Data protection is a critical concern for businesses operating in Europe and globally. The General Data Protection Regulation (GDPR) sets the standard for data protection and privacy within the European Union (EU) and the European Economic Area (EEA). Failure to comply with GDPR can lead to significant financial penalties: for the most serious infringements, fines can reach 20 million euros or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. This article breaks down how GDPR fines are assessed and what factors can influence the penalty your organization might face.
GDPR Fines: More Than Just a Slap on the Wrist
National data protection authorities have the power to impose fines for infringements of GDPR. These fines are not just symbolic; they are intended to be effective, proportionate, and dissuasive. This means they should be substantial enough to deter organizations from violating data protection rules and to serve as a real penalty for non-compliance.
Fines can be applied in addition to, or instead of, other corrective measures. Authorities can order companies to stop infringing activities, adjust data processing to comply with GDPR, or even impose temporary or permanent bans on data processing. For data processors (entities that process data on behalf of controllers), fines can be applied directly or in conjunction with the data controller.
How Are GDPR Fines Determined?
When deciding whether to impose a fine and determining its level, data protection authorities consider a range of criteria outlined in GDPR. These include:
- Nature, gravity, and duration of the infringement: How serious was the infringement, how long did it last, how many data subjects were affected, and what damage did they suffer?
- Intentional or negligent character of the infringement: Was the violation deliberate, or did it result from negligence?
- Actions taken to mitigate the damage: Did the company take steps to lessen the harm suffered by data subjects?
- Degree of responsibility of the controller or processor: What technical and organisational measures had been implemented under Articles 25 and 32 (data protection by design and by default, security of processing)?
- Degree of cooperation with the supervisory authority: How cooperative was the company with the data protection authority in remedying the infringement and mitigating its effects?
- Categories of personal data affected: What type of data was involved, and how sensitive was it (for example, special categories of data under Article 9)?
- Manner in which the infringement became known to the supervisory authority: Was the infringement self-reported, and to what extent, or was it discovered through other means?
- Adherence to approved codes of conduct or certification mechanisms: Did the company follow an approved code of conduct (Article 40) or hold an approved certification (Article 42)?
- Previous infringements: Has the company committed relevant GDPR violations before, and has it complied with measures previously ordered by the authority?
These factors help authorities assess the specific circumstances of each case and ensure the fine is appropriate. Aggravating factors, such as intentional infringement, failure to mitigate damage, or lack of cooperation, can lead to higher penalties.
The Scale of Fines: Two Tiers of Up to 10 Million or 20 Million Euros
GDPR sets two tiers of maximum fines depending on which provisions were infringed. For the most serious infringements, listed in Article 83(5), the maximum fine is 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers infringements of the basic principles for processing (including the conditions for consent), of data subjects' rights, and of the rules on international data transfers. Under Article 83(6), non-compliance with an order issued by a supervisory authority carries the same maximum.
The lower tier, set out in Article 83(4), still allows substantial fines: up to 10 million euros or, in the case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year, again whichever is higher. It covers infringements of the obligations of the controller and the processor (among them Article 32 on security of processing and Articles 33 and 34 on notifying personal data breaches), of the obligations of the certification body, and of the obligations of the monitoring body.
An overview of GDPR penalties and fines under Article 83.
What is an “Undertaking” and Why Does It Matter for Fines?
It’s crucial to understand the term “undertaking” in the context of GDPR fines. GDPR adopts the definition used in EU competition law. According to the European Court of Justice, an “undertaking” encompasses any entity engaged in economic activity, regardless of its legal status or how it’s financed.
This broad definition means that an undertaking is not limited to a single legal entity. In line with Recital 150 and Articles 101 and 102 TFEU, it can encompass a whole group of companies that forms a single economic unit, for example a parent company and its subsidiaries. Therefore, when calculating turnover-based fines, authorities can consider the total worldwide annual turnover of the entire undertaking, not just that of the individual company that committed the infringement. This can result in significantly larger fines for GDPR violations within large corporate groups.
Beyond Administrative Fines: Other Penalties
In addition to the administrative fines outlined in Article 83, GDPR also allows Member States to establish rules for other penalties for infringements not covered by Article 83. These can include criminal penalties for certain GDPR violations or penalties for breaches of national laws enacted under GDPR flexibility clauses. These national penalties must also be effective, proportionate, and dissuasive.
How GDPR Violations Come to Light
GDPR violations can be discovered in various ways:
- Proactive Inspections: Data protection authorities can conduct inspections to proactively check for compliance.
- Employee or Customer Complaints: Dissatisfied employees or customers can lodge complaints with data protection authorities.
- Self-Reporting: Companies may report infringements to the authorities themselves. In particular, a controller must notify the supervisory authority of a personal data breach that is likely to result in a risk to individuals without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); failing to do so is itself an infringement.
- Investigative Journalism and Press Reports: Media investigations can uncover and publicize potential violations.
The Enforcement Tracker provides a public database of reported GDPR fines and penalties imposed by data protection authorities across the EU, offering valuable insights into enforcement trends.
Staying Compliant and Avoiding Costly Fines
Understanding the potential financial impact of GDPR non-compliance, with fines reaching up to 20 million euros or 4% of worldwide annual turnover, is crucial for all organizations processing personal data. Proactive compliance measures, robust data protection and security practices, and a commitment to data privacy are essential to avoid these significant penalties and maintain customer trust.
Suitable GDPR Articles:
Art. 58 GDPR Powers
Art. 70 GDPR Tasks of the Board
Art. 83 GDPR General conditions for imposing administrative fines
Art. 84 GDPR Penalties
Suitable Recitals:
(148) Penalties
(149) Penalties for Infringements of National Rules
(150) Administrative Fines
(151) Administrative Fines in Denmark and Estonia
(152) Power of Sanction of the Member States