Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

The previous installments in this series have outlined nine significant changes to Europe’s data protection regime under the GDPR. Those changes, however, only impact privacy professionals to the extent they create a risk of enforcement. The introduction of heightened fines and a robust enforcement mechanism suggest that the Regulation’s provisions should be taken seriously. This final installment examines what happens when companies violate the GDPR.

This is the last installment in a series of articles addressing the top 10 operational impacts of the GDPR.

Consequences for GRPR Violation: Complex administrative procedures and hefty fines

More than any new substantive right or complex procedure, the new GDPR measure most likely to draw attention from the C-suite is the provision on penalties and fines. In a stark departure from previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy remarkably steep fines in amounts exceeding 20 million euros or four percent of annual global turnover, whichever is higher.

This article first sets forth the judicial remedies available to data subjects and then discusses how supervisory authorities may pursue complaints administratively. It concludes with an examination of the Regulation’s administrative fines and penalties.

Circumstances giving rise to fines and factors to be considered

The GDPR empowers supervisory authorities to assess fines that are “effective, proportionate and dissuasive.” It sets forth both mitigating and aggravating factors to help DPAs assess the amount of a fine. For example, intentional violations are worse than negligent ones. Mitigating factors include adherence to a code of conduct or certification mechanisms, minimizing the use of sensitive categories of data, and employing appropriate technical and organizational safeguards. In the event of non-compliance, moreover, controllers or processors may limit the amount of a fine by mitigating “the damaging nature, gravity and duration of the violation,” reporting the violation as soon as possible and cooperating with the supervisory authority.

Aggravating factors generally include the opposite actions – not seeking to mitigate harm or acting contrary to the mitigating factors.

Two “tiers”

The GDPR creates two tiers of maximum fines depending on whether the controller or processor committed any previous violations and the nature of violation. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros , whichever is higher. The lower fine threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.

These amounts are the maximum, meaning supervisory authorities are empowered to assess lower but not higher fines. Specifically, Recital 148 authorizes a DPA to issue a reprimand in place of a fine in cases of a minor infringement where the fine would constitute a disproportionate burden on a natural person. Additionally, fines are not compounded for multiple violations arising from the same incident; the total fine cannot exceed the fine for the gravest violation.

When fines are imposed on a natural person, as opposed to a corporate controller or processor, their general income level and personal economic situation will inform the appropriate amount of fine.

Higher fine threshold

Fines in the higher threshold are assessed for more serious violations by controllers and processors, such as the violation of a data subject’s rights. Specifically, higher fines are assessed for violating,

  • Basic principles for processing data, including consent (Articles 5-7, 9)
  • Data subjects’ rights (Articles 12-22)
  • Data transfer provisions (Articles 44-49)
  • Obligations to Member State laws including the right to freedom of expression and information, collection and use of national identification numbers, employment processing, secrecy obligations, and data protection rules for churches and religious associations. (Chapter IX)
  • Non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows by a supervisory authority (Articles 58(1), 58(2))

Lower fine threshold

Fines in the lower tier are assessed on controllers, processors, certification bodies or monitoring bodies. Violations of most other provisions are subject to the lower fine tiers or penalties. There are some notable obligations that are specifically subject to the lower fines.

  • Obligations of controllers and processors include:

o   Obtaining a child’s consent according to the applicable conditions in relation to information society services (Article 8);

o   Notifying the supervisory authority of a personal data breach (Article 33);

o   Notifying the data subject of a personal data breach (Article 34); and

o   Designating a data protection officer (and the data protection officer has related obligations to their position). (Articles 37-39).

There are also obligations of certification bodies (Articles 42, 43), and obligations of monitoring bodies (for monitoring of approved codes of conduct) to take appropriate action to enforce code violations (Article 41(4)).

Applicability and consistency of fines in Member States

The national laws of two of the Member States, Denmark and Estonia, do not allow for the imposition of administrative fines as set out in the GDPR. Consequently, Recital 151 provides an exception for those two Member States, allowing competent national courts to impose the fines as criminal sanctions in Denmark and through a misdemeanor procedure framework in Estonia. In those Member States, the supervisory authority refers the case to the relevant courts to initiate the fines. The national courts should, however, “take into account the recommendation by the supervisory authority initiating the fine.”

In general, where the Regulation does not impose administrative fines for infringements, or for other special cases such as serious violations, Member States are required to implement a penalty system. Member States must notify the Commission of any legislation or legislative changes adopted to create penalties for violations outside administrative fines. Similar to administrative fines, penalties must be “effective, proportionate and dissuasive.” Unlike fines, penalties may be criminal under the national law of a Member State.

Lead and concerned supervisory authorities

The Regulation attempts to harmonize administrative proceedings across multiple Member States, each of which must appoint their own competent supervisory authorities (often referred to as “Data Protection Authorities” or “DPAs”) under Article 55. To avoid multiple parallel administrative proceedings, and to ensure decisions are enforceable, the GDPR sets out in Article 51a that each controller or processor will be subject primarily to the authority of a single “lead supervisory authority.” The lead supervisory authority is the DPA of the Member State where the controller or processor has its “main establishment.” If the controller or processor has offices in multiple jurisdictions, the main establishment is “the place of its central administration in the Union” (i.e., its headquarters, in most cases). For controllers or processors located in only one Member State, that State’s DPA will serve as the lead.

