National authorities tasked with upholding data protection are empowered to impose significant fines for violations of the General Data Protection Regulation (GDPR). These financial penalties serve as a critical tool, either alongside or in place of other corrective measures, to ensure compliance. These measures can range from orders to cease violations and mandates to adjust data processing practices, to temporary or permanent bans on data processing activities. Processors, acting on behalf of controllers, can also face sanctions, either directly or in conjunction with the controller, highlighting the shared responsibility in data protection.
The cornerstone of GDPR fines is that they must be effective, proportionate, and dissuasive, tailored to the specifics of each case. To determine the appropriateness and magnitude of a penalty, authorities must consider a statutory catalogue of criteria. Factors that can amplify fines include intentional infringement, failure to mitigate damages, or lack of cooperation with supervisory bodies.
For the most severe breaches of GDPR, as outlined in Article 83(5), the financial repercussions can be substantial, reaching up to 20 million euros. To put this figure into perspective for a US audience, 20 million euros is approximately equivalent to 21 million US dollars (as of late 2023, and this can fluctuate with exchange rates). For undertakings, or businesses, the fine can escalate even further, reaching up to 4% of their total global turnover from the preceding fiscal year, whichever amount is higher. This dual calculation ensures that both large multinational corporations and smaller businesses face penalties that are appropriately impactful.
Even violations categorized as less severe under Article 83(4) of the GDPR can still result in considerable fines, up to 10 million euros, or 2% of the company’s total global turnover, again, whichever is greater. It’s crucial to note the GDPR’s definition of “undertaking,” which aligns with that used in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). European Court of Justice case law clarifies that an “undertaking” encompasses any entity engaged in economic activity, irrespective of its legal structure or funding model. This broad definition means an undertaking isn’t limited to a single legal entity but can include groups of companies or even individuals acting in concert. Therefore, a parent company could be held accountable for the GDPR infringements of a subsidiary, with the fine calculated based on the entire group’s global turnover.
Furthermore, individual EU Member States are required to establish additional rules for penalties for GDPR infringements not already covered under Article 83. These often include criminal penalties for specific violations or penalties for breaches of national regulations enacted using GDPR flexibility clauses. These national penalties, like GDPR fines, must also be effective, proportionate, and serve as a deterrent.
How are potential GDPR violations discovered? They can come to light through various channels, including proactive inspections by data protection authorities, complaints from dissatisfied employees or customers, self-reporting by companies, or investigative journalism by the press.
For those seeking to understand the real-world application of GDPR fines, resources like the Enforcement Tracker offer a valuable overview of reported fines and penalties imposed by EU data protection authorities.
Suitable GDPR Articles:
Art. 58 GDPR Powers
Art. 70 GDPR Tasks of the Board
Art. 83 GDPR General conditions for imposing administrative fines
Art. 84 GDPR Penalties
Suitable Recitals:
(148) Penalties
(149) Penalties for Infringements of National Rules
(150) Administrative Fines
(151) Administrative Fines in Denmark and Estonia
(152) Power of Sanction of the Member States