1. GDPR Goal
2. Tiered Infractions
3. Mitigating Factors
4. Interested in learning more about GDPR compliance?

GDPR fines are a concern for many companies and organizations. Non-compliance can result in fines of 12 million dollars, or two percent of worldwide yearly revenue of the previous financial year (whichever amount is higher). Such a penalty could stem from the following article violations:

  • Processors and controllers under Articles 8 to 11, 25 to 39, 42, and 43
  • Certification body under Articles 42 and 43
  • Monitoring body under Articles 41 and 44

For GDPR organizations that are in violation of GDPR, the fine can run up to 4 percent of annual worldwide turnover or 24 million dollars (whichever amount is greater). Such a fine amounts to the maximum fine that can be levied on serious infractions (Ex. Having an insufficient customer consent to process such data or the violation of Privacy by Design concepts).

Moreover, such a fine could manifest if the following articles are violated:

  • Basic processing principles: Articles 5 through 7, and 9
  • Data subject rights under Articles 12 to 22
  • Transfer of personal data to a receiver in a third-party nation or other international body under articles 44 to 49
  • Any duties pertaining to Member State law under Chapter IX


The goal of GDPR is to protect EU citizens from data and privacy breaches at a time when the world is increasingly data-driven. The directive is vastly different from the one issued in 1995, and GDPR is considered an upgrade to its previous version.

The same principles still apply from the previous incarnation, but many of the changes have been added to the regulatory policy. In addition, GDPR jurisdiction has been considered the largest change to the regulatory arena of data privacy, and it applies to all companies that process personal data of citizens within the EU, regardless of company location.

Before, the territorial reach of the directive was unclear, referring to data processes “in contact of an establishment.” Such confusion has manifested in numerous high-profile court cases, but GPDR makes the directive clearer by stating that personal data processing that extends to processors or controllers within the EU is subject to GDPR guidelines.

In addition, GDPR also extends personal data processing outside of the EU in cases where:

  • An entity offers goods or services to citizens of the EU (regardless of payment)
  • Behavior monitoring takes place within EU Borders
  • Non-business processing of EU citizen data needs to have an EU representative

Tiered Infractions

In addition, failing to notify authorities of any data open to breaching, or failing to commence an impact assessment, could result in fines. Also, a company can be fined two percent for not having organized records. Such rules apply to both processors and controllers, which means that clouds are also subject to GDPR directives.

The exact fine depends on how severe the infraction is and the ramifications that could arise if a data breach took place. Other factors come into play:

  • Measures that need to be completed in order to be GDPR compliant
  • The manner in which an organization or company failed to establish essential mechanisms to prevent data breaches or alerting data subjects of requests rights they possess, the willingness to answer to these requests, and the manner in which Privacy by Design is honored
  • Additional rights and measures when consent is the opted legal groundwork for lawful processing and more

Mitigating Factors

Other factors will be considered, such as how many people were affected, any damage suffered, infringement duration, and processing purpose. Intention is key, which means the infraction was negligent or intentional.

Mitigation is another factor, meaning that the actions taken to manage any damage done to data subjects. Also, an organization’s history is taken into consideration, which could be interrupted under the Data Protection Directive and the GDPR. Past administration corrections under the GDPR, including bans and warnings on processing, are factored in as well.

Cooperation is another key step in determining how severe the penalty would be. If an organization works with supervisory authorities in fixing the issue, they could receive a lower-cost fine. The type of data breached is another issue that authorities determine as well.

Companies must notify authorities as soon as possible because the time frame in notifying authorities is a key step in determining the level of proper punishment.

Do you need to know more about GDPR fines? To find out more, submit your legal inquiry to our UpCounsel marketplace. UpCounel’s top lawyers will help you in areas pertaining to EU law and what you can do to remain compliant under EU data governance and the securing the data of consenting subjects. Further, our lawyers will represent you in cases where breaches may arise, or if you find yourself in violation of any EU codes of conduct or directives.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.