GDPR Fines

Introduction

GDPR Fines and Penalties There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached.

Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.

Further information

The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.

This includes infringements relating to:

Integrating data protection ‘by design and by default’
Records of processing activities
Cooperation with the supervising authority
Security of processing data
Notification of a personal data breach to the supervisory authority
Communication of a personal data breach to the data subject
Data Protection Impact Assessment
Prior consultation
Designation, position or tasks of the Data Protection Officer
Certification

The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.

This includes infringements relating to:

The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
Rights of the data subject
Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
The intentional or negligent character of the infringement
Any action taken by the controller or processor to mitigate the damage suffered by data subjects
The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
Any relevant previous infringements by the controller or processor
The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
The categories of personal data affected by the infringement
The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.

Member States will also have the ability to apply penalties for infringements to the GDPR. The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.

Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.

show all breach penalties

Breach Penalties

Thought of the Day: DPOs and the GDPR 0

When the General Data Protection Regulation comes into effect on May 25 this year, Data Protection Officers (DPOs) will be mandatory for certain organisations. This includes organisations where the core

Facebook told to stop tracking in Belgium 0

Thought of the Day: Fined for appointing a Data Protection Officer? 1

Thought of the Day: What would a £400,000 fine be under the GDPR? 0

Google faces mass legal action in UK over data snooping 0

Uber concealed huge data breach 0

Hackers stole personal data of 57MILLION Uber customers and drivers – and the company ‘paid them $100,000 to delete the information and go away’ 0

How big or small will the first GDPR fine be? 0

British firms face £122bn in fines under GDPR regime 1

show all breach penalties

show all prevention

Cookie	Description
cookielawinfo-checkbox-analytics	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Analytics'.
cookielawinfo-checkbox-marketing	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Marketing'.
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Necessary'.
cookielawinfo-checkbox-performance	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Performance'.
cookielawinfo-checkbox-preferences	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
JSESSIONID	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
lidc	This cookie is set by LinkedIn and used for routing.
NID	This cookie is used to a profile based on user's interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
zfccn	Zoho CRM cookie - used by a number of organisations

Cookie	Description
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
pardot	The cookie is set when the visitor is logged in as a Pardot user.
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
__cfduid	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Description
ARRAffinity	Windows Azure Web Sites, by default, use an ARRAffinity cookie to ensure subsequent requests from a user are routed back to the web site instance that the user initially connected to. In other words, Windows Azure Web Sites assumes that a web site is not stateless
OptanonConsent	This cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the users browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

GDPR Questions? Call Us

GDPR Fines

Introduction

Further information

Breach Penalties

Thought of the Day: DPOs and the GDPR 0

Thought of the Day: How much could Facebook be fined? 1

Facebook told to stop tracking in Belgium 0

Thought of the Day: Fined for appointing a Data Protection Officer? 1

Thought of the Day: What would a £400,000 fine be under the GDPR? 0

Google faces mass legal action in UK over data snooping 0

Uber concealed huge data breach 0

Hackers stole personal data of 57MILLION Uber customers and drivers – and the company ‘paid them $100,000 to delete the information and go away’ 0

How big or small will the first GDPR fine be? 0

British firms face £122bn in fines under GDPR regime 1

Prevention

NHS Trusts Failed Cyber Security Assessment 0

Data Protection 1

GDPR – Processing Personal Data 1

The AI Lock In Loop 1

Business Cybersecurity Strategy 1

GDPR – lawyer reveals latest changes that will affect property industry 0

GDPR and cyber-security: An opportunity that cannot be ignored 0

The GDPR Advisory Board Offers Expert Advice 0

USA: FISA reauthorisation act seeks “proper balance” between individuals’ rights and security 0

GDPR awareness warning triggers Government action 0

GDPR Questions? Call Us

GDPR Fines

Introduction

Further information

Breach Penalties

Prevention

Loading, Please Wait!