Basket
United Kingdom
Select regional store:
Please enter more than 3 characters
Get 25% off training for life with the IT Governance Rewards Club. Book a selected classroom or live online course today to qualify!
Data privacy solutions EU GDPR (General Data Protection Regulation) GDPR penalties

GDPR fines

GDPR penalties and fines

The GDPR (General Data Protection Regulation) sets a maximum fine of up to €20 million or, in the case of an undertaking, 4% of annual global turnover – whichever is greater – for infringements.

However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

Suffered a data breach? The clock is ticking

The GDPR requires you to notify the ICO within 72 hours of discovering a data breach.

Act fast with our GDPR Data Breach Support Service, to ensure you fulfil the Regulation's breach notification requirements quickly and efficiently.

Find out more

What is the maximum GDPR fine?

There are two tiers of administrative fine for non-compliance with the GDPR:

  1. Up to €10 million, or, in the case of an undertaking, 2% of annual global turnover – whichever is greater; or
  2. Up to €20 million, or, in the case of an undertaking, 4% of annual global turnover – whichever is greater.

GDPR breach fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

What is the definition of ‘undertaking’ under the GDPR?

Articles 101 and 102 of the TFEU (Treaty on the Functioning of the European Union) set out competition rules applying to undertakings, but do not actually define what an undertaking is.

According to EU case law, however, an ‘undertaking’ is “any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed”.

In other words, it is what we would term an organisation.

How are GDPR fines determined?

Lower level of GDPR penalties

Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:

  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25 – 39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).

Higher level of GDPR penalties

Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:

GDPR fines so far

By the end of 2019, European supervisory authorities had issued, or announced their intention to issue, at least 133 administrative fines, totalling approximately €400 million (£337 million).

(This includes the ICO’s intended fines for Marriott International and British Airways, which were announced in July 2019. Without them, the figure is closer to €85 million (£72 million). The total is approximate owing to currency fluctuations and the fact that not all supervisory authorities publish information about the action they have taken.)

Graph displaying cumulative GDPR fines so far

GDPR fines 2018 – 2019

2018 fines

2019 fines

Month

Monthly total (€)

Month

Monthly total (€)
   

January

50,080,888 

February

92,1080.00

March

679,542.00 

April

372,135.00 

May

560,375.00

June

1,076,000.00

July

400,000.00

July

315,351,756.00

August

0.00

August

3,246,630.00

September

5,280.00

September

859,187.00

October

388.00

October

16,210,480.00

November

20,500.00

November

1,064,400.00

December

35,318.50

December

10,061,600.00

Other 2018 (dates unknown)

57,100.00

Other 2019 (dates unknown)

15,00.00

Grand total 2018 – 2019:

€400,188,687.50

Most common types of GDPR breach – to end of December 2019

Not all penalties are data breach fines. Most fines relate to breaches of the GDPR’s requirements.

Of the 123 GDPR fines where data is available, there were:

(Many breaches involved violations of more than one article of the GDPR.)

Learn more about GDPR compliance

Notable GDPR fines to date:

July 2018

The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.

July 2018

The first fine issued under the GDPR. A Portuguese hospital was fined €400,000 for allowing medical staff unrestricted access to patient data. 

January 2019

The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.

July 2019

The ICO issued two notices of intent: 

  1. To fine British Airways £183.39 million for a 2018 breach compromising the personal data of approximately 500,000 customers.
  2. To fine Marriott International £99,200,396 when “a cyber incident” exposed approximately 339 million customer records.

The ICO is expected to issue these fines on or by 31 March 2020.

December 2019

The ICO issued its first fine under the GDPR. 
Doorstep Dispensaree, a London pharmacy, was fined £275,000 for violating the GDPR's integrity and confidentiality principle. It left 500,000 documents containing sensitive personal data in unlocked containers.

Learn more about the UK’s first GDPR fine on our blog

We will keep this page updated with details of notable GDPR fines as and when they are issued.

How are GDPR fines applied?

When deciding whether to impose a fine and to what level, supervisory authorities must consider a range of factors, as set out in Article 83 of the Regulation:

  • The nature, severity and duration of the GDPR infringement.
  • Whether the infringement was caused intentionally or by negligence.
  • Any action taken by the organisation to mitigate the damage suffered by individuals.
  • Technical and organisational measures that have been implemented by the organisation.
  • Any previous infringements by the organisation.
  • The degree of cooperation with the regulator to remedy the infringement.
  • The types of personal data involved.
  • How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
  • Adherence to approved codes of conduct or certification schemes.
GDPR – A compliance guide - free pdf download

Protect your organisation: reduce the risk of an administrative fine

Ensuring your organisation is GDPR compliant will reduce your risk of incurring an administrative fine.

Learn what you need to do to comply with our free green paper – EU General Data Protection Regulation – A compliance guide.

Download now

Useful external links

Don't get caught out: let us help you meet your compliance objectives today

As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.

Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.

This website uses cookies. View our cookie policy