GDPR Fines: What Are GDPR Fines And How Are They Imposed?

What are the GDPR fines?

Who can be imposed a fine under GDPR?

How much will a GDPR violation cost in fines and penalties?

In this article, we break down the concept of GDPR fines in detail.

We’ll look at what GDPR fines are, what is the maximum that can be imposed, how they are imposed, how to avoid them and more.

Are you ready?

Let’s get started!

GDPR Fines for effective enforcement 

Violations of GDPR can get very expensive for individuals and organizations.

GDPR is designed in such a way that those infringing may be exposed to severe fines. 

The European Union, by adopting the GDPR, wanted to ensure companies took data protection seriously.

Previously, companies earning billions of dollars considered that it was cheaper to pay infringement fines than to implement proper technical and organisational measures to protect personal data.

GDPR’s goal is to change that way of thinking.

To achieve its goal, the European Union has empowered their data protection supervisory authorities to issue administrative fines that can go up to the greater of 20,000,000 Euros or 4% of a company’s annual worldwide turnover.

Complying with GDPR is crucial for companies subjected to it as the potential liability resulting from non-compliance can be significant.

The GDPR fines must be effective, proportionate and dissuasive

The GDPR fines must be effective, proportionate and dissuasive.

In other words, the supervisory authorities will evaluate the nature, gravity and consequence of the GDPR infringement to determine the most adequate fine and corrective measures to impose.

The facts of the infringement case are highly relevant to assess the administrative fine to impose.

Depending on the European country in question, each EU member state can set additional requirements on the enforcement procedure their supervisory authority must follow.

However, domestic EU member state laws should not affect the ultimate objective of GDPR which is to issue fines that are effective, proportional and dissuasive.

Who is subject to GDPR fines?

To determine who can be subject to GDPR fines, we must determine who is subject to the regulation in the first place.

We must look at the territorial scope of GDPR to answer the question of who is subject to GDPR fines.

Companies established in Europe 

GDPR applies to the processing of personal data in the context of the activities of a company established in Europe, regardless of whether the processing takes place in Europe or not.

Companies not established in Europe 

GDPR also applies to the processing of personal data of data subjects who are in Europe by companies not established in Europe if: 

1. They are offering goods and services to European data subjects regardless if they get paid for it or not
2. They are monitoring the behaviour of data subjects when that behaviour takes place in Europe

In a nutshell, any European company dealing with Europeans in any capacity or foreign companies selling goods and services to Europeans or monitoring their behaviour while they are in the European territories. 

GDPR fines for individuals 

Individuals processing personal data for purely personal needs or the needs of their household are exempt from GDPR and thus exempt from GDPR fines.

However, even individuals, using personal data outside of their personal needs or needs of their household will be subject to GDPR and their infringement will be punishable by GDPR penalties and fines.

How GDPR fines are calculated?

Article 83 GDPR provides for a list of different factors to consider when supervisory authorities are looking to impose a fine.

Let’s look at how the supervisory authorities may consider the important factors to consider.

Nature of the infringement 

The nature of the infringement will determine what type of GDPR infringement case we have.

Depending on the nature of the infringement, the infringement will get categorized as a ‘less severe’ or ‘serious’ infringement category.

A less severe infringement can lead to an administrative fine of the greater of 10,000,000 Euros or 2% of an undertaking’s annual worldwide turnover.

This is the standard fine maximum.

A more severe infringement can go up to the greater of 20,000,000 Euros or 4% of the worldwide annual turnover.

This is a higher maximum fine.

You’ll notice that GDPR does not allow for a minimum but establishes a maximum cap.

If an infringement is considered as “minor infringements” as we see this notion in Recital 148 GDPR, a supervisory authority may choose that the most appropriate remedy is a reprimand to the company.

Gravity of the infringement

The gravity of the infringement is also considered.

To assess the gravity, the supervisory authorities will evaluate particularly the nature of the data processing operation along with the number of data subjects affected by the infringement.

The more adverse the consequences on the data subjects and the more data subjects affected, the more you can consider the infringement has a serious gravity.

Duration of the infringement

The duration of the case of infringement will also be telling.

