Fines and Sanctions

The GDPR's two-tier fine system under Article 83, with amounts up to 20 million euros or 4% of global annual turnover — which factors influence the amount and what other sanctions may be imposed.

The GDPR introduces a two-tier administrative fine system set out in Article 83, designed to have a significant deterrent effect. It distinguishes between less serious infringements (Tier 1) and particularly serious infringements (Tier 2).

Tier 1 Infringements

For Tier 1 infringements (Article 83(4)), fines of up to EUR 10 million or — for undertakings — up to 2% of total worldwide annual turnover of the preceding financial year may be imposed, whichever is higher. This tier covers in particular infringements of the obligations of controllers and processors (e.g. data protection by design, records of processing activities, appointment of a data protection officer).

Tier 2 Infringements

For Tier 2 infringements (Article 83(5)), fines of up to EUR 20 million or up to 4% of global annual turnover are possible. This higher tier applies to infringements of the basic principles for processing (Article 5), legal bases (Article 6), special categories (Articles 9 and 10), data subject rights (Articles 17–22), and unlawful third-country transfers.

Recital 148 GDPR stresses that administrative fines must be effective, proportionate, and dissuasive. Article 83(2) GDPR lists the criteria by which the amount of the fine is determined: the nature, gravity, and duration of the infringement, its intentional or negligent character, action taken to mitigate damage, the degree of responsibility, relevant previous infringements, categories of personal data affected, the manner in which the supervisory authority became aware, and the degree of cooperation.

Further Supervisory Actions

In addition to fines, supervisory authorities may take further action under Article 58 GDPR: warnings, reprimands, temporary or permanent bans on processing, and orders to notify data subjects. Data subjects may also bring civil claims for compensation under Article 82 GDPR — an avenue that has grown in importance through collective consumer actions.

Article 84 GDPR enables Member States to lay down specific rules for penalties for infringements not covered by Article 83, particularly in the areas of professional secrecy and employee data. Germany has made use of this in the BDSG.

Relevant Law Sections