United Kingdom
Select regional store:

GDPR Fines

GDPR penalties and fines

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.

However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

Suffered a data breach? The clock is ticking

The GDPR requires you to notify the ICO within 72 hours of discovering a data breach.

Our GDPR Data Breach Support Service helps you fulfil the Regulation's breach notification requirements in a structured and efficient manner.

Find out more

What is the maximum administrative fine under the GDPR?

There are two tiers of administrative fine that can be levied as penalties for GDPR non-compliance:

  1. Up to €10 million, or 2% of annual global turnover – whichever is greater; or
  2. Up to €20 million, or 4% of annual global turnover – whichever is greater.

Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

How are GDPR fines determined?

Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:

  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25–39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).

Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:

  • 5 (data processing principles);
  • 6 (lawfulness of processing);
  • 7 (conditions for consent);
  • 9 (processing of special categories of data);
  • 12–22 (data subjects’ rights); and
  • 44–49 (data transfers to third countries or international organisations).
EU General Data Protection Regulation – A compliance guide.

Protect your organisation: reduce the risk of an administrative fine

Ensuring your organisation is GDPR compliant will reduce your risk of incurring an administrative fine.

Learn what you need to do to comply with our free green paper – EU General Data Protection Regulation – A compliance guide.

Download now

GDPR fines so far

According to the European Data Protection Board, 281,088 cases were logged by supervisory authorities in the first year of the GDPR’s application.

Of these cases, 144,376 related to complaints and 89,271 related to data breach notifications by data controllers. 

As of September 2019, the EU’s supervisory authorities have issued, or announced their intention to issue, fines totalling approximately €372,120,990.50. (The figure is approximate owing to fluctuations in currency values.)

European Data Protection Board and individual supervisory authority graph - GDPR fines so far

Notable GDPR fines to date:

July 2018

The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.

September 2018

The first fine issued under the GDPR. The Austrian DSB fined a sports betting café €5,280 for installing a CCTV camera that recorded passers-by.

January 2019

The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.

July 2019

The ICO announced its first fines under the GDPR.

  1. It announced its intention to fine British Airways £183.39 million for a 2018 breach compromising the personal data of approximately 500,000 customers.
  2. It stated its intention to fine Marriott International £99,200,396 when “a cyber incident” exposed approximately 339 million customer records.

August 2019

Bulgaria's Data Protection Commission (KZLD) announced its intention to fine the National Revenue Agency BGN5.1 million (approximately €2.6 million) after approximately 4 million living and 2 million dead individuals' personal data was compromised in a hacking attack.

We will keep this page updated with details of notable GDPR fines as and when they are issued.

How are GDPR fines applied?

When deciding whether to impose a fine and to what level, supervisory authorities must consider a range of factors, as set out in Article 83 of the Regulation:

  • The nature, severity and duration of the GDPR infringement.
  • Whether the infringement was caused intentionally or by negligence.
  • Any action taken by the organisation to mitigate the damage suffered by individuals.
  • Technical and organisational measures that have been implemented by the organisation.
  • Any previous infringements by the organisation.
  • The degree of cooperation with the regulator to remedy the infringement.
  • The types of personal data involved.
  • How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
  • Adherence to approved codes of conduct or certification schemes.

Useful external links

Don't get caught out: let us help you meet your compliance objectives today

As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.

Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.

This website uses cookies. View our cookie policy