Fines under theGeneral Data Protection Regulation (GDPR). What you need to know about GDPR fines, the guidelines on the application of GDPR administrative fines, ways to protect against GDPR fines, penalties, sanctions and the sanction mechanism under the GDPR.

If there is one thing that people know about the GDPR it’s that GDPR fines (administrative fines) can go up to 20 million Euros or 4 percent of annual global (note global!) turnover, whichever of both is highest. 


Territorial Scope  (<--- Link to the gdpreu.org source)

  Despite being a European Union regulation, the GDPR has far-reaching implications for any business that has a global presence. In short, it impacts any business, EU-based or not, that has EU users or customers. This represents a key change relative to the current Directive.  

(Click image to view source page)

Fines and Penalties  (<--- Link to the gdpreu.org source)

  

Administrative fines

The GDPR imposes stiff fines on data controllers and processors for non-compliance.

Determination

Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a non-compliant firm:

  • Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing
  • Intention: whether the infringement is intentional or negligent
  • Mitigation: actions taken to mitigate damage to data subjects
  • Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
  • History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
  • Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
  • Data type: what types of data the infringement impacts; see special categories of personal data
  • Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
  • Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
  • Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement

Amount

If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. (83.3)

However, the above may not offer much relief considering the amount of fines possible:

Lower level

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42, 43
  • Certification body under Articles 42, 43
  • Monitoring body under Article 41(4)

Upper level

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
  • Any obligations pursuant to Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority (83.6)
       		  


    To Top 

___________________________________

Let us show you where your data/money is most at risk!
Digital Data System Guards and Controls

Give us a call today!