The position is that Article 83 of the General Data Protection Regulation provides for the possible imposition of administrative fines on data controllers in cases in which its provisions have been infringed. Paragraph 7 of that Article provides that it is a matter for each Member State to decide whether, and to what extent, administrative fines may be imposed on public authorities and bodies. Section 136 of the Data Protection Bill 2018 provides that an administrative fine may be imposed on a data controller that is a public authority or body only where it is acting as an undertaking within the meaning of the Competition Act 2002.
The GDPR does not provide for exemptions from the administrative fine provisions for other categories of data controllers, such as health practitioners. A decision on whether or not to impose an administrative fine in respect of an individual case will be a matter for the
Data Protection Commission, having given due regard to the mitigating and aggravating factors set out in paragraph 2 of Article 83.