[drewbuschhorn]

Do I misunderstand this section: "Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation." That sounds like you can be sued by any subject on their whim?

[tluyben2]

That is not how the EU works, in the US i would be very afraid reading that, in the EU nothing will happen if you do not violate in a spectacular way, and that, after many warnings. They are after companies tracking you across real estate and selling relevant data from their vast silos to companies that can market stuff to you. They tried many ways already to prevent this kind of practice in some countries but loopholes were found so this is the hammer. As a small company, if you answer and act on actual user complaints, you have no worries no matter what the language. It is not in their interest to go for small offences. And if your story is reasonable, like OP, they will just let it go.

What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.

Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.

[Fellshard]

It is reasonable to assume overreach by governing bodies will occur; this is no less true for the EU than for any national government. The EU is no less likely to misuse that hammer, intentionally or not.

[dangerface]

"It is reasonable to assume overreach by governing bodies will occur"

No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.

[donkeyd]

Even then you probably won't. If it's an incident that happened despite of having taken the necessary precautions, you would probably get only a small fine or a warning.

[pgeorgi]

It's also reasonable to see what happened in the last 20+ years that there were DPAs already. I haven't seen overreach by them, did you?

[BigJ1211]

These laws have been in place since 2016, they are going to start enforcing them starting the 25th. If you actually read anything about it from the source, it's clear it's setup against data abusers. It's not aimed at small businesses. If you don't do anything with user data, you don't even have to do anything. Like in the case of the OP. Aside from that, the EU doesn't have a history of overreaching/abusing power such as this. If this was US legislation your worries would be justified.

[zerostar07]

Actually DPAs are national. So there is one for each state, not a "central" one for the whole EU.

[drewbuschhorn]

So we've gone from you can't, to you won't, to you almost certainly won't. I completely agree, I'm just saying the 1% possibility is something you have to live with.

[dominotw]

How do you know that a small company will only get warnings. I don't understand the source of your bravado. Perhaps it really is different from US.

[buckminster]

Because this will be enforced by the same people who enforce the existing regulations. We've had twenty years experience. We know how they operate.

[DanBC]

You do misunderstand it.

The regulator is the effective judicial remedy.

In the UK there's also a First Tier Tribunal and probably an upper tribunal. These are when the regulator has made an error in law.