• PART VII Fines and Remedies

    • 54. Directions

      (1) If the Commissioner of Data Protection is satisfied, after duly conducting all reasonable and necessary inspections and investigations, that a Controller or Processor has contravened or is contravening these Regulations or any rules made under these Regulations, the Commissioner of Data Protection may issue a direction requiring the Controller or Processor to do any of the measures referred to in sections 50(5)(a) to 50(5)(h) and section 50(5)(j) (a ‘Direction’).
      (2) A Direction issued under section 54(1) must contain:
      (a) a statement of the contravention of these Regulations or rules which the Commissioner of Data Protection is satisfied is being or has been committed; and
      (b) a statement to the effect that the Controller or Processor may refer the decision of the Commissioner of Data Protection to the Court for review.
      (3) A Direction issued under section 54(1) is enforceable, on the application of the Commissioner of Data Protection or any person authorised in writing by the Commissioner of Data Protection, by an injunction that can be imposed by the Court.
      (4) A Controller or Processor may ask the Commissioner of Data Protection to review the Direction within 21 days of receiving a Direction under this section. The Commissioner of Data Protection may receive further submissions and amend or discontinue the Direction.
      (5) If a Direction is amended or discontinued in accordance with section 54(4), the Commissioner of Data Protection must provide the Controller or Processor with reasons for the amendment or discontinuance.

    • 55. General conditions for imposing administrative fines

      (1) Where a Controller or Processor (i) does an act or thing that it is prohibited from doing; or (ii) omits to do an act or thing that it must do by or under:
      (a) any Direction issued by the Commissioner of Data Protection under section 54;
      (b) these Regulations; or
      (c) any rules made pursuant to these Regulations,
      the Commissioner of Data Protection, by written notice (a ‘Penalty Notice’) to the Controller or Processor, may impose a fine in respect of the contravention of such amount as the Commissioner of Data Protection determines to be appropriate, taking into account the factors in section 55(3). The amount determined by the Commissioner of Data Protection must not exceed USD 28 million.
      (2) Any fine imposed by the Commissioner of Data Protection under section 55(1) may, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in sections 50(5)(a) to 50(5)(h) and section 50(5)(j).
      (3) When deciding whether to impose a fine and deciding on the amount of the fine in each individual case, the Commissioner of Data Protection may consider the following factors:
      (a) the nature, gravity and duration of the contravention taking into account the nature scope or purpose of the Processing concerned as well as the number of Data Subjects affected, and the level of damage suffered by them;
      (b) the intentional or negligent character of the contravention;
      (c) any action taken by the Controller or Processor to mitigate the damage suffered by Data Subjects;
      (d) the degree of responsibility of the Controller or Processor taking into account technical and organisational measures implemented by them pursuant to sections 23 and 30;
      (e) any relevant previous contraventions of these Regulations or the Data Protection Regulations 2015 by the Controller or Processor;
      (f) degree of cooperation with the Commissioner of Data Protection, in order to remedy the contravention and mitigate its possible adverse effects;
      (g) the categories of Personal Data affected by the contravention;
      (h) the manner in which the contravention became known to the Commissioner of Data Protection, in particular whether, and if so to what extent, the Controller or Processor notified the Commissioner of Data Protection of the contravention;
      (i) where measures referred to in section 50(5) have previously been ordered against the Controller or Processor concerned in relation to the same subject-matter, compliance with those measures;
      (j) adherence to approved codes of conduct pursuant to section 38 or approved certification mechanisms pursuant to section 39; and
      (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the contravention.
      (4) Before giving a Controller or Processor a Penalty Notice the Commissioner of Data Protection must, by written notice (a ‘Notice of Intent’) inform the Controller or Processor that the Commissioner of Data Protection intends to give a Penalty Notice.
      (5) The Notice of Intent must set out:
      (a) the reasons why the Commissioner of Data Protection considers it appropriate to issue a Penalty Notice;
      (b) an indication of the amount of the penalty;
      (c) the period in which a Controller or Processor may make written representations about the Commissioner of Data Protection’s intention to issue a Penalty Notice (which must be at least 21 days from the date of the Notice of Intent); and
      (d) whether the Commissioner of Data Protection considers it appropriate for the person to have an opportunity to make oral representations about the Commissioner of Data Protection’s intention to issue a Penalty Notice.
      (6) If a Controller or Processor intentionally or negligently, for the same or linked Processing operations, contravenes several provisions of these Regulations, the total amount of the administrative fine must not exceed USD 28 million.
      (7) If, within the period specified in the Penalty Notice, the Controller or Processor (as applicable):
      (a) pays the fine specified in the Penalty Notice to the Commissioner of Data Protection, then no proceedings or action may be commenced, whether in the Court or otherwise, by the Commissioner of Data Protection against the Controller or Processor in respect of the relevant contravention, provided that neither the imposition nor payment of a fine restricts the Commissioner of Data Protection from taking any action against a Controller or Processor, or refrain from doing any act or thing, in respect of any continuing contravention;
      (b) has not paid the prescribed fine to the Commissioner of Data Protection, then the obligation of the Controller or Processor to pay the fine is enforceable as a debt payable to the Commissioner of Data Protection and the Commissioner of Data Protection may apply to the Court for the recovery of the debt, plus such interest, costs of enforcement (including legal costs) and other expenses directly arising from the failure to pay as the Court sees fit to order; or
      (c) has appealed to the Court in accordance with section 57, then the provisions of section 57 apply.

