Punit BhatiaThe EU General Data Protection Regulation (GDPR) is a significant legislation in the field of personal data privacy. The GDPR defines very high fines for non-complying companies. Let us understand what these penalties are.
These are the GDPR fines that can be applied
GDPR has two levels of fines. These fines are specified in EU GDPR Articles 83 and 84. The first level is € 10 million, or 2% of the global annual turnover of the company in the previous financial year. And, the second level is € 20 million, or 4% of the global annual turnover of the company in the previous financial year.
In each scenario, the higher GDPR fine would be the maximum fine applicable for your company. This means, if the company had global annual turnover of € 1 billion in the last financial year, and the first level of fine is applicable, the fine of 2% of € 1 billion, i.e., € 20 million, would be levelled because 2% of turnover is higher in comparison to € 10m. It might not sound logical, but if a company had annual revenue of € 500,000, and 2% of this would be € 10,000 – in this case, the € 10 million fine would be applicable because € 10 million is higher than 2% of annual turnover. In short, the higher fine is applicable.
Please note that the calculation demonstrates the highest possible fine and you may not be getting that in the first instance, unless the non-compliance is significant and due to gross negligence. Further, it remains to be seen how Supervisory Authorities will be treating smaller companies, because these maximum fines would kill small companies.
GDPR penalties: What fines are applied when?
Level-one fines, i.e., € 10 million or 2% of global annual turnover of the company, would be applicable when a company fails to provide an inventory of processing activities, does not cooperate with the Supervisory Authority, or does not communicate about personal data breaches. See also:
- The obligations of controllers towards Data Protection Authorities according to GDPR
- 5 steps to handle a data breach according to GDPR
And, level-two of, i.e., € 20 million or 4% of global annual turnover of the company, would be applicable when a company fails to demonstrate compliance with basic principles like applying fair conditions for consent, does not process personal data for legitimate purposes, fails to respect rights of data subjects, or transfers personal data to a recipient in a third country without safeguards. See also:
- Is consent needed? Six legal bases to process data according to GDPR
- Understanding 6 key GDPR principles
The criteria for applying GDPR fines
Fines would normally be decided by the Supervisory Authority on a case-by-case basis, and the decision on impositions of fines shall include factors like:
- nature, gravity, and duration of infringement
- infringement being intentional or due to negligence
- categories of personal data affected
- number of data subjects and the impact on them
- measures that were in place to protect data
- level of cooperation with the Supervisory Authority
- adherence to industry standards
- history of previous infringements
Companies should also be concerned about…
Whilst fines in EU GDPR are significant, companies need to be concerned about two more things. One is the fact that data subjects must have the option to ask for compensation if controller or processor actions lead to damages. The second is that the fines are also likely to create reputational damages, which cannot be easily quantified.
As you can see, GDPR fines are very significant. There is a lot of discussion about fines, but the best is to stop talking and start preparing to get compliant. So, don’t wait and act before it is too late.
To learn more about the fines, register for this free EU GDPR Foundations online course.