Depending on the duration of the infringement and the actions of the company, supervisory authorities will consider how diligent a company dealt with the matter.

If a company knew about the infringement and did not do anything about it or failed to take preventive measures or implement technical and organisational measures to comply with GDPR will have an impact on the end result.

Intentional infringement and negligence 

The element of intent is also very important.

In some cases, you have an intentional GDPR violation and, in other cases, you inadvertently violated GDPR without having any particular intention to do so.

When an element of intention is discernable by the supervisory authorities, the fines imposed can be much more severe.

The element of intention will be analyzed based on the objective conduct of the organization in its data processing operations.

For example, if you have a case where the data protection officer was recommending that an organization refrain from doing certain processing activities and the company executives decide to do it nonetheless, that’s a case of deliberate infringement of GDPR.

Actions taken to mitigate damage to data subjects

Supervisory authorities are also sensitive to the actions of data controllers and data processors have taken to mitigate damages to data subjects.

A company taking immediate and comprehensive measures to limit the damages to data subjects will be seen more favourably than a company that did not implement any measures or take any meaningful steps to prevent further damages to the data subjects.

Implementation of technical and organisational security measures 

Under GDPR, data controllers and data processors have the obligation to implement organisational and technical security measures to protect personal data.

In evaluating a potential fine, the supervisory authorities will consider if the company has complied with such requirement.

A company will be assessed on what measures they implemented to comply with GDPR, the level of security measures implemented based on the nature of the data processing activities and how it has internally implemented policies and measures to protect data.

GDPR states that companies must take into account the state of the art, the cost of implementation and nature, scope, context, purpose and risk of data processing as measures to decide the most appropriate level of technical and organisational measures to protect data.

This obligation is of means which means the evaluation will be based on what could have the company could have reasonably done in the circumstances.

Previous infringements 

The track record of a company will be a factor in assessing GDPR fines.

If a company has multiple GDPR infringement cases and was ordered corrective measures and has not implemented them, they can expect a much stricter fine to be imposed on them.

If a current infringement is substantially related to a similar past infringement, that’s an aggravating factor that will result is more elevated fines.

Degree of cooperation 

The degree of cooperation of a company with the supervisory authorities will be considered in evaluating fines under GDPR.

If a company cooperates with the supervisory authority, provides the needed information, answers in a timely fashion and is generally cooperative, the supervisory authority may decide to reduce the amount of the fine by an amount it considers proportionate.

Categories of personal data

The categories of personal data processed may have a significant impact on the amount of a GDPR fine.

If a company processes special categories of personal data and has infringed GDPR, the consequences are severe.

The manner infringement was notified to the supervisory authority

The manner a supervisory authority becomes aware of a GDPR infringement can have an impact on the assessment of the appropriate amount of GDPR administrative fine.

Here are some possible ways an infringement to GDPR can come to the surface:

1. Direct notification by the data controller or processor
2. Investigation of the supervisory authority
3. A complaint of a data subject
4. Article online
5. Article in the newspaper
6. An anonymous tip 

The circumstances of how the infringement to GDPR was notified to the supervisory authority can have an impact.

Adherence to a GDPR code of conduct 

Companies can adhere to approved GDPR codes of conduct to prove that they comply with GDPR.

The certification bodies have a duty to monitor a company’s compliance with the approved code of conduct and have the power to require corrective measures to enforce the code of conduct.

If a case of infringement was already dealt with at the level of the accredited certification body and measures were already taken against the company, a supervisory authority will take that into consideration to determine if additional measures should be taken or not.

Aggravating or mitigating factors 

Depending on the circumstances of the infringement, any aggravating or mitigating factors will be considered to establish a fine under GDPR.

Every case will be assessed in its own light and the aggravating factors or mitigating factors will be closely linked to the actions of the company, how they profited from the violation, how they acted to protect the rights of data subjects and so on.

What other action can a supervisory authority take?

A supervisory authority does not have have to impose a fine, they have powers to impose other corrective measures.

Some of these measures can be to:

1. Issue a warning
2. Impose a reprimand
3. Impose a temporary ban on data processing
4. Impose a permanent ban on data processing
5. Order the rectification of data
6. Order the restriction of data
7. Order the erasure of data
8. Suspend data transfers to third countries

GDPR clearly stipulates that the supervisory authorities have the power to impose fines but can also impose other measures.

