GDPR Enforcement and Penalties

GDPR infringements

Infringement of the EU GDPR can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

Not all GDPR infringements lead to fines. Supervisory authorities such as the ICO (Information Commissioner’s Office) have the scope to take a range of other actions, such as:

• Issuing warnings and reprimands;
• Imposing a temporary or permanent ban on data processing;
• Ordering the rectification, restriction or erasure of data; and
• Suspending data transfers to third countries.

To find out more information about the changes you need to make to your data protection and information security regimes to avoid severe financial penalties, read the bestselling GDPR Implementation and Compliance Guide.

What is the maximum administrative fine under the GDPR?

There are two tiers of administrative fines that can be levied as penalties for GDPR non-compliance:

1. Up to €10 million, or 2% annual global turnover – whichever is greater; or
2. Up to €20 million, or 4% annual global turnover – whichever is greater.

Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

The fines are based on the specific articles of the Regulation that the organisation has breached.

Data controllers and processors face administrative fines of

• Up to €10 million or 2% of annual global turnover for infringements of articles:
  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25–39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).
• Up to €20 million or 4% of annual global turnover for infringements of articles:
  • 5 (data processing principles);
  • 6 (lawful bases for processing);
  • 7 (conditions for consent);
  • 9 (processing of special categories of data);
  • 12–22 (data subjects’ rights); and
  • 44–49 (data transfers to third countries).

GDPR fines to date

According to the European Data Protection Board, 206,326 cases were reported by supervisory authorities in the first nine months of the GDPR’s application.

Of these cases, 94,622 were related to complaints and 64,684 were related to data breach notifications by data controllers.

In the same period, supervisory authorities in 11 EEA countries issued administrative fines totalling €55,955,871.

The vast majority of that total is the €50 million fine France’s CNIL issued to Google in January 2019.

The CNIL found that Google violated the GDPR in two ways:

1. By “excessively” disseminating essential information – including data processing purposes, data storage periods and the categories of personal data used for ad personalisation – across several documents that require users to take several steps to access, and by describing its data processing activities in “too generic and vague” a manner, in breach of the GDPR’s requirement for transparency; and
2. By failing to obtain a valid legal basis for processing personal data for ad personalisation, in violation of the GDPR’s requirements for specific and unambiguous consent for all forms of personal data processing.

Other notable GDPR enforcement action:

• The ICO took its first action under the GDPR on 6 July 2018, when it issued an enforcement notice to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica/Facebook/Vote Leave scandal.
• In September 2018, the Austrian supervisory authority, the DSB, fined a sports betting café €5,280 for installing a CCTV camera that recorded passers-by, in contravention of the GDPR’s ban on large-scale monitoring of public spaces.
• The 16 German states’ supervisory authorities handed out a total of 41 fines in 2018. The first was in November 2018, when the LfDI Baden-Württemberg fined the social media platform Knuddels €20,000 for storing passwords in plaintext, following a data breach in which approximately 330,000 users’ personal data was compromised. The highest German fine to date was also issued by the Baden-Württemberg authority: €80,000 to a healthcare organisation that exposed sensitive personal data.
• In March 2019, the UODO, the Polish Personal Data Protection Office, announced its first fine under the GDPR. An unnamed organisation was fined more than PLN 943,000 (approximately £193,500) for failing to inform more than 6 million data subjects that their personal data was being processed, thereby preventing them from exercising their rights.

We will keep this page updated with details of notable GDPR fines as and when they are issued.

How are GDPR fines applied?

When deciding whether to impose a fine and to what level, supervisory authorities consider a range of factors: 

• The nature, severity and duration of the infringement.
• Whether the infringement was caused intentionally or by negligence.
• Any action taken by the organisation to mitigate the damage suffered by individuals.
• Technical and organisational measures that have been implemented by the organisation.
• Any previous infringements by the organisation or data processor.
• The degree of cooperation with the regulator to remedy the infringement.
• The types of personal data involved.
• How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
• Adherence to approved codes of conduct or certification schemes.