GDPR penalties and fines
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
Suffered a data breach? The clock is ticking
The GDPR requires you to notify the ICO within 72 hours of discovering a data breach.
Our GDPR Data Breach Support Service helps you fulfil the Regulation's breach notification requirements in a structured and efficient manner.
Find out more
What is the maximum administrative fine under the GDPR?
There are two tiers of administrative fine that can be levied as penalties for GDPR non-compliance:
- Up to €10 million, or 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or 4% of annual global turnover – whichever is greater.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
How are GDPR fines determined?
Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25–39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12–22 (data subjects’ rights); and
- 44–49 (data transfers to third countries or international organisations).
Notable GDPR fines to date:
The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.
The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.
The ICO announced its first fines under the GDPR.
- It announced its intention to fine British Airways £183.39 million for a 2018 breach compromising the personal data of approximately 500,000 customers.
- It stated its intention to fine Marriott International £99,200,396 when “a cyber incident” exposed approximately 339 million customer records.
Bulgaria's Data Protection Commission (KZLD) announced its intention to fine the National Revenue Agency BGN5.1 million (approximately €2.6 million) after approximately 4 million living and 2 million dead individuals' personal data was compromised in a hacking attack.
We will keep this page updated with details of notable GDPR fines as and when they are issued.
How are GDPR fines applied?
When deciding whether to impose a fine and to what level, supervisory authorities must consider a range of factors, as set out in Article 83 of the Regulation:
- The nature, severity and duration of the GDPR infringement.
- Whether the infringement was caused intentionally or by negligence.
- Any action taken by the organisation to mitigate the damage suffered by individuals.
- Technical and organisational measures that have been implemented by the organisation.
- Any previous infringements by the organisation.
- The degree of cooperation with the regulator to remedy the infringement.
- The types of personal data involved.
- How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
- Adherence to approved codes of conduct or certification schemes.
Useful external links
Don't get caught out: let us help you meet your compliance objectives today
As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.
Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.