Each case of infringement must be reviewed and assessed individually.

The ultimate objective is for the sanction or measure to be effective in ensuring compliance with GDPR.

Based on that, the supervisory authority can impose either a fine as a sole measure or issue a fine along with corrective measures to be implemented by the organizations.

The corrective measures are not necessarily a sanction as the objective is to prevent future GDPR infringement but organizations will incur significant costs in implementing such measures.

As a result, companies are well-advised to take step-by-step measures to ramp up their GDPR compliance to avoid being in a situation to implement significant measures in a short timeline.

What is the maximum GDPR fine?

The maximum GDPR fine is reserved for serious infringement and non-compliance is the greater of €20 million or 4% of a company’s global annual turnover.

GDPR does not have a fixed formula to precisely calculate the GDPR fine to be issued given a non-compliance situation.

Rather, GDPR requires that the imposition of the fines be effective, proportionate and dissuasive.

As a result, every infringement case will need to be assessed based on its factual underpinnings. 

How to avoid fines under GDPR?

To avoid fines under GDPR, you’ll need to comply with GDPR.

If we analyze the fines and penalties issued so far by various supervisory authorities, we can see that most of the fines are issued based on non-compliance with: 

1. the 7 GDPR principles
2. the lawfulness of processing 
3. the security of processing.

Although you must comply with all aspects of GDPR, for companies that are staring their GDPR compliance measures, it may be worth considering complying with GDPR provision giving rise to be most GDPR fines.

What if the same processing operation results in multiple GDPR infringement counts?

When a company, based on the same processing operations infringes multiple provisions of GDPR, then the administrative fines it could be held accountable to pay should not exceed the amount of the gravest infringement.

In other words, for the same processing operation, the company will be imposed a fine based on the most severe infringement.

The other counts for infringement will not result in a cumulative fine to the organization.

Is the data controller responsible for the fines or data processor?

Data controllers are responsible for the processing operations even though they may have hired a third party data processor to handle the actual processing operations for them.

The data controller is the organization collecting personal data in the first place and has the power to decide the means of data processing.

If they choose to delegate their data processing operations to another entity, they are not off the hook.

How much in GDPR fines have been imposed so far?

According to CNBC, data privacy regulation in the European Union has resulted in over 114 million Euros in fines since it was introduced in May 2018.

According to DLA Piper, as of January 2020, over 160,000 data breach notifications have been issued throughout Europe. 

As of January 2020, the countries with the highest number of reported GDPR data breach are:

1. Netherlands (40,647 breach notifications)
2. Germany (37,636 breach notifications)
3. United Kingdom (22,181 breach notifications)
4. Ireland (10,516 breach notifications)
5. Denmark (9,806 breach notifications)

You can consult the Enforcement Tracker to get an up-to-date list of GDPR fines and notices.

Largest GDPR fines

The most notable GDPR fine issued so far relates to the French Data Protection Authority (CNIL) imposing a fine of €50 million on Google Inc. for having an insufficient legal basis for processing data.

The complaint was lodged on the day GDPR came into effect on May 25, 2018, along with other complaints on May 28, 2018, with respect to Google’s practice of creating a Google account during the configuration of a mobile device running an Android operating system.

CNIL concluded that Google had infringed the following GDPR requirements:

1. Article 4(11) with respect to the data subject’s consent not being specific and unambiguous 
2. Article 5 with respect to the lack of transparency with the data subjects
3. Article 6 with respect to having no legal basis to process personal data
4. Article 13 with respect to insufficient information given to the data subjects about the collection of personal information
5. Article 14 with respect to insufficient information given to the data subjects with respect to information obtained and processed from other sources 

What factors are considered to impose data privacy fines?

