The General Data Protection Regulation recognizes two levels of fines:
- For less severe violations, penalties can reach up to €10 million or, in the case of an undertaking, 2% of the organization's global turnover of the preceding fiscal year, whichever is higher (Art. 83(4) GDPR). These fines are usually issued for violations connected with record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements.
- For especially severe violations, listed in Art. 83(5) GDPR, fines can reach up to €20 million or up to 4% of the organization's total global turnover of the preceding fiscal year, whichever is higher. These apply to violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects' rights, and data transfers to non-EU countries.
According to Article 83 GDPR, each individual fine should be effective, proportionate, and dissuasive, taking into account:
- the nature, gravity, and duration of the violation;
- the intentional or negligent character of the infringement;
- actions taken by the data controller or data processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor (related to technical and organizational measures);
- previous violations by the data controller or data processor;
- cooperation with the supervisory authority;
- the categories of personal data affected;
- how the supervisory authority learned about the violation;
- whether measures have previously been ordered against the controller or processor regarding the same subject matter;
- compliance with approved codes of conduct or approved certification mechanisms;
- any other factor applicable to the circumstances of the case.