The General Data Protection Regulation (GDPR) lays out strict rules for how organizations operating in the European Union can collect, use, and protect personal data. Enforcement of the regulation is handled by data protection authorities (DPAs) in each EU member state, who have the power to levy substantial administrative fines on organizations found to be in violation.
The size and scope of potential GDPR fines have made compliance a priority for companies around the world. Even organizations based outside the EU must comply if they process data on EU residents. Fines are one of the most discussed aspects of GDPR enforcement, but authorities have additional corrective powers like bans on data processing or audits.
This guide examines the structure of GDPR penalties, how authorities calculate appropriate fines, the types of violations that incur fines, and examples of major fines already levied. It provides an overview of the financial liability organizations take on when they fail to comply with GDPR data protection standards.
Importance of Compliance
Compliance with the GDPR is crucial for organizations that handle personal data. By adhering to the regulation’s requirements, businesses can build trust with their customers and stakeholders, demonstrate their commitment to data protection, and mitigate the risk of facing severe fines and penalties. Moreover, compliance helps organizations foster a culture of data privacy and security, which can enhance their reputation and competitiveness in the market.
Two Tiers of Administrative Fines Under GDPR
The GDPR establishes two tiers of administrative fines that can be imposed for violations:
- Up to €10 million or 2% of annual global turnover, whichever is higher – For less serious infringements.
- Up to €20 million or 4% of annual global turnover, whichever is higher – For more serious infringements.
The severity of the fine is based on the articles of GDPR violated. The GDPR outlines specific violations in each category:
Fines Up to 2% of Global Turnover
Infringements of obligations under the following GDPR articles face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher:
- Article 8 – Conditions applicable to child’s consent in relation to information society services
- Article 11 – Processing which does not require identification
- Articles 25-39 – General obligations of controllers and processors
- Article 42 – Certification
- Article 43 – Certification bodies
This includes violations by data controllers, processors, and accredited certification bodies. Non-compliance with orders from supervisory authorities also incurs a fine of up to 2% of global turnover.
Fines Up to 4% of Global Turnover
More serious infringements violating the core data protection principles of GDPR face fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. This applies to violations of:
- Article 5 – Principles relating to processing of personal data
- Article 6 – Lawfulness of processing
- Article 7 – Conditions for consent
- Article 9 – Processing of special categories of personal data
- Articles 12-22 – Rights of the data subject
- Articles 44-49 – Transfers of data to third countries or international organizations
Violations of GDPR articles directly concerning individuals’ rights and freedoms, sensitive data, consent requirements, and data transfers incur the highest level of fines.
How Turnover is Calculated
The “undertaking” definition used to determine annual turnover comes from EU competition law. This means even large corporate groups can be considered a single undertaking.
If different group subsidiaries violate GDPR, their parent company’s total global turnover is used as the benchmark to calculate a fine, rather than the individual subsidiary’s turnover.
Factors in Calculating GDPR Fines
GDPR does not mandate specific fines for particular violations. DPAs in each EU member state have latitude in deciding:
- Whether to impose a fine at all
- The appropriate fine amount up to the 2% or 4% limits
Authorities use these factors to guide fine decisions:
- Nature, gravity, and duration – Overall scope of the infringement.
- Intent or negligence – Whether the violation was purposeful or accidental.
- Mitigation – Steps the firm took to minimize damage to affected individuals.
- Precautions – Technical and organizational measures already in place to comply.
- History – Previous infringements under GDPR or prior EU data protection law.
- Cooperation – How much the firm aided authorities in investigating the breach.
- Data type – Whether special categories of data like health info were involved.
- Notification – If the firm properly informed authorities about the violation.
- Certification – Whether the firm followed GDPR certification procedures.
- Other factors – Motivation of the breach like financial gain.
These considerations allow authorities to tailor fines to the specific situation. Firms that self-report violations, have solid precautions in place, or cooperate with investigations may face lower fines. Violations involving sensitive data, lack of cooperation, or previous issues may increase fines.
