What are the Fines and Penalties for Non-Compliance with the GDPR?
The General Data Protection Regulation (GDPR), enacted by the European Union (EU) in May 2018, has significantly reshaped how organizations handle and protect personal data. One of its most discussed elements is its enforcement mechanism, which allows for substantial fines and penalties in the event of non-compliance. These fines can reach up to millions of euros, depending on the severity of the violation. Understanding the potential consequences of failing to comply with the GDPR is essential for any business handling personal data, whether it is based within or outside the EU.
In this article, we will explore the fines and penalties for non-compliance under the GDPR, including the factors that determine the level of the fine and examples of companies that have faced penalties since the regulation came into force.
Categories of Fines Under GDPR
The GDPR divides fines into two categories, with different maximum limits based on the nature of the violation:
1. Fines Up to €10 Million or 2% of Global Annual Turnover
These fines apply to less severe violations, often related to procedural and administrative issues. Violations in this category include:
- Inadequate Record-Keeping: Failing to keep accurate records of data processing activities as required by Article 30.
- Failure to Appoint a Data Protection Officer (DPO): Under Articles 37-39, certain organizations are required to appoint a DPO, such as public authorities or companies engaged in large-scale monitoring of data subjects. Failing to appoint one could lead to this lower-level fine.
- Inadequate Data Security Measures: Failure to implement appropriate technical and organizational security measures to protect personal data as required by Article 32.
2. Fines Up to €20 Million or 4% of Global Annual Turnover
This higher level of fines is reserved for more significant violations that affect individuals’ privacy rights. Violations in this category include:
- Violating Data Subject Rights: This includes denying individuals their rights under Articles 12-22, such as the right to access their personal data, the right to erasure (the “right to be forgotten”), and the right to data portability.
- Non-Compliance with Consent Requirements: Under Article 7, consent must be freely given, specific, informed, and unambiguous. Failure to meet these consent standards can lead to substantial penalties.
- Unlawful Data Transfers: If a company transfers personal data outside the EU without adequate protection measures (i.e., without using an approved transfer mechanism such as standard contractual clauses, or without obtaining appropriate consent), it can face higher fines under Articles 44-49.
- Failure to Notify Data Breaches: Under Article 33, organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Failure to do so, or failing to notify affected individuals when required under Article 34, can lead to significant fines.
Factors Considered in Imposing Fines
Under Article 83(2) of the GDPR, regulators take into account several factors when determining the level of fines for non-compliance:
- Nature, Gravity, and Duration of the Infringement: More serious or long-term violations will attract higher fines. For instance, if the data breach involves sensitive personal data, such as health records or financial information, this will lead to more significant penalties.
- Intentional or Negligent Character of the Infringement: Whether the infringement was intentional or resulted from negligence plays a role in the penalty calculation. Deliberate violations, such as ignoring GDPR compliance requirements, often incur higher fines.
- Steps Taken to Mitigate Damage: If the company took prompt and effective steps to mitigate the damage after discovering a breach, the fine may be reduced. For example, quick notification of the breach and assistance to affected individuals can show a responsible response.
- Degree of Cooperation with Supervisory Authorities: Organizations that cooperate with the data protection authorities during the investigation may receive a lower fine. Full transparency and assistance with the investigation can be viewed favorably.
- Categories of Personal Data Affected: Fines are also influenced by the type of data involved in the breach. For example, if the breach exposes sensitive data, such as racial or ethnic origin, political opinions, religious beliefs, health information, or sexual orientation, higher penalties may be imposed.
- Previous Infringements: If the organization has a history of GDPR non-compliance, the fine may be increased. Recidivism is taken seriously by supervisory authorities.
- Adherence to Approved Codes of Conduct: Organizations that follow approved GDPR codes of conduct and certification mechanisms may demonstrate their commitment to data protection, which could result in lower penalties.
Examples of GDPR Fines
Several companies have been fined for GDPR violations, highlighting the wide range of penalties imposed for different types of non-compliance:
- Google (€50 million): In 2019, the French data protection authority, CNIL, fined Google €50 million for failing to provide sufficient transparency about how personal data was being processed and not obtaining valid consent for personalized advertising. This was one of the first major GDPR fines, and it demonstrated the severity with which EU regulators would treat non-compliance, particularly when it involves large tech companies.
- British Airways (€20 million): In 2020, British Airways was fined for a 2018 data breach that compromised the personal data of over 400,000 customers. Originally set at €183 million, the fine was later reduced to €20 million due to the airline’s financial hardship caused by the COVID-19 pandemic. British Airways was found to have had inadequate security measures in place, which led to the breach.
- Marriott International (€18.4 million): The hotel chain was fined for a data breach that affected approximately 339 million guest records globally. The breach, which began in 2014 but was not discovered until 2018, exposed sensitive personal data, including names, contact details, and passport numbers.
- H&M (€35 million): The German data protection authority fined H&M for unlawfully surveilling employees by collecting excessive information about their personal lives, including details about their health and family issues. This fine illustrates the GDPR’s application not only to customer data but also to employee data.
The Importance of Proactive GDPR Compliance
The GDPR’s enforcement mechanism underscores the importance of proactive compliance measures. Organizations should not wait for a data breach or a regulator’s intervention to address compliance issues. Conducting regular data protection impact assessments (DPIAs), ensuring transparency with customers and employees, and maintaining up-to-date security measures are critical steps.
Moreover, companies should invest in GDPR training for their staff, particularly for those in data management roles. Appointing a Data Protection Officer (DPO) where necessary and working closely with legal advisors specializing in data protection will help mitigate the risk of violations.
In conclusion, while the fines and penalties associated with GDPR non-compliance are significant, they can often be avoided by ensuring a robust data protection framework that adheres to the regulation’s core principles. With regulators increasingly focusing on enforcing GDPR rules, organizations must stay vigilant to avoid financial and reputational harm.
Need More Details?
Read the full GDPR text here.