Skip main navigation

Administrative fines

This article discusses administrative fines and their application.
© University of Groningen

One of the most discussed topics and the novelties introduced by the GDPR are the administrative fines that supervisory authorities may impose in the event of infringements of the provisions of the Regulation. As it was explained in the previous step, such fines may be imposed on the data controller or the data processor.

According to Article 83 GDPR, the fines may, depending on the infringed provision of the GDPR, amount to a maximum of 20 million Euros, or, if this is a higher amount, to 4% of the total worldwide annual turnover of an undertaking. For example, a failure to implement the data protection by design and by default is subject to a maximum fine of only 10 million Euros or 2% of the total worldwide annual turnover of an undertaking. On the other hand, violating the basic principles of data processing, including the conditions for obtaining a valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of 20 million Euros or 4% of the total worldwide annual turnover.

However, one has to keep in mind that the GDPR establishes only the maximum amount of the fines leaving it to the supervisory authorities to determine the exact amount in specific cases. For determining the amount of a fine, the supervisory authority will take account of the specificity of the case as well as to the use of other corrective powers, such as those relating to, for instance, issuing warnings, reprimands and orders.

What the amount of a fine will be at the end will depend on the nature, gravity and duration of the infringement as well as on its character – if there was intention or negligence from the undertaking. The supervisory authority must ensure that the administrative fines would be in each specific case proportionate to the infringement and at the same time also effective and dissuasive. As a result, not all infringements of the GDPR will lead to those serious fines mentioned above.

If you are eager to learn more on the administrative fines, their setting and application, you can find below the guideliness issued by Article 29 Working Party.

© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education