GDPR Fines & Penalties

Two fine tiers, prominent cases (Meta, Amazon, H&M), assessment criteria, and damages claims.

The GDPR introduced a fundamentally new sanctions regime. Articles 83 and 84 empower supervisory authorities to impose administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. These amounts are designed to be effective, proportionate, and dissuasive, ensuring that data protection violations carry real financial consequences.

Since the GDPR took effect in May 2018, supervisory authorities across Europe have imposed billions of euros in fines, demonstrating that enforcement is not merely theoretical.

Two Fine Tiers (Art. 83)

The GDPR establishes two tiers of administrative fines, depending on the nature of the violation:

Tier 1: Up to EUR 10 Million or 2% of Turnover

This tier applies to violations of obligations regarding:

  • Controller and processor obligations (Art. 8, 11, 25-39, 42-43)
  • Certification body obligations (Art. 42-43)
  • Monitoring body obligations (Art. 41(4))

This includes violations related to records of processing activities, technical and organisational measures, breach notification, DPIAs, and DPO designation.

Tier 2: Up to EUR 20 Million or 4% of Turnover

This higher tier applies to violations of:

  • Basic principles of processing, including conditions for consent (Art. 5, 6, 7, 9)
  • Data subject rights (Art. 12-22)
  • International data transfers (Art. 44-49)
  • Obligations under member state law adopted under Chapter IX
  • Non-compliance with an order by a supervisory authority

Fine Assessment Criteria (Art. 83(2))

Supervisory authorities consider the following factors when determining the amount of a fine:

  • Nature, gravity, and duration of the infringement
  • Intentional or negligent character
  • Actions taken to mitigate damage suffered by data subjects
  • Degree of responsibility considering technical and organisational measures implemented
  • Previous infringements by the controller or processor
  • Degree of cooperation with the supervisory authority
  • Categories of personal data affected
  • How the supervisory authority became aware of the infringement (self-reported or complaint)
  • Adherence to approved codes of conduct or certifications
  • Any other aggravating or mitigating factors, including financial benefits gained

Prominent Fine Cases

Selection of significant GDPR fines imposed by European supervisory authorities:

  Company               | Fine             | Reason                                                | Year
  Meta (Ireland)        | EUR 1.2 billion  | Unlawful transfers of EU data to the US               | 2023
  Amazon (Luxembourg)   | EUR 746 million  | Non-compliant processing for targeted advertising     | 2021
  Meta / Instagram      | EUR 405 million  | Processing of children's data                         | 2022
  Meta / WhatsApp       | EUR 225 million  | Transparency violations                               | 2021
  H&M (Germany)         | EUR 35.3 million | Unlawful surveillance of employees                    | 2020
  British Airways (UK)  | GBP 20 million   | Insufficient security measures leading to data breach | 2020

These cases demonstrate that enforcement is not limited to technology companies: organisations of all sizes and industries have been fined. SMEs typically face fines ranging from tens of thousands to low millions of euros.

Damages Claims (Art. 82)

Beyond administrative fines, Art. 82 gives data subjects the right to claim compensation for material and non-material damage resulting from a GDPR violation. This includes emotional distress, anxiety, and other non-financial harm. Courts across Europe have been increasingly willing to award damages, even in the absence of significant financial loss.

Class action-style mechanisms are available in several member states, allowing representative bodies to pursue claims on behalf of groups of data subjects.

Other Enforcement Measures

Fines are not the only tool available to supervisory authorities. Art. 58 grants them extensive corrective powers, including:

  • Issuing warnings and reprimands
  • Ordering compliance with data subject requests
  • Ordering the controller to bring processing operations into compliance
  • Imposing a temporary or definitive ban on processing
  • Ordering rectification, restriction, or erasure of data
  • Suspending data flows to third countries

A processing ban can be far more damaging than a fine: it may force an organisation to halt core business operations until compliance is restored.

Reduce Your Risk of Fines

Proactive compliance is the most effective risk mitigation strategy. Kopexa helps you identify gaps, implement controls, and maintain audit-ready documentation. Get started with our GDPR Checklist or explore the complete requirements overview.
