Are you aware of how much GDPR fines can amount to? Here you will find information about the different penalties set out by the GDPR and the conditions that bind authorities when imposing a fine.

GDPR fines explained

Quoting the Cambridge Dictionary, a fine is “an amount of money that has to be paid as a punishment for not obeying a rule or law”, and that is no less true for GDPR fines. GDPR fines are amounts that must be paid when a provision of the General Data Protection Regulation (GDPR) has been violated.

And what is the amount? As established by the GDPR, failure to comply with the Regulation may be punished with a fine of up to 20,000,000 euros or up to 4% of the total worldwide annual turnover. However, these amounts only function as financial caps on the corrective powers of the supervisory authorities and, as of today, no authority has ever imposed a fine that high.

Furthermore, administrative fines are not the only resources that supervisory authorities have at their disposal; depending on the infringement, they may impose other penalties such as warnings or orders.

An infringement of the GDPR provisions may therefore end without the imposition of an administrative fine.

Types of penalties in the GDPR

In light of a breach of the GDPR, Article 58.2 empowers supervisory authorities to:

  1. issue warnings;
  2. issue reprimands;
  3. issue orders;
  4. withdraw a certification; and
  5. impose administrative fines.

A supervisory authority may issue a warning where it finds that intended processing operations are likely to infringe provisions of the GDPR.

In the event processing activities have already violated provisions of the GDPR, a data protection authority is entitled to issue a reprimand or an order, to impose administrative fines or, where applicable, to withdraw a certification.

Regarding orders, supervisory authorities are entitled to issue the following orders:

  1. to comply with data subjects’ rights requests;
  2. to bring processing operations into compliance with the provisions of the Regulation;
  3. to communicate a personal data breach to the data subject;
  4. to impose a temporary or definitive limitation including a ban on processing;
  5. to rectify or erase personal data or restrict processing, and to notify such actions to recipients;
  6. to order the certification body not to issue certification; and
  7. to suspend international data transfers.

Not all violations of the GDPR are punished with an administrative fine.

Depending on the nature of the infringement, a data protection authority may impose an administrative fine in addition to, or instead of, other sanctions.

General conditions for imposing GDPR fines

Depending on the amount fines can reach, they may be separated into two categories. On the one hand, fines which may go up to €10,000,000, or up to 2% of the total worldwide annual turnover when the offending party is an undertaking. On the other hand, fines which may go up to €20,000,000, or up to 4% of the total worldwide annual turnover when the offending party is an undertaking.

Regardless of the above distinction, these amounts work as financial caps on the sanctioning powers of the supervisory authority. A fine for a breach of the GDPR should never exceed these limits.

This leaves the data protection authority with a broad margin within which to measure and set the amount of a fine. Hence, Article 83 of the GDPR establishes that, when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

Summary table of GDPR violation fines

GDPR FINES OF ARTICLE 83.4

Undertakings:

  • Up to €10,000,000 or,
  • up to 2% of the total worldwide annual turnover,
  • whichever is higher.

Non-undertakings:

  • Fines up to €10,000,000.

Articles breached:

  • 8, 11, 25 to 39, 41.4, 42 and 43.

Controller and processor obligations:

  • children’s consent;
  • processing which does not require identification;
  • data protection by design and by default;
  • joint controllers;
  • appointment of a representative;
  • engagement of processors;
  • records of processing activities;
  • cooperation with data protection authorities (DPAs);
  • information security;
  • notification of data breaches;
  • DPIA;
  • DPOs; and
  • certification.

Obligations relating to certification bodies.

Obligations relating to DPAs.

GDPR FINES OF ARTICLE 83.5 AND 83.6

Undertakings:

  • Up to €20,000,000 or,
  • up to 4% of the total worldwide annual turnover,
  • whichever is higher.

Non-undertakings:

  • Fines up to €20,000,000.

Articles breached:

  • 5, 6, 7, 9, 12 to 22, 44 to 49, 58.1, 58.2 and 85 to 91.

Subjects regulated by these provisions:

  • principles relating to processing of personal data;
  • lawfulness of the processing;
  • consent;
  • data subject rights;
  • international data transfers;
  • local law provisions expanding on the processing of GDPR Chapter IX:
      – freedom of expression and information;
      – public access to official documents;
      – national identification number;
      – employment;
      – archiving purposes in the public interest;
      – scientific or historical research;
      – statistical purposes;
      – obligations of secrecy; and
      – churches and religious associations.
  • failure to comply with the DPA’s investigatory and corrective powers.

