EU GDPR Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

Which fines does GDPR designate for companies?

Author: Punit Bhatia

The EU General Data Protection Regulation (GDPR) is a significant legislation in the field of personal data privacy, and it defines very high fines for non-complying companies. Let us understand what these penalties are.

The fines that can be applied

GDPR has two levels of fines. These fines are specified in EU GDPR Articles 83 and 84. The first level is € 10 million, or 2% of the global annual turnover of the company in the previous financial year. And, the second level is € 20 million, or 4% of the global annual turnover of the company in the previous financial year.

In each scenario, the higher fine would be the maximum fine applicable for your company. This means, if the company had global annual turnover of € 1 billion in the last financial year, and the first level of fine is applicable, the fine of 2% of € 1 billion, i.e., € 20 million, would be levelled because 2% of turnover is higher in comparison to € 10m. It might not sound logical, but if a company had annual revenue of € 500,000, and 2% of this would be € 10,000 – in this case, the € 10 million fine would be applicable because € 10 million is higher than 2% of annual turnover. In short, the higher fine is applicable.

Please note that the calculation demonstrates the highest possible fine and you may not be getting that in the first instance, unless the non-compliance is significant and due to gross negligence. Further, it remains to be seen how Supervisory Authorities will be treating smaller companies, because these maximum fines would kill small companies.

What fines are applied when?

Level-one fines, i.e., € 10 million or 2% of global annual turnover of the company, would be applicable when a company fails to provide an inventory of processing activities, does not cooperate with the Supervisory Authority, or does not communicate about personal data breaches. See also:

And, level-two of, i.e., € 20 million or 4% of global annual turnover of the company, would be applicable when a company fails to demonstrate compliance with basic principles like applying fair conditions for consent, does not process personal data for legitimate purposes, fails to respect rights of data subjects, or transfers personal data to a recipient in a third country without safeguards. See also:

The criteria for applying fines

Fines would normally be decided by the Supervisory Authority on a case-by-case basis, and the decision on impositions of fines shall include factors like:

  • nature, gravity, and duration of infringement
  • infringement being intentional or due to negligence
  • categories of personal data affected
  • number of data subjects and the impact on them
  • measures that were in place to protect data
  • level of cooperation with the Supervisory Authority
  • adherence to industry standards
  • history of previous infringements

Companies should also be concerned about…

Whilst fines in EU GDPR are significant, companies need to be concerned about two more things. One is the fact that data subjects must have the option to ask for compensation if controller or processor actions lead to damages. The second is that the fines are also likely to create reputational damages, which cannot be easily quantified.

As you can see, GDPR fines are very significant. There is a lot of discussion about fines, but the best is to stop talking and start preparing to get compliant. So, don’t wait and act before it is too late.

To learn more about the fines, register for this free EU GDPR Foundations online course.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on EU GDPR regulations.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *

Andrei Hanganu
Lead EU GDPR Expert


Upcoming free webinar
Privacy Notices under the EU GDPR
Wednesday – November 27, 2019



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.