However, GDPR fines are not intended to ruin your business or harm the economy, nor to be the sole reason for GDPR compliance.
They are designed to give weight to what the GDPR advocates, make companies responsible for how they handle personal data, and make non-compliance unprofitable.
Since the GDPR applies to a whole array of organizations, from small to medium to large enterprises, GDPR fines are scalable and flexible, and the amount of a fine depends on multiple factors. It is important to note that there is no simple formula for calculating GDPR fines.
So let’s see how GDPR fines are grouped and what will affect the final decision by the supervisory authority.
Two tiers of GDPR fines
GDPR proposes two levels of GDPR fines depending on the severity of the violation.
1. GDPR fines for less severe violations
Less severe violations can result in penalties up to €10 million, or in the case of an undertaking, 2% of the organization’s global turnover of the preceding fiscal year, whichever is higher.
The lower tier applies mostly to violations of a procedural or technical nature, such as those connected with record-keeping, data security, data protection impact assessments (DPIAs), data protection by design and by default, and data processing agreements. It covers violations of:
- the obligations of the controller and the processor (Articles 8, 11, 25 to 39 and 42 and 43)
- the obligations of the certification body (Articles 42 and 43)
- the obligations of the monitoring body (Article 41(4))
2. GDPR fines for severe violations
For especially severe violations the fine can be up to €20 million, or up to 4% of the organization’s total global turnover of the preceding fiscal year, whichever is higher.
Severe GDPR fines are often issued for violations relating to data protection principles, the legal basis for processing, information to data subjects, the processing of sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries:
- Basic principles for processing, including conditions for consent (Articles 5, 6, 7, and 9) – as an organization, you are obligated to process personal data based on one of the six lawful bases for processing. Processing must be lawful, fair, and transparent, among other things.
- Data subjects’ rights (Articles 12 to 22) – respecting data subject rights and providing transparent information and communication for the exercise of those rights
- Transfers of personal data to a recipient in a third country or an international organization (Articles 44 to 49)
- Any obligations pursuant to Member State law
- Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority or failure to provide access in violation of Article 58(1)
- Non-compliance with an order by the supervisory authority
How are GDPR fines defined and calculated?
Each EU country has a national data protection authority (DPA) – an independent public authority that supervises the application of the data protection law and defines the final amount of GDPR fines, among other things.
Data Protection Authorities are tasked with imposing effective, proportionate, and dissuasive fines. They are responsible for weighing all important aspects of the violation, such as the seriousness of the infringement, the effect it had on individuals, and the level of cooperation the organization demonstrated in the process, and for using all that information to define the amount of the GDPR fine.
What does the supervisory authority take into account when imposing a fine?
The GDPR prescribes 11 important criteria that a DPA uses to determine the amount of the penalty:
- Nature, gravity, and duration of the violation – the supervisory authority will take into account the number of data subjects that have been affected, the level of damage they suffered, the nature of the violation, why and how the violation occurred, and how long it lasted
- Intention – whether the violation was intentional or the result of negligence
- Mitigation of the risk – did the organization take any type of action to mitigate the damage suffered by data subjects
- Responsibility – the degree of responsibility the organization has demonstrated so far regarding the implementation of appropriate technical and organizational measures
- Previous violations – any relevant previous infringements by the organization
- Level of cooperation – the level of cooperation with the supervisory authority that the organization demonstrated in order to remedy the violation and mitigate the possible effects
- Data categories – the categories of personal data affected by the violation
- Notification of the violation – whether (and to what extent) the organization notified the supervisory authority about the violation
- History – when imposing a fine the supervisory authority will take into account if any corrective measures were previously issued against the organization regarding the same subject.
- Codes of conduct – adherence to approved codes of conduct or approved certification mechanisms
- Aggravating or mitigating factors – applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the violation
Should you be worried about GDPR fines?
Getting a GDPR fine can undermine the company’s efforts to build relationships based on trust with its customers.
Aside from the financial repercussions, it also affects brand value, investor appeal, business operations, and external relationships and it is safe to say it brings bad publicity to the organization.
However, a Data Protection Authority will most likely use a GDPR fine as a last resort, which in some cases will be preceded by warnings or interventions.
If the DPA investigation uncovers a gross intentional infringement of the GDPR, if the violation persists over a longer period of time, or if the organization knowingly and repeatedly violates the GDPR and puts individuals’ personal data at risk, all of this will add to the final amount of the fine.
The DPA may take into account, among other factors, the nature, gravity, and duration of the infringement, the negligent character of the infringement, the size of the organization, and its turnover.
You will probably have the opportunity to influence the amount of the fine. This is why it is extremely important to cooperate with the DPA, document everything, put adequate technical and organizational measures in place, and be able to demonstrate compliance on demand.