA Piper, ‘GDPR data breach survey: January 2020’ (20 January 2020) 4 .
18. European Commission, ‘Commission fines Google €1.49 billion for abusive practices in online advertising’ (20 March 2019).
19. European Data Protection Board, ‘Irish Data Protection Commission announces decision in Twitter inquiry’ (15 December 2020).
20. European Data Protection Board, ‘Marketing: The Italian SA Fines TIM EUR 27.8 Million’ (1 February 2020).
21. Hamburg DPA, ’35.3 million euros fine for data protection violations in the H&M service center’ (1 October 2020)
22. Horgan-Jones J, ‘Data commissioner starts investigations into Google and Tinder’ The Irish Times (4 February 2020)
23. Information Commissioner’s Office, ‘Intention to fine British Airways £183.39m under GDPR for data breach’ (08 July 2019).
24. International Association of Privacy Professionals, ‘GDPR One Year Anniversary – Infographic’ .
25. Kobie N, ‘Germany says GDPR could collapse as Ireland dallies on big fines’ (Wired, 27 April 2020) .
26. Lillington K, ‘Coronavirus: Contact tracing app raises privacy concerns’ The Irish Times (3 April 2020)
27. Monteiro A M, ‘First GDPR fine in Portugal issued against hospital for three violations’ (IAPP, 3 January 2019) .
28. Ram A and Khan M, ‘France fines Google €50m in test for EU’s new data laws’ (Financial Times, 21 January 2019
29. Ritzer C and Filkina N, ‘German Court cuts multimillion GDPR fine by 90%’ (the Data Protection Report, 17 November 2020)
30. Taylor C, ‘Data Protection Commission disappointed at budget allocation’ The Irish Times (9 October 2019)
31. Tinnefeld C and Hanssen H, ‘German Court Drastically Reduces GDPR Fine’ (Lexology, 17 November 2020)
32. Vinocur N, ‘One country blocks the world on data privacy’ (Politico, 24 April 2019) .
33. Vinocur N, ‘We have a huge problem: European regulator despairs over lack of enforcement’ (Politico, 27 December 2019)