GDPR penalties: these are the fines you can expect
Violations of the GDPR can result in severe penalties. In this article we explain what fines you can expect.
GDPR penalties: what do the fines depend on?
The General Data Protection Regulation has been in force since May 2018. It is intended to regulate data protection uniformly across the EU, and at the same time it has caused a great deal of commotion and anxiety. This is due not only to the complicated rules, but also to the sanctions that threaten in the event of violations.
- Fines are imposed by the supervisory authority. In Germany, this task falls to the data protection commissioner of the respective federal state.
- The supervisory authority has extensive investigative and corrective powers. It can thus gain a comprehensive picture of how well controllers and processors comply with the GDPR. It can also issue warnings and order measures, such as remedying legal violations or prohibiting data processing.
- If the supervisory authority imposes fines, it can do so instead of or in addition to exercising its corrective powers.
- When determining the amount of a fine, the data protection supervisory authority must assess and weigh a number of circumstances, for example the nature and severity of the violation and how long it has been going on.
- It also matters whether measures have already been taken to remedy the problem, how well the company cooperates with the supervisory authority and whether there have been previous violations.
Fines for breach of the controller's obligations
The regulations on fines can be found in Article 83 of the GDPR. The principle applies that fines must be effective, proportionate and dissuasive.
- For violations of the obligations of the controller or the processor, fines of up to EUR 10 million may be imposed or, for companies, up to two percent of the worldwide turnover of the previous financial year. Whichever amount is higher applies.
- The same applies if certification bodies or monitoring bodies violate their obligations.
- Examples are the absence of a record of processing activities, inadequate security measures for data processing, or a company data protection officer who does not perform their duties properly.
- This category also covers the rule that children may only consent to data processing themselves from the age of 16. Incidentally, this has also had an impact on the use of Facebook and WhatsApp.
Violations of data processing principles
The penalties are even tougher if the basic principles of data processing are violated. The question here is whether data may be collected and processed at all and whether the provisions governing this have been complied with.
- Anyone who processes data without actually being permitted to do so can expect fines of up to 20 million euros or up to four percent of the company's turnover in the previous financial year. Here too, whichever amount is higher applies.
- Anyone who fails to comply with an order from the supervisory authority must expect the same fines.
- Offenses in this category occur, for example, when data are processed without the data subject's prior consent or when the rights of the data subject are violated.
- This can already be the case if a company does not meet its obligation to inform data subjects about the processing of their data, or if it has no deletion concept. Data subjects have the right to be forgotten once the purpose of the data processing no longer applies.
- The same penalties apply if personal data are transferred to third countries or international organizations in disregard of the GDPR provisions that specifically govern such transfers.
If you operate your own website, you should implement all the requirements of the GDPR with particular care. Otherwise you run the risk of becoming the target of dubious warning-letter firms, which are less concerned with data protection than with making money. Read what you should bear in mind as a website operator in the following article.