The EU GDPR prescribes a regime of “effective, proportionate and dissuasive” administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
To find out more about how to comply with the GDPR and avoid regulatory action, read our bestselling GDPR Implementation and Compliance Guide.
Suffered a data breach? The clock is ticking
The GDPR requires you to notify your supervisory authority (the ICO in the UK) within 72 hours of discovering a data breach.
Our GDPR Data Breach Support Service helps you fulfil the Regulation's breach notification requirements in a structured and efficient manner.
Find out more
What is the maximum administrative fine under the GDPR?
There are two tiers of administrative fine that can be levied as penalties for GDPR non-compliance:
- Up to €10 million, or 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or 4% of annual global turnover – whichever is greater.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
How are GDPR fines determined?
Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25–39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12–22 (data subjects’ rights); and
- 44–49 (data transfers to third countries or international organisations).
GDPR fines to date
According to the European Data Protection Board, 281,088 cases were logged by supervisory authorities in the first year of the GDPR’s application.
Of these cases, 144,376 related to complaints and 89,271 related to data breach notifications by data controllers.
Notable GDPR enforcement action:
The ICO’s first action under the GDPR: an enforcement notice to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica/Facebook/Vote Leave scandal.
The first fine issued under the GDPR: the Austrian DSB fined a sports betting café €5,280 for installing a CCTV camera that recorded passers-by.
A German supervisory authority, the LfDI Baden-Württemberg, fined the social media platform Knuddels €20,000 for storing passwords in plaintext, following a data breach in which approximately 330,000 users’ personal data was compromised.
The first major fine under the new law: France’s CNIL fined Google €50 million for breaching the GDPR’s requirement for transparency and failing to obtain a valid legal basis for processing personal data for ad personalisation, in violation of the GDPR’s requirements for specific and unambiguous consent.
The UODO (the Polish Personal Data Protection Office) announced its first fine under the GDPR. An unnamed organisation was fined more than PLN 943,000 (approximately £193,500) for failing to inform more than 6 million data subjects that their personal data was being processed, thereby preventing them from exercising their rights.
The ICO announced its first fines under the GDPR.
First, it announced that it intended to fine British Airways £183.39 million for a 2018 security breach in which approximately 500,000 customers’ personal data was compromised.
Second, it stated its intention to fine Marriott International, Inc. £99,200,396 for breaching the GDPR when “a cyber incident” affecting its Starwood chain resulted in approximately 339 million customer records – including 7 million relating to residents of the UK – being exposed.
We will keep this page updated with details of notable GDPR fines as and when they are issued.
How are GDPR fines applied?
When deciding whether to impose a fine and to what level, supervisory authorities must consider a range of factors:
- The nature, severity and duration of the GDPR infringement.
- Whether the infringement was caused intentionally or by negligence.
- Any action taken by the organisation to mitigate the damage suffered by individuals.
- Technical and organisational measures that have been implemented by the organisation.
- Any previous infringements by the organisation.
- The degree of cooperation with the regulator to remedy the infringement.
- The types of personal data involved.
- How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
- Adherence to approved codes of conduct or certification schemes.
Don't get caught out: let us help you meet your compliance objectives today
As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs, plus the possibility of legal action from data subjects.
Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.