Administrative Fines on Union Institutions, Bodies, Offices and Agencies
This specific provision addresses a distinct category of administrative fines applicable exclusively to Union institutions, bodies, offices and agencies, which differs from fines applicable to private actors and requires separate treatment to capture the unique institutional context and procedures.
Overview
Legal Framework
The legal basis for imposing administrative fines on Union institutions, bodies, offices, and agencies is established by Recital 23 of the AI Act, which explicitly subjects these entities to the Regulation when they act as providers or deployers of AI systems. The general enforcement principle, articulated in Recital 168, mandates that penalties for infringements must be effective, proportionate, and dissuasive, while respecting the ne bis in idem principle. However, the specific procedural and substantive rules for imposing such fines on Union institutions are not detailed in the provided AI Act recitals and would be governed by separate, specialized legal instruments applicable to the EU institutions themselves.
Practical Application
The application of administrative fines within the unique institutional context of the EU requires a distinct procedural framework from that used for private entities or Member States. While the substantive rules of the AI Act apply, the enforcement mechanism is internal to the EU's own administrative and judicial system. This reflects the principle that Union institutions are not subject to the enforcement powers of national supervisory authorities. Instead, compliance oversight and the imposition of any financial penalties would be managed by designated internal bodies, such as the European Data Protection Supervisor (EDPS) in the context of data protection, with potential parallels for AI governance. The process would involve internal investigations, a right to be heard, and appeals before the Court of Justice of the European Union.
Key Considerations
- Separate Enforcement Regime: Union institutions are subject to a dedicated internal enforcement procedure. Legal advisors must consult the specific regulations governing administrative procedures and penalties for EU institutions, not the national enforcement regimes of the AI Act.
- Procedural Safeguards: Any fine imposition process must adhere to the general principles of EU administrative law, including the rights of defense, the duty to state reasons, and the principle of proportionality, with ultimate judicial review by the EU Courts.
- Institutional Accountability: While the mechanism differs, the applicability of the AI Act's rules creates a direct compliance obligation for EU bodies. Internal legal services must implement governance structures to ensure AI systems used or developed by the institution meet the same regulatory standards as those imposed on external actors.
Laws (27)
Recital 179
Recital 22
Recital 23
Recital 59
Recital 149
Article 100
Administrative fines on Union institutions, bodies, offices and agencies
Recital 60
Recital 156
Recital 47
Recital 66
Recital 69
Recital 127
Recital 129
Recital 130
Article 34
General conditions for imposing administrative fines on essential and important entities
Recital 134
Recital 137
Recital 150
Recital 17
Case Law (6)
Deutsche Wohnen SE v Staatsanwaltschaft Berlin
C-807/21 (Deutsche Wohnen)
Fines can be imposed directly on legal persons without identifying a responsible natural person.
Österreichische Datenschutzbehörde v CRIF
C-487/21 (Österreichische Datenschutzbehörde)
Right of access includes obtaining a copy in commonly used electronic form.
UI v Österreichische Post AG
C-300/21 (Österreichische Post)
Right to compensation under GDPR Article 82 requires proof of actual damage.
Peter Nowak v Data Protection Commissioner
C-434/16 (Nowak)
Examination scripts constitute personal data of the candidate.
Patrick Breyer v Bundesrepublik Deutschland
C-582/14 (Breyer)
Dynamic IP addresses can be personal data when the holder can identify the person.
RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
Rynes
Personal data: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned. (¶ 22)
Guidance (12)
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Dutch version)
guidelines on calculating administrative fines
The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the method that supervisory authorities use to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine must be ...
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
Guidelines on the application of Article 60 GDPR
Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679
Guidelines on relevant and reasoned objection under Regulation 2016/679
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (Dutch version)
guidelines on privacy by design and default
Enforcement (2)
IDdesign A/S: Non-compliance with general data processing principles
€13,450 fine - Danish Data Protection Authority (Datatilsynet)
Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the
Taxa 4x35: Non-compliance with general data processing principles
€160,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an
News (4)
CNIL Proposes 60 Million Euros Fine Against French AdTech Company For Non-Compliance with GDPR
> The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. […] Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction.
GDPR Fines: A Graphic Calculation Guide – Part 1
> European supervisory authorities’ varying practices of calculating GDPR administrative fines can be viewed, on the one hand, as inconsistent and in conflict with the principle of uniform interpretation and application of the GDPR in general and uniform sanction for GDPR infringements in particular, as enshrined in GDPR recital 10, 11 and 13.
DeFine is a calculator for GDPR fines based on the method of the EDPB
> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).