    • 56. Fixed penalty for non-payment of the Data Protection Fee or Renewal Fee

      (1) If a Controller fails to pay the Data Protection Fee or the Renewal Fee in accordance with section 24, the Commissioner of Data Protection may issue a monetary penalty, imposing a fine on the Controller of up to 150 per cent of the Data Protection Fee, or Renewal Fee, in addition to the Data Protection Fee, or Renewal Fee, as the case may be.
      (2) The amount of the penalty for a failure to pay the Data Protection Fee in accordance with section 24 must be specified by rules made by the Board.
      (3) If a Controller has not paid the prescribed fine under section 56(1) to the Commissioner of Data Protection within the period specified in the monetary penalty, then the obligation of the Controller to pay the fine is enforceable as a debt payable to the Commissioner of Data Protection and the Commissioner of Data Protection may apply to the Court for the recovery of the debt, plus such interest, costs of enforcement (including legal costs) and other expenses directly arising from the failure to pay as the Court sees fit to order.

    • 57. Right to lodge a complaint with the Commissioner of Data Protection

      (1) Without prejudice to any other administrative or judicial remedy, a Data Subject has the right to lodge a complaint with the Commissioner of Data Protection if the Data Subject considers that the Processing of Personal Data relating to him or her contravenes these Regulations.
      (2) Where multiple Data Subjects are affected by the same alleged contravention, they may raise such complaint collectively, including via a representative body. The Commissioner of Data Protection may choose to deal collectively with multiple allegations which relate to the same contravention, whether or not such allegations are brought collectively.
      (3) The Commissioner of Data Protection must assess the complaint and inform the complainant on the progress and the outcome of the complaint.
      (4) Upon completion of the assessment, the Commissioner of Data Protection may, as appropriate:
      (a) dismiss the complaint;
      (b) uphold the complaint and take further action including under sections 54 or 55; or
      (c) uphold the complaint and take no further action.

    • 58. Application to the Court

      (1) Notwithstanding any other administrative or non-judicial remedy:
      (a) a Controller or Processor in respect of whom a Penalty Notice or Direction is issued may refer the matter to the Court for review within three months of the Penalty Notice or Direction being issued;
      (b) a Controller, Processor or affected Data Subject who considers the Commissioner of Data Protection has failed to handle a complaint under section 57 in accordance with these Regulations may refer the matter to the Court for review within three months immediately following the date that the complaint was made.
      (2) The Court may make any orders that the Court may think just and appropriate in the circumstances, including remedies for damages, penalties or compensation, imposition of administrative fines and findings of fact in relation to whether or not these Regulations have been contravened.
      (3) Court Procedure Rules may make provision for any reference to the Court under this section.

    • 59. Rights against a Controller and/or Processor

      (1) Any person who has suffered material or non-material damage as a result of a contravention of these Regulations is entitled to compensation from the Controller or Processor for the damage suffered. Any compensation is in addition to, and will not limit, any fine imposed on the same Controller or Processor under section 55.
      (2) Any Controller involved in Processing is liable for the damage caused by Processing which contravenes these Regulations.
      (3) A Processor is liable for the damage caused by Processing only where it has not complied with obligations of these Regulations specifically directed to Processors or where it has acted outside or contrary to lawful instructions of the Controller.
      (4) A Controller or Processor is exempt from liability under section 59(2) and 59(3) if it proves that it is not in any way responsible for the event giving rise to the damage.
      (5) It is a defence to a claim brought under section 59(2) for the Controller or Processor to prove that it had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
      (6) Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same Processing and where they are responsible for any damage caused by Processing, each Controller or Processor will be held jointly and severally liable for the entire damage in order to ensure effective compensation of the Data Subject.
      (7) Where a Controller or Processor has, in accordance with section 59(6), paid full compensation for the damage suffered, that Controller or Processor is entitled to claim back from the other Controllers or Processors involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in section 59(2) and 59(3).
      (8) Proceedings for exercising the right to receive compensation must be brought before the Court.
      (9) A Data Subject may apply to the Court for an order that is binding on the Controller, or Processor, to take, or refrain from taking, specified steps in order to comply with these Regulations.