1 Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. 2 Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. 3 However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
This recital of the General Data Protection Regulation clarifies article 84 GDPR (Penalties).*