So, what are the data protection authorities allowed to do? Well, their reach is indeed long. They can:
- Perform audits. Controllers and processors are required to give authorities access to all premises, equipment, data, and any information regarding the processing the auditors require.
- Issue warnings. Perhaps the lightest form of sanction.
- Issue reprimands, and order companies to bring their processing into compliance within a specified period.
- Impose limitations or bans. They can order you to restrict your processing or to stop it entirely, which in practice can mean switching the whole system off.
- Issue fines of up to 4% of total worldwide annual turnover for the preceding financial year, or 20,000,000 EUR, whichever is higher.
- Require compensation from the controller or processor, covering any damages, including indirect damages, unless the controller ...