GDPR penalties and fines

GDPR has attracted media and business interest because of the increased administrative fines for non-compliance.

However, not all infringements of the GDPR will lead to data protection fines.

Supervisory authorities such as the Data Protection Commission (DPC) in Ireland has a range of corrective powers and sanctions to enforce the GDPR.

These include:

• Issuing warnings and reprimands;
• Imposing a temporary or permanent ban on data processing;
• Ordering the rectification, restriction or erasure of data, and;
• Suspending data transfers to third countries.

In addition, data subjects have a right to take legal proceedings against a controller or a processor if he or she believes that his or her rights under GDPR have been infringed.

What is the maximum GDPR fine?

There are two tiers of administrative fines that can be levied as penalties for non-compliance:

1. Up to €10 million, or 2% annual global turnover – whichever is higher.
2. Up to €20 million, or 4% annual global turnover – whichever is higher.

The fines are based on the specific articles of the Regulation that the organisation has breached and calculated in the total worldwide annual turnover of the preceding financial year.

Infringements of the organisation’s obligations, including reporting of data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

The two tiers of GDPR fine

Lower level of GDPR penalties

Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:

• 8 (conditions for children’s consent);
• 11 (processing that doesn’t require identification);
• 25 – 39 (general obligations of processors and controllers);
• 42 (certification); and
• 43 (certification bodies).

Higher level of GDPR penalties

Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:

• 5 (data processing principles);
• 6 (lawfulness of processing);
• 7 (conditions for consent);
• 9 (processing of special categories of data);
• 12 – 22 (data subjects’ rights); and
• 44 – 49 (data transfers to third countries or international organisations).

How are GDPR fines applied?

When deciding whether to impose a fine and the level, the Data Protection Commission (DPC) must consider:

• The nature, gravity and duration of the infringement;
• The intentional or negligent character of the infringement;
• Any action taken by the organisation to mitigate the damage suffered by individuals;
• Degree of responsability of the controller or processor taking into technical and organisational measures that have been implemented by them;
• Any previous infringements by the organisation or data processor;
• The degree of cooperation with the supervisory authority to remedy the infringement;
• The types of personal data involved;
• The manner in which the infringement became known to the DPC, in particular whether and to what extent the organisation notified the infringement;
• Compliance, or non-compliance, with any measures previously ordered by the DPC;
• Adherence to approved codes of conduct or approved certification schemes;
• Any other factors applicable, such as financial benefits gained or losses avoided, from the infringement.

Liability for damages

The GDPR also gives individuals the right to compensation of any material and/or non-material damages resulting from an infringement of the GDPR.

In particular, where the processing may give rise to discrimination, identity theft, financial loss, damage to reputation or any other significant economic or social disadvantage, where individuals might be deprived of their rights and freedoms.

In certain cases, not-for-profit bodies can bring representative action on behalf of individuals.

This opens the door for mass claims in cases of large-scale infringements.