GDPR penalties

The EU GDPR (General Data Protection Regulation) attracts so much coverage because of the increased administrative fines for non-compliance. However, not all infringements of the GDPR will lead to serious fines.

Besides the power to impose fines, the Swedish Authority for Privacy Protection has a range of corrective powers and sanctions to enforce the GDPR. These include:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

What is the maximum administrative fine under the GDPR?

There are two tiers of administrative fines that can be levied as penalties for non-compliance:

  1. Up to €10 million, or 2% of annual global turnover – whichever is higher.
  2. Up to €20 million, or 4% of annual global turnover – whichever is higher.

The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

Data controllers and processors face administrative fines of:

  • the higher of €10 million or 2% of annual global turnover for infringements of articles:
    • 8 (conditions for children’s consent),
    • 11 (processing that doesn’t require identification),
    • 25-39 (general obligations of processors and controllers),
    • 42 (certification), and
    • 43 (certification bodies)
  • the higher of €20 million or 4% of annual global turnover for infringements of articles:
    • 5 (data processing principles),
    • 6 (lawful bases for processing),
    • 7 (conditions for consent),
    • 9 (processing of special categories of data),
    • 12-22 (data subjects’ rights), and
    • 44-49 (data transfers to third countries).

When deciding whether to impose a fine, and at what level, the Swedish Authority for Privacy Protection must consider:

  • The nature, gravity and duration of the infringement;
  • The intentional or negligent character of the infringement;
  • Any action taken by the organisation to mitigate the damage suffered by individuals;
  • Technical and organisational measures that have been implemented by the organisation;
  • Any previous infringements by the organisation or data processor;
  • The degree of cooperation with the supervisory authority to remedy the infringement;
  • The types of personal data involved;
  • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; and
  • Adherence to approved codes of conduct or certification schemes.

Liability for damages

The GDPR also gives individuals the right to compensation for any material and/or non-material damage resulting from an infringement of the GDPR. In certain cases, not-for-profit bodies can bring representative action on behalf of individuals. This opens the door for mass claims in cases of large-scale infringements.


Start your journey to becoming GDPR compliant today

The possible remedies, liabilities and penalties that may result from non-compliance with the GDPR underline the importance of preparing your organisation.

Browse our range of comprehensive solutions, services and products today to help you meet your GDPR compliance objectives.
