Another half is contradictions between the GDPR and the legislation of national Supervisory Authorities, and this is in no way easy to overcome.
Truly, it is difficult to expect that ALL member states will apply GDRP consistently if an agreement within ONE member state seems very far from being reached.
Germany has recently become an example of how Act on Regulatory Offences contradicts to GDPR, while opinion of the District Court of Berlin (‘Court’) contradicts to that of Conference of German SAs (‘Conference’), with stumbling block being whether Article 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as GDPR says) or there have to be evidences of a specific act by management or legal representatives that led to the offence (as the German Act says)?
Court opined that German Act on Regulatory Offences shall apply, and this is in clear contradiction with GDPR and the position of Conference. What is especially important here is that it is all about fines, which is often the strongest ‘motivation’ to comply (let’s be realistic).
Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beuatiful mess 🙂
I do wonder if there will be a trend to move main processing activities to the country (one-stop-shop) which is the most lenient when it comes to handing out fines.
Very possible 🙂 More and more DPAs are openly issuing their “fining policies”, so I think there will be a possibility to compare and choose 😉