GDPR Fines


Introduction


GDPR Fines and Penalties

There will be two levels of fines under the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

The Parliament had requested that fines reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached.

Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.

Further information


The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.

This includes infringements relating to:

  • Integrating data protection ‘by design and by default’
  • Records of processing activities
  • Cooperation with the supervising authority
  • Security of processing data
  • Notification of a personal data breach to the supervisory authority
  • Communication of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Prior consultation
  • Designation, position or tasks of the Data Protection Officer
  • Certification

The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.

This includes infringements relating to:

  • The basic principles for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

  • The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
  • Any relevant previous infringements by the controller or processor
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  • Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
  • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor commits several infringements in the same or linked processing operations, the total amount of the administrative fine will not exceed the amount specified for the most serious infringement.

Member States will also have the ability to apply penalties for infringements of the GDPR. Each Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.

Separate from these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of an infringement of the GDPR.
