Besides fines of up to either 10 million or 20 million euros, or more, regulators have another tool in their toolbox.
That tool is an order to cease all processing until the data protection commissioner is satisfied that the company is complying with the requirements of GDPR.
Article 51 of GDPR requires each country to have a Supervisory Authority (SA) responsible for enforcing the law, and Article 58 gives that SA a lot of powers, including the ability to impose a temporary or definitive limitation, including a ban, on processing.
While an authority is supposed to use this sanction appropriately, a temporary or permanent ban on processing, or even on some processing, could have a major impact on a company’s operations.
Cease processing orders have been used before. Ireland put one in place on the company Loyaltybuild after a breach in 2013. The order shut down the company from November 2013 through January 2014. The company spent 500,000 euros on security improvements in that time window, and the overall costs were far more than that. The company lost customers over the order and has not recovered since. In 2015, the company lost 9 million euros.
Whether the authorities use fines or cease processing orders more frequently is unknown, but you should consider the possibility. While fines may be appealed and could take years to be paid, a cease processing order could take effect immediately, similar to a temporary restraining order (TRO) or injunction, with appeals having to take place after the order is in effect.
Also remember that there are over 30 Supervisory Authorities and each one may have a different view on which tool is the best to use in a particular situation.
Source: IAPP.