GDPR enforcement and penalties
The EU GDPR (General Data Protection Regulation) has attracted media and business interest largely because of the administrative fines it introduces for non-compliance, which are far larger than those available under the previous Data Protection Directive. However, not every infringement of the GDPR leads to a fine of that size.
Denmark’s legal system does not allow for administrative fines of the kind set out in the Regulation. Article 83(9) permits such Member States to have fines imposed by their national courts instead, so in most cases the Datatilsynet refers the matter to the police and the fine is imposed by the Danish courts as a criminal penalty.
In addition, the Datatilsynet (Data Protection Agency) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands, imposing a temporary or permanent ban on data processing, ordering the rectification, restriction or erasure of data, and suspending data transfers to third countries.
To reduce the risk of a penalty for non-compliance, speak to one of our experts today to find out how your organisation can become GDPR-compliant.
Speak to an expert
What is the maximum administrative fine under the GDPR?
There are two tiers of administrative fines that can be levied as penalties for non-compliance:
- Up to €10 million, or 2% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher.
- Up to €20 million, or 4% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher.
The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
Which tier applies depends on the articles of the Regulation that have been infringed. Breaches of the controller’s or processor’s own obligations fall under the lower tier: for example, failing to implement appropriate technical and organisational security measures (Article 32), failing to notify a personal data breach (Articles 33 and 34), failing to carry out a data protection impact assessment, or failing to appoint a data protection officer where one is required. The higher tier applies to infringements of the basic principles for processing (including lawfulness and the conditions for consent), of individuals’ rights, and of the rules on transfers to third countries, and to failure to comply with an order issued by the supervisory authority.
Making sure that your organisation is compliant with the GDPR can reduce the chance of incurring a fine.
Learn more about the steps you need to take to prepare for the GDPR and demonstrate compliance >>
How are GDPR fines applied?
When deciding whether to impose a fine, and at what level, supervisory authorities such as the Datatilsynet must take into account (Article 83(2)):
- The nature, gravity and duration of the infringement, including the nature, scope and purpose of the processing, the number of individuals affected and the level of damage they suffered;
- Whether the infringement was intentional or negligent;
- Any action taken by the organisation to mitigate the damage suffered by individuals;
- The organisation’s degree of responsibility, taking into account the technical and organisational measures it had implemented;
- Any previous infringements by the controller or processor;
- The degree of cooperation with the regulator to remedy the infringement and mitigate its effects;
- The categories of personal data affected;
- How the regulator found out about the infringement, in particular whether, and to what extent, the controller or processor notified it;
- Whether the organisation complied with any measures previously ordered against it by the regulator;
- Adherence to approved codes of conduct or certification schemes; and
- Any other aggravating or mitigating factor, such as financial benefits gained, or losses avoided, as a result of the infringement.
Liability for damages
The GDPR also gives individuals the right to compensation from the controller or processor for any material or non-material damage suffered as a result of an infringement (Article 82). Not-for-profit bodies active in the field of data protection can bring claims on behalf of individuals who mandate them to do so (Article 80). This opens the door to mass claims following large-scale infringements.
Discover our quick wins to demonstrate GDPR compliance >>
How IT Governance can help you get GDPR-ready
The remedies, liabilities and penalties that can follow non-compliance with the GDPR underline the importance of preparing your organisation.
Browse our range of comprehensive solutions, services and products to help you meet your GDPR compliance objectives.
Download our free GDPR resources
Shop our GDPR products
Speak to a GDPR advisor
IT Governance’s specialists can help your organisation become GDPR-compliant and reduce the risk of costly administrative fines. Contact our GDPR team for advice and guidance on our products and services.