GDPR Enforcement and Penalties
The EU’s GDPR (General Data Protection Regulation) is supported by a regime of “effective, proportionate and dissuasive” administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.
However, not all GDPR infringements lead to fines.
Besides the power to impose fines, supervisory authorities such as the ICO (Information Commissioner’s Office) have a range of corrective powers and sanctions to enforce the GDPR, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
Suffered a data breach? The clock is ticking
The GDPR requires you to notify the supervisory authority (the ICO in the UK) within 72 hours of discovering a data breach.
Our GDPR Breach Support Service helps you fulfil the Regulation's breach notification requirements in a structured and efficient manner.
What is the maximum administrative fine under the GDPR?
There are two tiers of administrative fines that can be levied as penalties for non-compliance with the GDPR:
1. Up to €10 million, or 2% of annual global turnover – whichever is higher; or
2. Up to €20 million, or 4% of annual global turnover – whichever is higher.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
The fines are based on the specific articles of the Regulation that the organisation has breached.
Data controllers and processors face administrative fines of
- the higher of €10 million or 2% of annual global turnover for infringements of Articles:
  - 8 (conditions for children’s consent),
  - 11 (processing that doesn’t require identification),
  - 25-39 (general obligations of processors and controllers),
  - 42 (certification), and
  - 43 (certification bodies);
- the higher of €20 million or 4% of annual global turnover for infringements of Articles:
  - 5 (data processing principles),
  - 6 (lawful bases for processing),
  - 7 (conditions for consent),
  - 9 (processing of special categories of data),
  - 12-22 (data subjects’ rights), and
  - 44-49 (data transfers to third countries).
Avoid administrative fines – start your journey to GDPR compliance
Making sure that your organisation is compliant with the GDPR will reduce the chance of incurring an administrative fine. Download our free green paper, EU General Data Protection Regulation – A compliance guide, to understand the key elements of the Regulation, and what you need to do to comply.
GDPR fines to date
According to the February 2019 report by the EDPB (European Data Protection Board) on the implementation of the GDPR, 206,326 cases were reported by supervisory authorities in 31 EEA countries in the first nine months of the GDPR’s application:
- 94,622 related to complaints.
- 64,684 related to data breach notifications by data controllers.
In the same period, supervisory authorities in 11 EEA countries issued administrative fines totalling €55,955,871.
The vast majority of that total is the €50 million fine France’s CNIL issued to Google in January 2019.
The CNIL found that Google violated the GDPR in two ways:
- By “excessively” disseminating essential information – including data processing purposes, data storage periods and the categories of personal data used for ad personalisation – across several documents that require users to take several steps to access, and by describing its data processing activities in “too generic and vague” a manner, in breach of the GDPR’s requirement for transparency; and
- By failing to obtain a valid legal basis for processing personal data for ad personalisation, in violation of the GDPR’s requirements for specific and unambiguous consent for all forms of personal data processing.
Other notable GDPR enforcement action:
- The ICO took its first action under the GDPR on 6 July 2018, when it issued an enforcement notice to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica/Facebook/Vote Leave scandal.
- In September 2018, the Austrian supervisory authority, the DSB, fined a sports betting café €5,280 for installing a CCTV camera that recorded passers-by, in contravention of the GDPR’s ban on large-scale monitoring of public spaces.
- The 16 German states’ supervisory authorities handed out a total of 41 fines in 2018. The first was in November 2018, when the LfDI Baden-Württemberg fined the social media platform Knuddels €20,000 for storing passwords in plaintext, following a data breach in which approximately 330,000 users’ personal data was compromised. The highest German fine to date was also issued by the Baden-Württemberg authority: €80,000 to a healthcare organisation that exposed sensitive personal data.
We will keep this page updated with details of notable GDPR fines as and when they are issued.
How are GDPR fines applied?
The GDPR’s harmonised approach to data protection requires consistent enforcement across the EU.
The EU’s Article 29 Data Protection Working Party – now replaced by the European Data Protection Board – issued guidelines on the application and setting of administrative fines in 2017.
When deciding whether to impose a fine, and at what level, supervisory authorities – including the UK’s ICO – must consider:
- The nature, gravity and duration of the infringement;
- The intentional or negligent character of the infringement;
- Any action taken by the organisation to mitigate the damage suffered by individuals;
- Technical and organisational measures that have been implemented by the organisation;
- Any previous infringements by the organisation or data processor;
- The degree of cooperation with the regulator to remedy the infringement;
- The types of personal data involved;
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; and
- Adherence to approved codes of conduct or certification schemes.
Liability for damages
The GDPR also gives individuals the right to compensation for material and/or non-material damage resulting from an infringement of the GDPR.
Start your journey to becoming GDPR compliant today
The remedies, liabilities and penalties that could result from non-compliance with the GDPR underline the importance of preparing your organisation. Browse our range of products to help you meet your GDPR compliance objectives.
Speak to an advisor
IT Governance’s specialists can help your organisation become GDPR compliant and avoid costly administrative fines.
Please contact our GDPR team for expert advice, and guidance on our products and services.