GDPR Fines

Introduction

GDPR Fines and PenaltiesThere will be two levels of fines based on the GDPR.  The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.  The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.  The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover.  The agreed fines are the compromise that was reached.

Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.

Further information

The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.

This includes infringements relating to:

  • Integrating data protection ‘by design and by default’
  • Records of processing activities
  • Cooperation with the supervising authority
  • Security of processing data
  • Notification of a personal data breach to the supervisory authority
  • Communication of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Prior consultation
  • Designation, position or tasks of the Data Protection Officer
  • Certification

The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.

This includes infringements relating to:

  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

  • The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
  • Any relevant previous infringements by the controller or processor
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  • Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
  • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.

Member States will also have the ability to apply penalties for infringements to the GDPR.  The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.

Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.

show all breach penalties

Breach Penalties

Thought of the Day: DPOs and the GDPR 0

When the General Data Protection Regulation comes into effect on May 25 this year, Data Protection Officers (DPOs) will be mandatory for certain organisations. This includes organisations where the core

Read More

Thought of the Day: How much could Facebook be fined? 0

Facebook told to stop tracking in Belgium

Facebook told to stop tracking in Belgium 0

Thought of the Day: Fined for appointing a Data Protection Officer? 1

Thought of the Day: What would a £400,000 fine be under the GDPR? 0

Google faces mass legal action in UK over data snooping 0

Uber concealed huge data breach

Uber concealed huge data breach 0

Hackers stole personal data of 57MILLION Uber customers and drivers – and the company ‘paid them $100,000 to delete the information and go away’ 0

How big or small will the first GDPR fine be? 0

British firms face £122bn in fines under GDPR regime 1

show all breach penalties
show all prevention

Prevention

NHS Trusts Failed Cyber Security Assessment 0

Every single one of the 200 British NHS trusts so far assessed for cyber security resilience has failed an onsite assessment, MPs on the Public Accounts Committee were told on

Read More

Data Protection 1

Revision of data protection rules On 27 April 2016, new laws on data protection, which will set out new European rules

GDPR – Processing Personal Data 1

Under both the Data Protection Act 1998 and the General Data Protection Regulation 2016 (“GDPR”) organisations must ensure there is

The AI Lock In Loop 0

Much more awareness is needed about the importance of making the right kind of ethical decisions in artificial intelligence, according

Business Cybersecurity Strategy 0

In the last decade there have been a growing number of cyber-attacks on business. A huge range of organisations and

GDPR – lawyer reveals latest changes that will affect property industry 0

The General Data Protection Regulation legislation coming into effect in the UK on May 25 has undergone some subtle changes

GDPR and cyber-security: An opportunity that cannot be ignored 0

Data controllers and processors are required to carefully think about the ways to effectively secure personal data and take all

The GDPR Advisory Board Offers Expert Advice 0

The GDPR Advisory Board launched on 7th December is an easily-accessible, authoritative platform for organisations baffled by the implications of

USA: FISA reauthorisation act seeks “proper balance” between individuals’ rights and security

USA: FISA reauthorisation act seeks “proper balance” between individuals’ rights and security 0

The U.S. President, Donald Trump, signed, on 19 January 2018, the bill for the Foreign Intelligence Surveillance Act (‘FISA’) Amendments

GDPR awareness warning triggers Government action 0

The UK Government is ratcheting up its campaign to get companies to wake up to GDPR on the back of

show all prevention