GDPR penalties on public authorities and bodies

When addressing infringements of the GDPR by private organisations, data protection authorities are entitled to use their corrective powers and impose the sanction they deem most appropriate, within the limits of proportionality and observing the criteria set forth by Article 83.2, explained above.

However, what are the consequences when the offending party is a public authority or entity?

When the infringement is committed by a public authority or body, the GDPR sets out that data protection authorities may use their corrective powers and impose penalties such as orders, warnings or reprimands. However, when it comes to fines, the GDPR leaves the door open for EU Member States to legislate and establish whether it is possible to impose fines on public entities based in their territory.

This will certainly bring different regimes across Europe; there are states, such as Spain, which have opted not to allow supervisory authorities to impose GDPR fines on public authorities or entities.

In that regard, Article 77 of the Spanish Data Protection Act (LOPDGDD) sets out that infringements of a data protection provision which are committed by the following entities shall be punished with a reprimand:

  1. Constitutional bodies or bodies with constitutional relevance, and analogous institutions of the autonomous communities.
  2. Jurisdictional bodies.
  3. Central State Administration, Administration of autonomous communities and entities that form the Local Administration.
  4. Public bodies and bodies governed by public law which are linked or dependent on Public Administrations.
  5. Independent administrative authorities.
  6. The Bank of Spain.
  7. Public corporate bodies when the purposes of the processing are related to the exercise of their public law powers.
  8. Public sector foundations.
  9. The Public Universities.
  10. Consortiums.
  11. Parliamentary groups of the Cortes Generales and the Autonomous Legislative Assemblies, as well as political groups of Local Corporations.

GDPR fines FAQ

GDPR fines may reach up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year for an infringement of provisions 5, 6, 7, 9, 12 to 22, 44 to 49, 58.1, 58.2 and 85 to 91.

These provisions regulate the following subjects:

  • Principles relating to processing of personal data.
  • Lawfulness of the processing.
  • Consent.
  • Data subject rights.
  • International data transfers.
  • Member State law provisions which expand on the processing set out by GDPR Chapter IX, which includes: freedom of expression and information; public access to official documents; national identification number; employment; archiving purposes in the public interest; scientific or historical research; statistical purposes; obligations of secrecy; and churches and religious associations.
  • Failure to comply with the DPA’s investigatory and corrective powers.

US companies are exposed to the same fines as companies established on European soil. Therefore, a breach of the GDPR by a US corporation may be punished with administrative fines of up to 20,000,000 euros or up to 4% of the total worldwide annual turnover, whichever is higher, depending on the infringement and the context of the offence.

However, a US company may only be fined when the GDPR applies to a specific processing operation and the company fails to comply with its obligations under the European law.

GDPR fines consider the total worldwide annual turnover of the preceding financial year.

Generally speaking, data processors are exposed to the same fines as controllers, which means that, for breaching provisions 8, 11, and 25 to 39 of the Regulation, processors may be subject to fines of up to 10,000,000 euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

On the other hand, when violating provisions 5, 6, 7, 9, 12 to 22, 44 to 49, 58.1, 58.2 and 85 to 91, the infringement may be sanctioned with a fine up to 20,000,000 euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

However, some responsibilities rest only with controllers, and therefore processors cannot be fined by a supervisory authority for their breach, without prejudice to contractual liability. For instance, processors are not responsible for communicating data breaches to supervisory authorities or to data subjects, nor are they responsible for handling data subject requests.

Failure to comply with the GDPR may make the non-compliant party subject to fines which are capped depending on the provision violated.

Thus, non-compliance of provisions 8, 11, 25 to 39, 41.4, 42 and 43 entitles supervisory authorities to issue a fine up to 10,000,000 euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Conversely, a violation of provisions 5, 6, 7, 9, 12 to 22, 44 to 49, 58.1, 58.2 and 85 to 91 entitles supervisory authorities to issue a fine up to 20,000,000 euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The GDPR does not have any special provision regarding small businesses; therefore they are equally exposed to the same fines as big companies. However, supervisory authorities are required to consider the nature, duration and gravity of the infringement, the number of data subjects affected and their loss, together with several other factors which may be expanded by local law and which aim to bring proportionality, effectiveness and deterrence to the corrective powers of supervisory authorities.

The GDPR does not have any special provision regarding individuals; therefore they are equally exposed to the same fines as big or small businesses. However, supervisory authorities are required to consider the nature, duration and gravity of the infringement, the number of data subjects affected and their loss, together with several other factors which may be expanded by local law and which aim to bring proportionality, effectiveness and deterrence to the corrective powers of supervisory authorities.

Failure to notify a data breach is an infringement of Articles 33 and 34 and therefore may be punished with administrative fines of up to 10,000,000 euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
