Article 83 of GDPR: General Conditions For Imposing Administrative Fines

Article 83 GDPR sets out the administrative fines that supervisory authorities may impose on organizations that infringe GDPR, the conditions for imposing them and the factors that determine their amount.

Fines to be dissuasive and proportional (Article 83(1) GDPR)

As a starting point, GDPR directs the supervisory authorities to issue and impose administrative fines that are:

  1. Dissuasive, so that data controllers and data processors are deterred from infringing GDPR again
  2. Proportionate to the overall nature of the infringement of the law

Factors to consider when imposing a fine (Article 83(2) GDPR)

GDPR clearly stipulates that the supervisory authorities have the power to:

  1. Impose administrative fines to punish an infringement of the law
  2. Impose administrative fines in addition to, or instead of, ordering corrective measures to bring the organization into compliance with the law

Furthermore, GDPR provides the supervisory authorities with guidelines and factors to consider when deciding on the amount of the administrative fine.

The following factors should be considered when imposing an administrative fine:

  1. The nature of the infringement (Article 83(2)(a) GDPR)
  2. The gravity of the infringement (Article 83(2)(a) GDPR)
  3. The duration of the infringement (Article 83(2)(a) GDPR)
  4. Number of data subjects affected (Article 83(2)(a) GDPR)
  5. Level of damage suffered by each data subject (Article 83(2)(a) GDPR)
  6. The intentional character of the infringement (Article 83(2)(b) GDPR)
  7. The level of negligence on the part of the controller or processor (Article 83(2)(b) GDPR)
  8. Measures taken by the controller or processor to mitigate damages (Article 83(2)(c) GDPR)
  9. The degree of responsibility of the data controller or data processor, taking into account the data protection by design and by default measures it has implemented (Article 83(2)(d) GDPR)
  10. The degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures it has implemented to safeguard personal data (Article 83(2)(d) GDPR)
  11. Infringement history of the data controller or processor (Article 83(2)(e) GDPR)
  12. The level of cooperation with the supervisory authority (Article 83(2)(f) GDPR)
  13. The categories of personal data affected (Article 83(2)(g) GDPR)
  14. Whether the data controller or processor itself notified the infringement to the supervisory authority, or whether the authority became aware of it by other means (Article 83(2)(h) GDPR)
  15. Previous orders of corrective measures on the same subject-matter and how the organization complied with those past orders (Article 83(2)(i) GDPR)
  16. Whether the organization adheres to approved codes of conduct (Article 83(2)(j) GDPR)
  17. Whether the organization adheres to approved certification mechanisms (Article 83(2)(j) GDPR)
  18. Any other aggravating factors (Article 83(2)(k) GDPR)
  19. Any other mitigating factors (Article 83(2)(k) GDPR)

When the same processing operation infringes multiple provisions of GDPR (Article 83(3) GDPR)

When a company, through the same processing operations, intentionally or negligently infringes several provisions of GDPR, the total administrative fine it can be held liable to pay shall not exceed the amount specified for the gravest of those infringements.

Fines of 10,000,000 Euros or 2% of total worldwide turnover (Article 83(4) GDPR)

GDPR groups infringements into categories, each of which carries a different maximum administrative fine.

For the following infringements, the administrative fine can go up to 10,000,000 Euros or 2% of the organization's total worldwide annual turnover:

  1. Obligations of data processors and data controllers related to the child’s consent in relation to information society services as outlined in Article 8 GDPR (Article 83(4)(a) GDPR)
  2. Obligations of data processors and data controllers related to the processing activities that do not require identification of the data subject as outlined in Article 11 GDPR (Article 83(4)(a) GDPR)
  3. Obligations of data processors and data controllers related to data protection by design and by default measures as outlined in Article 25 GDPR (Article 83(4)(a) GDPR)
  4. Obligations of data processors and data controllers related to the tasks of the data protection officer as outlined in Article 39 GDPR (Article 83(4)(a) GDPR)
  5. Obligations of data processors and data controllers related to their certification as outlined in Article 42 GDPR (Article 83(4)(a) GDPR)
  6. Obligations of data processors and data controllers related to the certification body as outlined in Article 43 GDPR (Article 83(4)(a) GDPR)
  7. Obligations of certification bodies related to the certification as outlined in Article 42 GDPR (Article 83(4)(b) GDPR)
  8. Obligations of certification bodies related to the certification as outlined in Article 43 GDPR (Article 83(4)(b) GDPR)
  9. Obligations of the monitoring body as outlined in Article 41(4) GDPR (Article 83(4)(c) GDPR)

Fines of 20,000,000 Euros or 4% of total worldwide turnover (Article 83(5) GDPR)

A second category of GDPR infringements carries a higher maximum administrative fine.

