Data Privacy News

December 14, 2020

GDPR Fines and Penalties

The most widely discussed aspect of the GDPR is its fines and penalties. We explain how organisations can incur penalties for non-compliance and explore their impact.

GDPR Maximum Fines

The GDPR imposes maximum fines of €20 million or 4% of annual worldwide turnover, whichever is higher. This can be applied if an organisation fails to comply with:

  • Data protection principles, such as transparency, fairness, accountability, data accuracy and minimisation.
  • Individual rights, such as access, rectification, restriction, portability, or erasure.
  • Rules surrounding the transfer of data to “third countries” (outside the EEA and without an ‘adequacy’ designation by the EU).

GDPR Standard Maximum Fines

There is a standard maximum fine of €10 million or 2% of annual worldwide turnover, whichever is higher. This can be applied if an organisation fails to fulfil its obligations under the GDPR, for example by:

  • Obtaining improper consent for a child
  • Failing to implement data protection by design and by default measures (e.g. pseudonymisation)
  • Failing to establish a designated representative in the EU (for businesses without an establishment in the EEA)
  • Processing personal data in breach of contract with the data controller
  • Failing to adequately secure personal data

Processing Bans and Other Correctional Powers

Under the GDPR, Data Protection Authorities also have powers to correct existing issues and prevent future non-compliance. These powers include:

  • Issuing warnings
  • Issuing reprimands
  • Ordering an organisation to bring their processing activities into compliance
  • Ordering an organisation to communicate a personal data breach to affected individuals
  • Imposing a ban on processing data
  • Ordering the rectification, restriction or erasure of data
  • Ordering the suspension of data flows to a third country or international organisation

Will the maximum fines always be applied?

Data Protection Authorities do have the powers to apply the full fines in cases of non-compliance. However, it is highly unlikely that the maximum penalties will be applied in anything but the most serious of cases.

Instead, Data Protection Authorities are expected to issue fines based on the perceived impact to individuals, the scale of the issue and the organisation’s response to the issue. Fines should be effective, proportionate and dissuasive.

Have any fines been issued under the GDPR yet?

As of December 2018, a small number of fines have been issued by Data Protection Authorities:

  • Austria issued a €4,800 fine for illegal video surveillance.
  • Portugal issued a €400,000 fine for an insufficient data access concept.
  • France issued a €250,000 fine for inadequate security measures.
  • Germany issued a €20,000 fine for a failure to protect personal data.
  • The UK issued a £17 million fine for unlawful data processing.

Why haven’t there been many fines?

Data Protection Authorities need time to investigate organisations that have failed to comply with the GDPR. This allows them to determine whether an infringement has taken place and the appropriate enforcement action – including how much the organisation will be fined.

Whilst the penalties for non-compliance with the GDPR are intended to be an effective deterrent, businesses should focus on getting their compliance strategy up to scratch and having effective processes in place should an audit or data breach occur. Read our post Is The GDPR Good For Business? to find out how compliance can help your business grow.

Copyright © 2020 Sovy Trust Solutions Limited. All Rights Reserved. Registered in Ireland, No. 610835 and No. 605069