SANCTIONS AND FINES IN CASES OF PERSONAL DATA BREACHES

August 28, 2025
The Law on Personal Data Protection is not a matter of choice or ethics, but a binding legal obligation that imposes direct responsibility and serious sanctions on any violator.
The Law has granted the Information and Privacy Agency (AIP) full powers to investigate, order corrective measures, and impose administrative fines against controllers and processors who fail to comply with their legal obligations.
Violations may result in significant financial consequences, reputational damage, and loss of client trust. Awareness of these measures is not only about avoiding penalties but also about building a sustainable and trustworthy data processing practice.
Powers of the AIP
The Agency, ex officio or based on a complaint, may conduct inspections and audits to oversee compliance with data protection rules. In doing so, the Agency:
- Supervises the lawfulness of personal data processing;
- Monitors the adequacy of procedures and measures undertaken to ensure the security of personal data in accordance with the law;
- Oversees and acts with regard to: records of processing activities; notification of data breaches; data protection impact assessments; data protection officers; codes of conduct; certification mechanisms; and records of disclosure of data to recipients.
It should be clear that during inspections, the Agency (its inspection officers) has the right to review and seize any documentation related to data processing, examine the content of filing systems, review and confiscate documentation regulating data security, inspect premises, and verify the measures and procedures intended to safeguard personal data.
Based on the inspection results, the Agency has the authority to:
- Order the rectification of irregularities and deficiencies identified during the inspection (which may include destruction, blocking, deletion, or anonymization of personal data);
- Temporarily prohibit data processing by controllers and processors in a specified manner;
- Temporarily prohibit the processing, anonymization, classification, and blocking of personal data in a specified manner;
  - Example: By Decision No. 148/2025 dated 30.06.2025, the Agency temporarily prohibited the processing of data through a video surveillance system and ordered the controller to destroy the data collected through the surveillance system.
- Temporarily prohibit the processing of personal data in other countries and international organizations, or their disclosure to recipients, if such transfers or disclosures are unlawful or in contradiction with international agreements;
- Order the fulfillment of data subject requests;
  - Example: By Decision No. 58/2025 dated 22.04.2025, the Agency upheld the complaint of a data subject and required the controller to stop the unlawful disclosure of personal data.
- Impose fines;
  - Example: By Decision No. 45/2025 dated 21.03.2025, the Agency imposed a fine of €25,000 on the controller for violating provisions on personal data security and ordered the implementation of necessary security measures.
- Issue warnings or written advice to the controller or processor in cases of minor violations.
  - Example: By Decision No. 253/2024 dated 04.11.2024, the Agency advised the controller to align video surveillance practices with the provisions of the Law on Personal Data Protection (LMDHP).
Administrative Fines
Although fines are not the only measures the Agency may impose on violators of the Law on Personal Data Protection (LMDHP), they are the most significant in terms of financial implications for controllers and processors.
The law establishes clear criteria to ensure fines are both effective and proportionate. When determining fines, the Agency must take into account:
- The nature, gravity, and duration of the infringement, considering the nature, scope, or purpose of the processing, as well as the number of data subjects affected and the level of damage caused;
- Whether the infringement was intentional or due to negligence;
- Measures taken by the controller or processor to mitigate the damage suffered;
- The degree of responsibility of the controller or processor, taking into account technical and organizational measures applied;
- Previous infringements by the controller or processor;
- The level of cooperation with the Agency;
- The categories of personal data affected; etc.
Fine Amounts
The LMDHP provides for fines of up to forty thousand euros (€40,000) for controllers or processors who:
- Process data unlawfully;
- Breach contractual processing provisions;
- Fail to ensure adequate protection of personal data;
- Process data through video surveillance in workplaces;
- Process biometric data in the public or private sector contrary to the law;
- Violate provisions regarding supervision by the data protection officer.
The LMDHP provides for fines of up to twelve thousand euros (€12,000) for controllers or processors who:
- Violate provisions on video surveillance in apartment buildings.
  - Example: By Decision No. 295/2024 dated 06.12.2024, the Agency upheld the complaint of the appellant and ordered the controller to stop processing personal data through video surveillance in shared premises.
The LMDHP provides for fines of up to ten thousand euros (€10,000) for controllers or processors who:
- Breach provisions on direct marketing;
  - Example: By Decision No. 223/2024 dated 18.09.2024, the Agency ordered the controller to stop processing personal data collected without the subject’s consent for direct marketing purposes.
- Breach general provisions on video surveillance;
  - Example: By Decision No. 305/2024 dated 23.12.2024, the Agency imposed a fine of €8,000 on the controller for breaching general provisions on video surveillance and ordered the removal of the surveillance system.
- Breach provisions on video surveillance related to access to official and business premises.
The LMDHP provides for fines of up to eight thousand euros (€8,000) for controllers or processors who:
- Violate provisions on recording building entry and exit data;
- Breach provisions on supervision by the data protection officer.
The LMDHP provides for fines of up to five thousand euros (€5,000) for controllers or processors who:
- Breach provisions on interconnection of filing systems.
Serious and Widespread Violations
If the Agency identifies a serious and widespread violation of personal data provisions, it may impose fines ranging from twenty thousand euros (€20,000) to forty thousand euros (€40,000).
For companies and enterprises, fines may reach between 2% and 4% of the total annual turnover of the preceding financial year, in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The Importance of Compliance
Compliance with the Law on Personal Data Protection should not be seen merely as a way to avoid fines. It is an investment in the organization’s reputation, the building of client trust, and the prevention of future legal problems.
Author: Valmir Haziraj