The General Data Protection Regulation (GDPR) empowers national authorities to impose significant fines for data protection violations. These financial penalties serve not just as punishments, but as effective, proportionate, and dissuasive measures to ensure compliance. It’s critical to understand that these fines are applied in addition to, or in place of, other corrective actions, such as orders to halt violations or mandates to adjust data processing practices to align with GDPR standards. Authorities also possess the power to enforce temporary or permanent limitations, including outright bans on data processing activities. Processors are also directly accountable and can face sanctions independently or alongside controllers.
When determining whether to impose a fine and the appropriate level, authorities consult a statutory list of criteria. Factors that can increase penalties include intentional infringement, failure to mitigate damages, and lack of cooperation with regulatory bodies. For the most severe infringements, as detailed in Article 83(5) of the GDPR, the potential fine can reach a staggering 20 million euros, or for undertakings, up to 4% of their total global turnover from the preceding fiscal year, whichever amount is higher. Even for less severe violations, outlined in Article 83(4) GDPR, fines can still climb to 10 million euros, or 2% of the company’s global turnover, again, whichever is greater.
It’s particularly important to grasp the GDPR’s definition of “undertaking.” This term aligns with its use in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). European Court of Justice case law clarifies that an “undertaking” encompasses any entity engaged in economic activity, irrespective of its legal structure or funding model. Therefore, an undertaking isn’t limited to a single legal entity; it can encompass multiple individuals or corporate bodies. This means an entire group of companies can be considered a single undertaking, and its total worldwide annual turnover can be used as the basis for calculating a GDPR fine, even if only one company within the group commits the violation.

Beyond these administrative fines, each EU Member State is required to establish rules for other penalties for GDPR infringements not covered by Article 83. These typically include criminal penalties for certain GDPR violations or penalties for breaches of national rules enacted under GDPR flexibility clauses. These national penalties must also be effective, proportionate, and dissuasive.
How do companies get caught? A punishable situation can come to light through various avenues. Data protection authorities may conduct proactive inspections. Dissatisfied employees or customers can lodge complaints. Companies themselves might self-report violations. Investigative journalism and general press scrutiny also play a role in uncovering GDPR breaches.
For a comprehensive overview of reported fines and penalties imposed by EU data protection authorities, resources like the Enforcement Tracker provide valuable insights.
Relevant GDPR Articles
- Art. 58 GDPR Powers
- Art. 70 GDPR Tasks of the Board
- Art. 83 GDPR General conditions for imposing administrative fines
- Art. 84 GDPR Penalties
Relevant Recitals
- (148) Penalties
- (149) Penalties for Infringements of National Rules
- (150) Administrative Fines
- (151) Administrative Fines in Denmark and Estonia
- (152) Power of Sanction of the Member States