The following factors will be considered by the supervisory authorities to calculate the most appropriate amount for it to be effective, proportionate and dissuasive: 

1. The nature of the infringement 
2. The gravity of the infringement 
3. The duration of the infringement 
4. Number of data subjects affected 
5. Level of damage suffered by each data subject 
6. The intentional character of the infringement 
7. The level of negligence on the part of the controller or processor 
8. Measures taken by the controller or processor to mitigate damages 
9. The degree of responsibility of the data controller and data processor having implemented data protection by design and default measures 
10. The degree of responsibility of the data controller and data processor that have implemented technical and organizational measures to safeguard personal data 
11. Infringement history of the data controller or processor 
12. The level of cooperation with the supervisory authority 
13. The categories of personal data affected 
14. Whether the data controller or processor was the one notifying the infringement to the supervisory authority or not 
15. Previous orders of corrective measures on the same subject-matter and how the organization had complied with the past orders 
16. Adherence to approved codes of conduct or not 
17. Adherence to approved certification mechanisms 
18. Any other aggravating factors 
19. Any other mitigating factors 

What are the possible fines under GDPR?

GDPR provides for a two-tier fine mechanism.

The first tier administrative fines relate to less severe cases of infringement and therefore less severe fines.

The second tier administrative fines relate to more serious infringement cases and the administrative fines can get very expensive.

Fines for less severe infringement

In the following scenarios of infringement, the total possible administrative fine can go up to €10,000,000 or 2% of the organizations total annual turnover:

1. Obligations of data processors and data controllers related to the child’s consent in relation to information society services as outlined in Article 8 GDPR 
2. Obligations of data processors and data controllers related to the processing activities that do not require identification of the data subject as outlined in Article 11 GDPR
3. Obligations of data processors and data controllers related to data protection by design and by default measures as outlined in Article 25 GDPR 
4. Obligations of data processors and data controllers related to the tasks of the data protection officer as outlined in Article 39 GDPR 
5. Obligations of data processors and data controllers related to their certification as outlined in Article 42 GDPR
6. Obligations of data processors and data controllers related to the certification body as outlined in Article 43 GDPR
7. Obligations of certification bodies related to the certification as outlined in Article 42 GDPR
8. Obligations of certification bodies related to the certification as outlined in Article 43 GDPR 
9. Obligations of the monitoring body as outlined in Article 41(4) GDPR 

Fines for serious infringement 

The following infringement cases will result in a possible administrative fine of up to €20,000,000 or 4% of the total worldwide turnover of the organization:

1. Violation of the 7 principles relating to the processing of personal data as outlined in Article 5 GDPR 
2. Violation of the lawful processing of personal data as outlined in Article 6 GDPR 
3. Violation of the conditions required for consent as outlined in Article 7 GDPR 
4. Violation of the provisions for the processing of special categories of personal data as outlined in Article 9 GDPR 
5. Violation of the transparent communication of data processing as outlined in Article 12 GDPR 
6. Violation of the obligation to provide information to data subjects as outlined in Article 13 GDPR 
7. Violation of the obligation to provide information to data subjects when data was obtained from a third party as outlined in Article 14 GDPR 
8. Violation of a data subject’s right to access personal data as outlined in Article 15 GDPR 
9. Violation of the data subject’s right to rectification as outline din Article 16 GDPR
10. Violation of the data subject’s right to be forgotten or right to erasure as outlined in Article 17 GDPR 
11. Violation of the data subject’s right to restrict data processing as outlined in Article 18 GDPR 
12. Violation of the data subject’s portability rights as outlined in Article 20 GDPR 
13. Violation of the data subject’s right to object to the data processing as outlined in Article 21 GDPR 
14. Violation of the data subject’s right not to be subjected to automated decision-making as outlined in Article 22 GDPR 
15. Violation of the general principles of for personal data transfer as outlined in Article 44 GDPR 
16. Violation of the transfer of personal data obligations based on an adequacy decision as outlined in Article 45 GDPR 
17. Violation of the transfer of personal data obligations with appropriate safeguards as outlined in Article 46 GDPR 
18. Violation of the transfer of personal data obligations in relation to binding corporate rules as outlined in Article 47 GDPR
19. Violation of the transfer of personal data obligations without proper disclosure or not authorized by EU law as outlined in Article 48 GDPR 
20. Violation of obligations imposed by EU member state law 
21. Non-compliance with a supervisory authority order 
22. Failure to provide the supervisory authority access to data processing operations 

Frequently asked questions