Fines and Penalties

Administrative fines

The GDPR imposes stiff fines on data controllers and processors for non-compliance.

Determination

Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a non-compliant firm:

Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing

Intention: whether the infringement is intentional or negligent

Mitigation: actions taken to mitigate damage to data subjects

Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance

History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines

Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement

Data type: what types of data the infringement impacts; see special categories of personal data

Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party

Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct

Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement

Amount

If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. (83.3)

However, the above may not offer much relief considering the amount of fines possible:

Lower level

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

Controllers and processors under Articles 8, 11, 25-39, 42, 43

Certification body under Articles 42, 43

Monitoring body under Article 41(4)

Upper level

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of: