The General Data Protection Regulation (“GDPR”) requires the supervisory authorities of the European Union (E.U.) member states to impose penalties, including administrative fines, on businesses and individuals for specific data protection violations. Under the GDPR, personal data may be processed only where a lawful basis applies, and processing outside those limited grounds, or in breach of the GDPR’s other obligations, can bring stiff penalties.
Violations that can warrant GDPR penalties and fines come to light in several ways: a business self-reporting an infringement, complaints from customers or potential customers, reports from dissatisfied employees, investigations by data protection authorities, or investigative journalism.
This article will discuss the following topics:
- What penalties can be imposed under the GDPR?
- How penalties are determined under the GDPR
- Fines under the GDPR and how they are issued
- Options for businesses in potential violation of the GDPR
Penalties under the GDPR
The supervisory authority of each member state is given the power to impose these penalties, known as corrective powers in Art. 58(2) of the GDPR, including:
- To issue a warning to a business whose intended processing operations are likely to infringe the GDPR;
- To issue a reprimand to a business whose processing operations have infringed the GDPR;
- To order a business to bring its data processing operations into compliance with the GDPR within a specified period;
- To order a business to notify data subjects of a personal data breach;
- To impose a temporary or definitive limitation on data processing, including an outright ban;
- To refuse to issue a certification to a business that does not meet the GDPR’s requirements, or to withdraw a certification where the requirements are no longer met;
- To order the suspension of data flows to recipients in third countries or to international organisations; and
- To impose administrative fines.
While it is up to the individual E.U. member states to take the measures necessary to implement the GDPR, every fine imposed must be “effective, proportionate and dissuasive” (Art. 83(1)).
How are GDPR penalties determined?
Supervisory authorities apply the criteria listed in Art. 83(2) of the GDPR when they decide how severe a penalty for a data protection violation should be. The penalty is likely to be more severe if it is determined that the business:
- Infringed the GDPR intentionally rather than through negligence;
- Failed to take measures to mitigate the damage suffered by the data subjects; or
- Failed to cooperate with the supervisory authority during the investigation of a potential GDPR violation.
GDPR fines and how they are issued
Fines for infringements under Art. 83(5) of the GDPR can be eye-popping: up to 20,000,000 EUR, or 4 percent of worldwide annual turnover if that is higher. When deciding whether to impose a fine, and how large it should be, the supervisory authority must give due regard to the following factors in each individual case (Art. 83(2)):
- The nature, gravity, and duration of the infringement taking into account the scope and purpose of the data processing;
- The number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Actions taken (or not taken) by the business to mitigate the damage caused;
- The degree of responsibility of the business, taking into account the technical and organizational measures it had put in place to prevent the infringement;
- Any relevant previous infringements by the business;
- The level of cooperation with the relevant authorities in remedying or mitigating the effects of the infringement;
- The categories of personal data affected by the infringement;
- Whether the business notified the relevant authorities of the infringement, and if so, the extent of the transparency provided;
- Whether corrective measures had previously been ordered against the business for the same subject matter, and how well it complied with them;
- Adherence to applicable industry codes of conduct or certification mechanisms; and
- Any other aggravating or mitigating factor applicable to the case, such as financial benefits gained (or losses avoided) through the infringement.
Infringements related to the following provisions can subject a business to GDPR fines up to 10,000,000 EUR or up to 2 percent of the total worldwide annual turnover from the prior financial year (whichever is higher):
- Conditions for a child’s consent to information society services (i.e. where the child is below the age of consent, the business must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility);
- Data processing which requires no identification (i.e. if the business is not in a position to identify a data subject, the business should inform the data subject of such fact);
- Default and designed data protection measures taken by the business (i.e. businesses should implement appropriate technical and organizational measures, such as pseudonymization);
- Duties of the Data Protection Officer (i.e. to act as the contact point for the applicable supervisory authority on issues related to personal data processing); and
- Certification mechanisms and the bodies that operate them to demonstrate the existence of data protection safeguards (i.e. a certification body’s accreditation may be revoked when its actions infringe the GDPR).
This tier (Art. 83(4)) also covers the other controller and processor obligations in Arts. 25 to 39, including security of processing and notification of personal data breaches, so a breach caused by inadequate technical measures falls here even when no unlawful processing is involved.
Fines only get steeper for more severe violations. Infringements of the following provisions can subject a business to fines up to 20,000,000 EUR or up to 4 percent of the total worldwide annual turnover from the prior financial year (whichever is higher):
- Principles relating to the processing of personal data (i.e. personal data must be processed lawfully, fairly and in a transparent manner);
- The lawfulness of processing personal data (i.e. the data subject has given consent or there is a different lawful basis for the processing of his or her personal data);
- Conditions for the consent of processing personal data (i.e. the request for consent is clearly distinguishable from other matters, is presented in an easily accessible form and uses clear and plain language);
- Processing of special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or sexual orientation);
- Transparent access and communication with data subjects when the data subject exercises their rights to their data (i.e. the business must provide the information to the data subject without undue delay and within one month of receipt of the request);
- Automated decision making (i.e. the data subject has the right to not be subject to a decision based on automated processing, including profiling); and
- Principles related to the transfer of personal data (i.e. the data subject has explicitly consented to the data transfer in the absence of other safeguards).
Options for businesses potentially in violation of the GDPR
Fines issued under the GDPR have been rising steadily, and it is not just major businesses and tech companies that are fined. Here are a few examples of small businesses that were issued fines:
- A real estate company was fined 2,500 EUR for disclosing the personal information of buyers to third parties without a legal basis.
- A street vendor was fined 5,000 EUR for failing to obtain consent from customers to process their personal data.
- A local grocery store chain was fined 36,800 EUR for distributing video-surveillance footage of children on its premises without a legal basis.
What if you are worried that you or your business may have violated the GDPR? Art. 83(8) of the GDPR requires that the exercise of these powers be subject to appropriate procedural safeguards, including due process and an effective judicial remedy, so a business can challenge a penalty.
Supervisory authorities also have advisory powers under Art. 58(3): they can advise a business that consults them about a planned processing operation, issue opinions, approve codes of conduct, accredit certification bodies, and issue certifications relating to personal data processing. Engaging with the authority before a problematic processing operation begins is far cheaper than defending a fine after it.
The best way to avoid GDPR penalties, however, is to ensure that violations never occur in the first place.