The following infringements can result in an administrative fine of up to 20,000,000 Euros or 4% of the organization's total worldwide annual turnover:

  1. Violation of the basic principles relating to the processing of personal data as outlined in Article 5 GDPR (Article 83(5)(a) GDPR)
  2. Violation of the lawful processing of personal data as outlined in Article 6 GDPR (Article 83(5)(a) GDPR)
  3. Violation of the conditions required for consent as outlined in Article 7 GDPR (Article 83(5)(a) GDPR)
  4. Violation of the provisions for the processing of special categories of personal data as outlined in Article 9 GDPR (Article 83(5)(a) GDPR)
  5. Violation of the transparent communication of data processing as outlined in Article 12 GDPR (Article 83(5)(b) GDPR)
  6. Violation of the obligation to provide information to data subjects as outlined in Article 13 GDPR (Article 83(5)(b) GDPR)
  7. Violation of the obligation to provide information to data subjects when data was obtained from a third party as outlined in Article 14 GDPR (Article 83(5)(b) GDPR)
  8. Violation of a data subject’s right to access personal data as outlined in Article 15 GDPR (Article 83(5)(b) GDPR)
  9. Violation of the data subject’s right to rectification as outlined in Article 16 GDPR (Article 83(5)(b) GDPR)
  10. Violation of the data subject’s right to be forgotten or right to erasure as outlined in Article 17 GDPR (Article 83(5)(b) GDPR)
  11. Violation of the data subject’s right to restrict data processing as outlined in Article 18 GDPR (Article 83(5)(b) GDPR)
  12. Violation of the data subject’s portability rights as outlined in Article 20 GDPR (Article 83(5)(b) GDPR)
  13. Violation of the data subject’s right to object to the data processing as outlined in Article 21 GDPR (Article 83(5)(b) GDPR)
  14. Violation of the data subject’s right not to be subjected to automated decision-making as outlined in Article 22 GDPR (Article 83(5)(b) GDPR)
  15. Violation of the general principles for transfers of personal data as outlined in Article 44 GDPR (Article 83(5)(c) GDPR)
  16. Violation of the transfer of personal data obligations on the basis of an adequacy decision as outlined in Article 45 GDPR (Article 83(5)(c) GDPR)
  17. Violation of the transfer of personal data obligations with appropriate safeguards as outlined in Article 46 GDPR (Article 83(5)(c) GDPR)
  18. Violation of the transfer of personal data obligations in relation to binding corporate rules as outlined in Article 47 GDPR (Article 83(5)(c) GDPR)
  19. Violation of the rules on transfers or disclosures of personal data not authorized by EU law as outlined in Article 48 GDPR (Article 83(5)(c) GDPR)
  20. Violation of obligations imposed by EU member state law (Article 83(5)(d) GDPR)
  21. Non-compliance with a supervisory authority order (Article 83(5)(e) GDPR)
  22. Failure to provide the supervisory authority access to data processing operations (Article 83(5)(e) GDPR)

Non-compliance with an order of the supervisory authority (Article 83(6) GDPR)

The non-compliance with an order of the supervisory authority can result in a fine of up to 20,000,000 Euros.

If the non-compliance is attributed to a legal entity or an undertaking, the fine can go up to the greater of either 20,000,000 Euros or 4% of the total worldwide turnover of the undertaking in its previous fiscal year.

Administrative fines on public authorities (Article 83(7) GDPR)

Each EU member state can define the rules with respect to whether or not public authorities and bodies will be subject to administrative fines and define to what extent they can be held responsible.

Judicial safeguards (Article 83(8) GDPR)

Each EU member country shall make sure that the exercise of the powers granted to the supervisory authority to issue administrative fines is supported by proper judicial due process and is given effective judicial remedy.

Fines imposed by a competent court (Article 83(9) GDPR)

When an EU member country's legal system does not provide for administrative fines to be issued by the supervisory authority, that country must ensure that the supervisory authority can initiate proceedings so that the fine is imposed by the competent national court instead.

The fines imposed by the competent court must remain effective, proportionate to the infringement and dissuasive.

Each EU member country that wishes to have the fines issued by their national court should notify the Commission by May 25, 2018.

Recitals applicable to Article 83 of GDPR

Relevant Recitals: 148, 149, 150, 151, 152

Cited Legislation in Article 83 or relevant recitals

Treaty on the Functioning of the European Union

GDPR Text: Article 83 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)

Editorial Staff