10 April 2025

Now the Privacy Guarantor may sanction without being flexible

Starting on May 20th 2019, the Guarantor no longer has to "take into account" the novelty of the GDPR (General Data Protection Regulation) for the purposes of sanctioning.
As is known, art. 22 of Legislative Decree 101/2019 stated that the Privacy Guarantor, in applying the administrative sanctions provided for by the new European Regulation (GDPR), "would have taken into account" the fact that they were in their first phase of application.
A generic provision that nonetheless gave hope for as long as it lasted, that is, until May 20th this year, when the aforementioned rule ceased to have effect. The hope that companies placed in it was not misplaced, if it is true that the only sanction (amounting to 50,000 Euros) was imposed on the Rousseau Association for not having implemented adequate security measures after the political website it managed underwent a data breach in summer 2017.
But now the Guarantor is no longer obliged to be understanding and can impose the sanctions provided for by the GDPR with the wide discretion that the generic provisions of that regulation allow. Suffice it to say that the GDPR sets only the maximum amount of the fines, indicated as €