Examples of Major GDPR Fines
While interpretation of GDPR varies somewhat between EU states, major fines show the substantial liability for non-compliance:
- January 2021 – WhatsApp was fined €225 million by the Irish DPA for transparency violations around sharing user data with other Facebook companies.
- July 2021 – Amazon was fined €746 million by the Luxembourg DPA for violations related to online advertising services and data processing transparency.
- September 2021 – H&M was fined €35 million by a German DPA for unlawful surveillance of hundreds of employees and lack of transparency.
- January 2022 – Meta (Facebook) was fined €17 million by the Italian DPA for not securing user data and bypassing consent requirements when using data for targeted advertising.
- May 2022 – Clearview AI was fined €20 million by the Italian DPA for using facial recognition technology to unlawfully collect biometric data on Italian citizens from public sources.
- September 2022 – Meta was fined €405 million by the Irish DPA for forcing users to consent to personalized ads and lacking transparency around how user data fuels targeting.
Fines have ranged from tens of thousands of euros against small firms up to hundreds of millions of euros against major multinational corporations like Google, Facebook, and Amazon. Even relatively minor violations can quickly incur five- or six-figure fines if authorities determine the firm’s precautions or cooperation were lacking.

How to Avoid GDPR Fines
Compliance with GDPR
To avoid GDPR fines and penalties, organizations must ensure compliance with the General Data Protection Regulation (GDPR). Compliance involves adhering to the principles and requirements outlined in the GDPR to protect the privacy and rights of individuals.
Compliance with GDPR means implementing appropriate measures and controls to protect personal data and fulfil the obligations imposed by the regulation. It requires organizations to adopt a privacy-by-design approach and prioritize data protection throughout their operations.
Steps to Ensure Compliance
- Conduct a Data Inventory: Start by identifying and documenting the personal data you collect, process, and store. This includes data received from customers, employees, and any other stakeholders.
- Assess Legal Basis: Determine the legal basis for processing personal data under the GDPR. This involves identifying the purpose and legal justification for each processing activity.
- Implement Data Protection Policies: Develop and implement comprehensive data protection policies and procedures that align with the GDPR requirements. These policies should cover areas such as data retention, data subject rights, and data breach response.
- Train Employees: Educate employees about their responsibilities in handling personal data and the importance of data protection. Regular training sessions will help reinforce compliance and promote a privacy-aware culture within the organization.
- Perform Regular Audits: Conduct periodic audits to assess compliance with the GDPR. These audits can help identify any gaps or areas for improvement and allow organizations to take corrective actions promptly.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a key tool to ensure compliance with the GDPR. It is a systematic process used to identify and minimize the data protection risks associated with a particular project or processing activity.
A DPIA involves assessing the impact of data processing on individuals’ privacy rights and evaluating the measures in place to mitigate those risks. It helps organizations identify and address potential privacy risks before they occur.
When to Conduct a DPIA
A DPIA is required under the GDPR in specific circumstances, such as when processing personal data involves high risks to individuals’ rights and freedoms. Examples include large-scale processing of sensitive data, systematic monitoring, or the use of new technologies.
Steps to Conduct a DPIA
- Identify the Need for a DPIA: Determine if the processing activity meets the criteria for requiring a DPIA as outlined in the GDPR.
- Describe the Processing Activity: Provide a clear and detailed description of the processing activity, including the purposes, data types, and recipients of the data.
- Assess the Necessity and Proportionality: Evaluate the necessity and proportionality of the processing activity, considering the rights and freedoms of individuals.
- Identify and Assess Risks: Identify and assess the potential risks to individuals’ rights and freedoms. This includes risks related to data security, data accuracy, and the exercise of data subjects’ rights.
- Implement Mitigation Measures: Implement appropriate measures to mitigate the identified risks. This may involve implementing technical and organizational safeguards, pseudonymization, or encryption.
