One of the most discussed topics and the novelties introduced by the GDPR are the administrative fines that supervisory authorities may impose in the event of infringements of the provisions of the Regulation. As it was explained in the previous step, such fines may be imposed on the data controller or the data processor.
According to Article 83 GDPR, the fines may, depending on the infringed provision of the GDPR, amount to a maximum of 20 million Euros, or, if this is a higher amount, to 4% of the total worldwide annual turnover of an undertaking. For example, a failure to implement the data protection by design and by default is subject to a maximum fine of only 10 million Euros or 2% of the total worldwide annual turnover of an undertaking. On the other hand, violating the basic principles of data processing, including the conditions for obtaining a valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of 20 million Euros or 4% of the total worldwide annual turnover.
However, one has to keep in mind that the GDPR establishes only the maximum amount of the fines leaving it to the supervisory authorities to determine the exact amount in specific cases. For determining the amount of a fine, the supervisory authority will take account of the specificity of the case as well as to the use of other corrective powers, such as those relating to, for instance, issuing warnings, reprimands and orders.
What the amount of a fine will be at the end will depend on the nature, gravity and duration of the infringement as well as on its character - if there was intention or negligence from the undertaking. The supervisory authority must ensure that the administrative fines would be in each specific case proportionate to the infringement and at the same time also effective and dissuasive. As a result, not all infringements of the GDPR will lead to those serious fines mentioned above.
If you are eager to learn more on the administrative fines, their setting and application, you can find below the guideliness issued by Article 29 Working Party.
© University of Groningen