General conditions for imposing GDPR fines
Depending on the maximum amount a fine can reach, fines fall into two categories. The first category covers fines of up to €10,000,000, or up to 2% of the total worldwide annual turnover where the offending party is an undertaking. The second category covers fines of up to €20,000,000, or up to 4% of the total worldwide annual turnover where the offending party is an undertaking.
Regardless of this distinction, these amounts act as financial caps on the supervisory authority's power to impose sanctions; a fine for a breach of the GDPR should never exceed them.
This leaves the data protection authority with a wide range within which to assess and set the amount of a fine. Hence, Article 83 of the GDPR establishes that, when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.