GDPR Learning Hub

Article 83 of the GDPR

The national supervisory authority has the power to impose administrative fines

The national supervisory authority has the power, under Article 83 of the GDPR, to impose administrative fines on a company that it considers to be in breach of the GDPR. The company can always appeal the decision and have it reviewed by a court (Article 78 of the GDPR gives the right to an effective judicial remedy against a legally binding decision of a supervisory authority).

What are the general conditions for imposing administrative fines that the supervisory authority must comply with?

In accordance with Article 83(1) of the GDPR, the supervisory authority must ensure that the imposition of administrative fines is effective, proportionate and dissuasive in each individual case. These are the general conditions for the imposition of administrative fines under the GDPR.

What breaches of the GDPR can lead to an administrative fine?

In principle, any infringement of the GDPR can lead to an administrative fine, but in practice not every infringement does. The supervisory authority reviews the specific company and the specific circumstances, and many factors play a role in the decision. The more serious the infringement, the greater the risk of an administrative fine.

Both controllers and processors may receive administrative fines

Although it is the controller who bears the greatest responsibility for the processing of personal data, processors also have a responsibility. The national supervisory authority may impose administrative fines on both controllers and processors.

Data protection officer cannot receive an administrative fine

Some companies must appoint a data protection officer, who among other things is tasked with monitoring that the company complies with the GDPR. The data protection officer shall also advise the company, review its internal control documents and be available as a contact point for data subjects, both internally to employees and externally to other data subjects. However, the data protection officer has no personal liability under Article 83 and therefore cannot be fined by the supervisory authority; the fine is addressed to the controller or processor. In addition, the controller is prohibited from dismissing or penalising the data protection officer for performing his or her tasks (Article 38(3) of the GDPR).

Can an administrative fine be combined with several measures?

Yes. Under Article 83(2) of the GDPR, an administrative fine may be imposed in addition to, or instead of, the corrective measures set out in Article 58(2) of the GDPR, such as a warning, a reprimand, an order to comply, or a temporary or definitive ban on processing.

What is the maximum amount of administrative fines that a company can be subject to for infringements of the GDPR?

The maximum administrative fine for a serious infringement of the GDPR is EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

For a minor infringement of the GDPR, the maximum administrative fine is instead EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Note that the turnover figure is that of the undertaking, which in practice can mean the whole corporate group rather than the single legal entity that committed the infringement.

Can a public authority or other public actors be subject to an administrative fine for infringements of the GDPR?

Each Member State is free to determine in its own national law whether, and to what extent, administrative fines may be imposed on public authorities and bodies established in that Member State. This is stated in Article 83(7) of the GDPR. The maximum amount of administrative fines that public bodies can be subject to for infringements of the GDPR is therefore also a matter for each Member State to decide.

What constitutes a serious infringement of the GDPR?

Article 83(5) of the GDPR sets out the infringements that this page refers to as serious. For infringements of the following provisions of the GDPR, the supervisory authority may impose an administrative fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

  1. Articles 5, 6, 7 and 9 of the GDPR, regarding the basic principles for processing, including the conditions for consent.
  2. Articles 12 to 22 of the GDPR, regarding the rights of data subjects.
  3. Articles 44 to 49 of the GDPR, regarding the transfer of personal data to a recipient in a third country or to an international organisation.
  4. Any obligations laid down in the national law of the Member States adopted pursuant to Chapter IX (Articles 85 to 91) of the GDPR.
  5. Failure to comply with the following measures of the supervisory authority under Article 58 of the GDPR:
  • an order issued under Article 58(2).
  • a temporary or definitive limitation on processing.
  • a suspension of data flows.
  • failure to provide the supervisory authority with access in violation of Article 58(1).

Article 83(6) adds that non-compliance with an order of the supervisory authority under Article 58(2) is in itself subject to the same maximum.

What constitutes a minor infringement of the GDPR?