- Review and Consultation: Review the DPIA findings and consult with relevant stakeholders, such as data protection authorities or data subjects, if necessary.
Data Breach Notification
Explanation of Data Breach Notification
Data breach notification is an essential aspect of GDPR compliance. It refers to the process of informing the appropriate authorities and individuals when a data breach occurs.
Under the GDPR, a data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
When a data breach occurs, it is crucial for organizations to promptly assess the impact and take necessary actions to mitigate the risks.
When to Notify Authorities
Organizations are required to notify the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of a data breach. However, if the breach is unlikely to result in a risk to the rights and freedoms of individuals, there may be no need for notification.
The supervisory authority to be notified depends on the location and scope of the breach. For example, if the breach affects individuals in multiple EU member states, organizations should notify the supervisory authority in each respective country.
Steps to Notify Authorities
- Assess the Breach: Begin by assessing the breach and determining its severity. This includes identifying the nature and extent of the personal data involved, the potential risks to individuals, and any measures taken to mitigate the breach.
- Prepare a Notification: Prepare a comprehensive notification that includes all relevant details of the breach. This should include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and any measures taken or proposed to address the breach.
- Submit the Notification: Once the notification is prepared, promptly submit it to the appropriate supervisory authority. This can typically be done electronically through the authority’s designated channels. Ensure that all necessary information is provided accurately and in a timely manner.
- Maintain Documentation: Keep a record of the breach notification and any subsequent correspondence with the supervisory authority. This documentation will be crucial for demonstrating compliance with the GDPR’s breach notification requirements.
By following these steps and promptly notifying the authorities in the event of a data breach, organizations can demonstrate their commitment to GDPR compliance and minimize the risk of facing hefty fines for non-compliance.
Conclusion
GDPR enforcement rests on substantial administrative fines designed to make non-compliance prohibitively expensive, regardless of an organization’s size or resources. Violations of GDPR’s core principles on data protection and individual rights often incur fines up to 4% of annual global turnover. Even violations of secondary requirements face 2% turnover fines.
The large fines already handed down by EU authorities underscore the expensive liability organizations take on if they fail to comply with GDPR standards. Combined with individuals’ right to sue for damages and the risk of barred data processing, fines make building a comprehensive GDPR compliance program essential.
Frequently Asked Questions
How are fines calculated under GDPR?
GDPR fines are based on two tiers linked to the articles violated: up to 2% or up to 4% of total worldwide annual turnover. Authorities consider factors like violation severity, precautions taken, cooperation, and data type to decide appropriate fine amounts under those limits.
What violations have the highest fines under GDPR?
The most serious fines up to 4% of global turnover apply to violations of GDPR articles governing core principles of data processing, legal bases for processing, data subject rights, consent requirements, and data transfers.
Who determines and levies GDPR fines?
Data protection authorities (DPAs) in each EU member state are responsible for enforcing the GDPR through tools like administrative fines. The national DPA where an organization is based typically leads cross-border cases.
What was the largest GDPR fine so far?
As of late 2022, the largest GDPR fine was the €746 million penalty against Amazon by Luxembourg authorities in July 2021 for violations related to online advertising data processing transparency.
Do GDPR fines replace other corrective actions?
No, authorities can levy administrative fines in addition to or instead of other tools like bans on data processing, orders to meet compliance standards, mandatory audits, warnings, and reprimands. Fines are not mutually exclusive with other enforcement mechanisms.
Can individuals sue for damages under GDPR?
Yes, GDPR gives individuals the right to sue for compensation if violations cause them material or non-material damages. This creates the risk of class-action-style suits in cases of major breaches impacting many people.
Does GDPR apply to organizations outside the EU?
Yes, GDPR applies extraterritorially to any organization that processes personal data on EU residents, even if the organization has no physical EU presence. Non-EU firms must comply or risk substantial fines.