GDPR enforcement and penalties

The EU GDPR (General Data Protection Regulation) has attracted media and business interest because of the increased administrative fines for non-compliance. Not all infringements of the GDPR will lead to those serious fines.

The GDPR grants the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun Toimisto) a mandate to impose administrative fines. The Office may impose fines on organisations that are found to be in breach of the GDPR.

Speak to one of our experts today to find out how your organisation can become GDPR compliant and avoid the risk of a penalty.

What is the maximum administrative fine under the GDPR?

There are two tiers of administrative fines that can be levied as penalties for non-compliance:

  1. Up to €10 million, or 2% of annual global turnover – whichever is greater.
  2. Up to €20 million, or 4% of annual global turnover – whichever is greater.

The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.

The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the data processing principles or an individual’s privacy rights will be subject to the higher level.

Making sure your organisation is GDPR compliant can reduce the chance of incurring an administrative fine.

How are GDPR fines applied?

When deciding whether to impose a fine, the Tietosuojavaltuutetun Toimisto must consider:

  • The nature, gravity and duration of the infringement;
  • The intentional or negligent character of the infringement;
  • Any action taken by the organisation to mitigate the damage suffered by individuals;
  • Technical and organisational measures that have been implemented by the organisation;
  • Any previous infringements by the organisation or data processor;
  • The degree of cooperation with the regulator to remedy the infringement;
  • The types of personal data involved;
  • The way the regulator found out about the infringement;
  • The manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the organisation notified the infringement;
  • Whether and, if so, to what extent the controller or processor notified the supervisory authority of the infringement; and
  • Adherence to approved codes of conduct or certification schemes.

Liability for damages

The GDPR also gives individuals the right to compensation for any material and/or non-material damages resulting from an infringement of the Regulation. In certain cases, not-for-profit bodies can bring representative action on behalf of individuals. This opens the door for mass claims in cases of large-scale infringements.

How IT Governance can help you get GDPR-ready

The possible penalties for non-compliance with the Regulation underline the importance of preparing your organisation.

Browse our range of comprehensive solutions, services and products to help you meet your GDPR compliance objectives.

IT Governance’s specialists can help your organisation become GDPR-compliant and avoid costly administrative fines. Contact our GDPR team for advice and guidance on our products and services.