There are two tiers of administrative fines for infringements of the Regulation, set out in Article 83:
Lower level of GDPR penalties
Fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25 – 39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Higher level of GDPR penalties
Fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12 – 22 (data subjects’ rights); and
- 44 – 49 (data transfers to third countries or international organisations).
As well as the power to issue fines, the supervisory authority (the ICO (Information Commissioner’s Office) in the UK) has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2)(f)). In other words, it can stop an organisation from processing personal data at all, which for many businesses amounts to shutting them down.
In addition, data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of their personal data infringes the Regulation (Article 77). They also have the right to an effective judicial remedy against data controllers and processors if they consider their rights have been infringed by processing that does not comply with the Regulation (Article 79).
The Regulation is clear that data subjects who suffer damage as a result of an infringement should receive “full and effective compensation for the damage they have suffered”, whether that damage is material or non-material (Article 82).