GDPR Fines

What are the GDPR fines for non-compliance?

Multi-tiered approach to GDPR fines and penalties

The General Data Protection Regulation has introduced a tiered approach to fines, meaning that the severity of the breach determines the penalty. Under the GDPR, there are two ways a penalty may be brought against a company:

  • Through the acts of the data subjects (natural persons)
  • Through the acts of the supervisory agency.

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered (civil law claims).

Data subjects have the right to turn to the supervisory agency and lodge a complaint against a company if they find that the company has used their data in a way that is not compliant with the GDPR, or that the company does not fulfil the data subject's rights (e.g. the right to be forgotten).

This will prompt the supervisory agency to investigate the company and, if it finds that the company infringes the GDPR, it may fine the company. Estonian supervisory agencies have said that, taking into account the severity of the infringement and the actions of the company, they will first issue a formal notice and, if the company does not change its policies, they will impose a monetary fine. Of course, if the infringement is on a large scale, they will fine the company immediately and may impose other restrictions on the company, such as a ban on processing.

Furthermore, supervisory agencies may fine a company on their own initiative if it has not followed the GDPR rules.

Amounts of GDPR fines

1. The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher.

2. Less severe infringements, such as keeping improper records or failing to notify of a breach, can be fined a maximum of 2% of annual global turnover, or €10 million, whichever is higher.

However, national legislators will introduce local fines for companies that have no global turnover.

To keep the proper records required by GDPR Article 30, there are solutions such as GDPR Register, which offers easy-to-use templates and reporting approved by the local Data Protection Agency.

See the full contents of the corresponding GDPR Article 83.

Ban on data processing

One of the powers that a supervisory agency has under the GDPR is the power to impose a temporary or definitive limitation on a company, including a ban on data processing. This means that if a supervisory agency finds that the data processing does not comply with the GDPR, it can limit the data processing; and if it finds that the company is not going to comply, or is too far out of line to comply with the GDPR, it can impose a permanent ban on data processing. The ban and limitations do not exclude GDPR fines.

