GDPR penalties and fines
The GDPR (General Data Protection Regulation) sets a maximum fine of up to €20 million or, in the case of an undertaking, 4% of annual global turnover – whichever is greater – for infringements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
Suffered a data breach? The clock is ticking
The GDPR requires you to notify the ICO within 72 hours of discovering a data breach.
Act fast with our GDPR Data Breach Support Service, to ensure you fulfil the Regulation's breach notification requirements quickly and efficiently.
Find out more
What is the maximum GDPR fine?
There are two tiers of administrative fine for non-compliance with the GDPR:
- Up to €10 million, or, in the case of an undertaking, 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or, in the case of an undertaking, 4% of annual global turnover – whichever is greater.
GDPR breach fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
What is the definition of ‘undertaking’ under the GDPR?
Articles 101 and 102 of the TFEU (Treaty on the Functioning of the European Union) set out competition rules applying to undertakings, but do not actually define what an undertaking is.
According to EU case law, however, an ‘undertaking’ is “any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed”.
In other words, it is what we would term an organisation.
How are GDPR fines determined?
Lower level of GDPR penalties
Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25 – 39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Higher level of GDPR penalties
Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:
Most common types of GDPR breach – to end of December 2019
Not all penalties are data breach fines. Most fines relate to breaches of the GDPR’s requirements.
Of the 123 GDPR fines where data is available, there were:
(Many breaches involved violations of more than one article of the GDPR.)
Learn more about GDPR compliance
Notable GDPR fines to date:
The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.
The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.
We will keep this page updated with details of notable GDPR fines as and when they are issued.
How are GDPR fines applied?
When deciding whether to impose a fine and to what level, supervisory authorities must consider a range of factors, as set out in Article 83 of the Regulation:
- The nature, severity and duration of the GDPR infringement.
- Whether the infringement was caused intentionally or by negligence.
- Any action taken by the organisation to mitigate the damage suffered by individuals.
- Technical and organisational measures that have been implemented by the organisation.
- Any previous infringements by the organisation.
- The degree of cooperation with the regulator to remedy the infringement.
- The types of personal data involved.
- How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
- Adherence to approved codes of conduct or certification schemes.
Don't get caught out: let us help you meet your compliance objectives today
As well as risking regulatory action for breaches, organisations face reputational damage and remediation costs. There is also the possibility of legal action from data subjects.
Don’t take the risk. See how our range of products and services can help you meet your GDPR compliance objectives.