Article 83(4) of the GDPR sets out the infringements that this page refers to as minor. For infringements of the following provisions of the GDPR, the supervisory authority may impose an administrative fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

  1. Articles 8, 11, 25 to 39, 42 and 43 of the GDPR, regarding the obligations of controllers and processors.
  2. Articles 42 and 43 of the GDPR, regarding the obligations of the certification body.
  3. Article 41(4) of the GDPR, regarding the obligations of the monitoring body.

Example of how to calculate the amount of the administrative fine when it is maximum

Is the maximum administrative fine EUR 20 million, or up to 4% of the company's total worldwide annual turnover of the preceding financial year? The short answer is that it depends on the turnover. The higher of the two amounts is the ceiling; the fine actually imposed may be anything up to that ceiling, depending on the factors discussed below.

Example 1

If a company has a total worldwide annual turnover of the preceding financial year equivalent to EUR 1 billion, 4% of this is EUR 40 million, which is higher than EUR 20 million. The maximum administrative fine in this case is therefore EUR 40 million.

Example 2

If the company instead has a total worldwide annual turnover of the preceding financial year equivalent to EUR 300 million, 4% of this is EUR 12 million, which is lower than EUR 20 million. In such a case the maximum administrative fine is EUR 20 million.

What factors does the supervisory authority take into account before deciding on a fine for infringement of the GDPR?

The supervisory authority takes many different factors into account when deciding whether to impose an administrative fine for an infringement of the GDPR and, if so, what the amount should be. It makes a case-by-case assessment based on the circumstances, giving due regard in particular to the factors listed in Article 83(2) of the GDPR:

  1. the duration, nature and gravity of the infringement;
  2. the nature, scope and purpose of the processing;
  3. the number of data subjects affected by the infringement, including the damage suffered by the data subjects as a result of the infringement;
  4. whether the infringement was committed intentionally or through negligence or gross negligence;
  5. the measures taken by the company to minimise the damage caused by the infringement to the data subjects;
  6. the degree of responsibility of the company, taking into account the technical and organisational security measures implemented by the company;
  7. whether the company has previously infringed the GDPR;
  8. how much the company cooperates with the supervisory authority to resolve the situation and mitigate the potential adverse effects of the infringement;
  9. the categories of personal data affected by the infringement;
  10. how the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the company itself notified the infringement to the supervisory authority;
  11. whether the supervisory authority has previously ordered corrective measures against the company pursuant to Article 58(2) of the GDPR on the same subject matter, and whether the company has complied with those measures;
  12. whether the company adheres to approved codes of conduct in accordance with Article 40 of the GDPR;
  13. whether the company adheres to approved certification mechanisms in accordance with Article 42 of the GDPR;
  14. any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, as a result of the infringement.

What does it mean if an infringement is committed intentionally or negligently?

The supervisory authority assesses whether the infringement was committed intentionally or negligently. An intentional infringement is treated as more serious than a negligent one and often leads to a higher fine. It is therefore useful to know the difference between the two concepts:

Intent

An infringement is intentional when the company knows that it is not complying with the rules of the GDPR and proceeds anyway. For example, a company that processes credit card information, knows that its security measures are insufficient, and chooses not to do anything about it.

Negligence

An infringement is negligent when the company had no knowledge of, or intent behind, the breach of the GDPR, but has nevertheless failed in its statutory duty of care, for example by not taking the security measures that could reasonably have been expected of it.

Administrative fines are not available to data subjects

When a company is subject to an administrative fine, the amount is paid to the State in the manner determined by national law, not to the affected data subjects, and it cannot be shared with them. Data subjects instead have a separate right to compensation under Article 82 of the GDPR for material or non-material damage caused by an infringement, but this is not something the supervisory authority claims on their behalf. The data subject needs to bring a civil action against the controller or processor to claim such damages.

More about GDPR

Prohibition

A company may be prohibited by the national supervisory authority from carrying out a specific type of processing, by way of a temporary or definitive ban under Article 58(2)(f) of the GDPR. This means that the processing must cease. Alternatively, the company may be ordered to bring its processing into compliance with specific conditions regarding how the processing shall be carried out.
