« 82. Right to compensation and liability | 84. Penalties » |
CHAPTER VIII Remedies, liability and penalties
83. General conditions for imposing administrative fines
Each supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
any relevant previous infringements by the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8;
the degree of cooperation with the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 affected by the infringement;
the manner in which the infringement became known to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21, in particular whether, and if so to what extent, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 notified the infringement;
where measures referred to in Article 58(2) have previously been ordered against the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 concerned with regard to the same subject-matter, compliance with those measures;
adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
If a controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 intentionally or negligently, for the same or linked processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
the obligations of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
the obligations of the certification body pursuant to Articles 42 and 43;
the obligations of the monitoring body pursuant to Article 41(4).
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
the basic principles for processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2, including conditions for consent‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. GDPR Article 4 Paragraph 11, pursuant to Articles 5, 6, 7 and 9;
the data subjects’ rights pursuant to Articles 12 to 22;
the transfers of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 to a recipient‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. GDPR Article 4 Paragraph 9 in a third country or an international organisation‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries GDPR Article 4 Paragraph 26 pursuant to Articles 44 to 49;
any obligations pursuant to Member State law adopted under Chapter IX;
non-compliance with an order or a temporary or definitive limitation on processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 or the suspension of data flows by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
Non-compliance with an order by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
The exercise by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Recitals
Recital 148
In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21, compliance with measures ordered against the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
Recital 150
In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.
Recital 151
The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 GDPR Article 4 Paragraph 21 initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
Posts regarding this GDPR Paragraph:
- Austria: 38 GDPR Fines in 2019 13/08/2020
FAQs regarding this GDPR Article:
GDPR Fines based on this article
Title | GDPR Country | Number of involved data records | GDPR Fine |
---|---|---|---|
Fine against Bisnode Polska | Poland | 5 700 000 | 220,000 € |
Penalty for refusal to provide data | Hungary | 1 | 3,200 € |
CNIL imposes 50 million fine on Google | France | unknown | 50,000,000 € |
Penalty against Uber | Great Britain | 2 700 000 | 440,000 € |
Penalty against British Bible Society | Great Britain | 417 000 | 115,000 € |