What are the GDPR Fines? - GDPR.eu (2023)

GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. In this article we’ll look at how much a GDPR fine can be and how regulators determine the figure.

The European Union’s General Data Protection Regulation (GDPR) was designed to apply to all types of businesses, from multi-nationals down to micro-enterprises. The fines imposed by the GDPR under Article 83 are flexible and scale with the firm. Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.

Below we will look at the administrative fine structure, how fines are assessed, and which infringements can incur penalties. This is not a guide on how to avoid GDPR fines (you can find our GDPR compliance checklist here). Rather it’s a brief primer on the financial exposure organizations face for non-compliance.

Two tiers of GDPR fines

The GDPR states explicitly that some violations are more severe than others.

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. They include any violation of the articles governing:

  • Controllers and processors (Articles 8, 11, 25-39, 42, and 43) — Organizations that collect and control data (controllers) and those that are contracted to process data (processors) must adhere to rules governing data protection, lawful basis for processing, and more. As an organization, these are the articles you need to read and adhere to.
  • Certification bodies (Articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process.
  • Monitoring bodies (Article 41) — Bodies that have been designated to have the appropriate level of expertise must demonstrate independence and follow established procedure in handling complaints or reported infringements in an impartial and transparent manner.

The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These include any violations of the articles governing:

  • The basic principles for processing (Articles 5, 6 and 9) — Data processing must be done in a lawful, fair, and transparent manner. It has to be collected and processed for a specific purpose, be kept accurate and up to date, and processed in a manner that ensures its security. Organizations are only allowed to process data if they meet one of the six lawful bases listed in Article 6. In addition, certain types of personal data, including racial origin, political opinions, religious beliefs, trade union membership, sexual orientation, and health or biometric data are prohibited except under specific circumstances.
  • The conditions for consent (Article 7) — When an organization’s data processing is justified based on the person’s consent, that organization needs to have the documentation to prove it.
  • The data subjects’ rights (Articles 12-22) — Individuals have a right to know what data an organization is collecting and what they are doing with it. They also have a right to obtain a copy of the data collected, to have this data corrected, and in certain cases, the right to have this data be erased. People also have a right to transfer their data to another organization.
  • The transfer of data to an international organization or a recipient in a third country (Articles 44-49) — Before an organization transfers any personal data to a third country or international organization, the European Commission must decide that that country or organization ensures an adequate level of protection. The transfers themselves must be safeguarded.

They also include:

  • Any violation of member state laws adopted under Chapter IX — Chapter IX grants EU member states the ability to pass additional data protection laws as long as they are in accordance with the GDPR. Any violation of these national laws also faces GDPR administrative fines.
  • Non-compliance with an order by a supervisory authority — If an organization fails to comply with an order from a supervisory authority, it has set itself up to face the maximum fine, regardless of what the original infringement was.

And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement.

How much is a GDPR fine?

Under the GDPR, fines are administered by the data protection regulator in each EU country. That authority will determine whether an infringement has occurred and the severity of the penalty. They will use the following 10 criteria to determine whether a fine will be assessed and in what amount:

  • Gravity and nature — The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
  • Intention — Whether the infringement was intentional or the result of negligence.
  • Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
  • Precautionary measures — The amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR.
  • History — Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
  • Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
  • Data category — What type of personal data the infringement affects.
  • Notification — Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
  • Certification — Whether the firm followed approved codes of conduct or was previously certified.
  • Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

If regulators determine an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.

Data controller’s responsibility

Many companies use third parties, like email or cloud storage services, to handle their data. While this can be helpful in adhering to the GDPR if the third party has a higher technological capacity, it does not absolve the hiring organization (i.e. the controller) from ensuring that personal data is processed in accordance with the GDPR. Unless the controller can clearly demonstrate that it was “not in any way responsible for the event giving rise to the damage,” it will be fully liable for any infringement caused by a non-compliant third party.

For this reason, it’s important to carefully vet any third-party services you use to make sure they have a good track record for security and can demonstrate their own GDPR compliance.

Conclusion

The GDPR’s stiff fines are aimed at ensuring best practices for data security are too costly not to adopt. While it remains to be seen how fines will be applied by different EU member states, these fines loom for any organization not making strides to ensure GDPR compliance.

Last Updated: 12/23/2022