The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines hang like a Sword of Damocles over organizations that are getting ready for the GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently impose fines of up to EUR 300,000. Under the GDPR, fines can reach up to EUR 20 million or 4% of the worldwide annual turnover.
Levels of fines
The DPAs explain the different levels of fines that can be imposed against a controller or processor, and give examples of the relevant cases.
- Fines of up to EUR 10 million or, in case of an “undertaking”, 2% of the total worldwide annual turnover of the preceding business year, whichever is higher, can be imposed, e.g., for the failure to implement appropriate technical and organizational security measures.
- “Particularly serious infringements” can result in fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. Particularly serious infringements include violations of the rights of data subjects or processing without a justification.
- Non-compliance with an order by the supervisory authority under Art. 58 (2) GDPR may be subject to fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.