Data subjects may file complaints with the DPA of the Member State in which they reside, where they work, or where the alleged infringement occurred. A DPA also may pursue infringement actions on its own accord when there has been an infringement in its Member State or which affects the residents of that State. If the controller or processor subject to the complaint has its main establishment in a Member State other than where the complaint is filed or launched, the original DPA must notify the lead DPA. The lead DPA has three weeks to decide whether to keep the case or delegate it back to the first DPA. In making its decision, it should consider whether the controller or processor has an establishment in the Member State where the action was initiated.

If the lead DPA declines to take the case, the original supervisory authority is allowed to keep it, subject to the procedures in Articles 61 and 62. These provisions mandate cooperation among the DPAs in pursuit of the case and set out specific rules for joint investigations and enforcement actions. If the lead DPA decides to pursue the case, Article 60 ('one-stop-shop mechanism') procedures apply. The original supervisory authority is invited to submit a draft decision to the lead, who “shall take utmost account” of the draft.

Article 54a “one-stop shop” cooperation

Assuming an infringement proceeding involves a controller or processor with establishments in multiple Member States, the lead supervisory authority must cooperate with the other “concerned” supervisory authorities in preparing a decision, incorporating appropriate suggested changes or objections. Article 65 creates a mechanism by which the European Data Protection Board may resolve any disputes among the DPAs. Decisions of the Board and decisions jointly agreed upon by lead and concerned supervisory authorities become binding.

In any case, the lead DPA must notify the accused controller or processor of any final decision, whereas the DPA where the complaint was originally lodged must notify the complainant. The complainant retains its right to an effective judicial remedy against a legally binding decision of a supervisory authority or where the supervisory authority fails to deal with a complaint or inform a data subject about the outcome of a case within three months. Additionally, under Article 83 the “exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.”

Damages and compensation for data subjects

Similar to the Directive, the GDPR allows data subjects to seek monetary damages in court from controllers who violate their rights and from processors as well if the processors are liable for a data breach, violate the processor-specific provisions of the GDPR, or act outside a controller’s lawful instruction.

Under Article 79, data subjects may bring an action for damages or compensation before the courts of the Member State state where they reside. They also may bring the action in any Member State State where the controller or processor has an establishment. The GDPR encourages courts to stay proceedings in favor of the first-filed case when a controller or processor faces lawsuits in many jurisdictions for the same incident. Individual causes of action are independent from and without prejudice to an action by a supervisory authority to impose administrative fines.

Data subjects may ask non-profit public interest organizations to bring an action on their behalf, and such organizations may bring an action independently where permitted by Member State state law. Because data subjects have a right to “an effective judicial remedy,” moreover, the GDPR empowers a data subject to bring an action against supervisory authorities in the courts of their Member State when they do not “deal with a complaint” or timely inform a data subject of the complaint’s progress or outcome.

Any non-compliant controller involved in data processing faces liability for damages under Article 82. Processors, however, face liability only when they have not complied with processor-specific regulations or with the controller’s lawful instructions. Both are immune from liability if they can prove they are “not in any way responsible for the event giving rise to the damage.” In other words, after a data subject demonstrates an infringement, the burden shifts to the controller or processor to prove they are not personally responsible.

When the controller and processor are joined in the same judicial proceedings, or when more than one controller is concerned, the data subject is entitled to receive full compensation from any one of the parties. Liability for damages subsequently may be apportioned among them according to their respective responsibility for the harm. When those controllers and processors are also involved in the same processing, each is liable for the entire harm.

Article 26 provides specific provisions for when “two or more controllers jointly determine the purposes and means of processing,” termed joint controllers. Joint controllers are required to create an agreement determining their respective duties to comply with the Regulation. The agreement must be available for data subjects, who may enforce their rights against each of the controllers irrespective of the terms of the agreement. In other words, joint controllers remain jointly and severally liable to data subjects harmed by GDPR non-compliance even if they allocate liability among themselves by agreement.


The Regulation empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The Regulation’s guidance on imposing fines replaces the patchwork enforcement structure of the Directive, while establishing accountability and consistency mechanisms also lacking under the Directive. The hefty fines and penalties for infringement not only encourage accountability, they may be the single most eye-catching feature of the Regulation, causing multinationals and local companies to invest more in compliance. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringement decisions, empowering the Board for dispute resolution, making final decisions binding – will ease burdens on controllers and processors doing business across Member State states by offering more efficient enforcement solutions.

Written By

Anna Myers, CIPM, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Privacy Core® e-learning Library Expands Again

Two innovative additions to our Privacy Awareness curriculum coming in April: Recognizing and Avoiding Social Engineering and Identifying Phishing Attacks.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

What an amazing Summit! Looking for session presentations? Click through to the webpage and look in the session's description for a link to view slides.

Canada Privacy Symposium 2017

Early Bird discounts may be gone, but not your chance to catch this year's stellar lineup! Register today.

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»