Fines and GDPR

Updated: Apr 13


Organizations have been working hard to comply with the GDPR for many reasons, one of which is to avoid fines. The amounts involved are large enough to cripple an entire business.


Under the GDPR, supervisory authorities can impose administrative fines on both data controllers and data processors. A fine can be imposed either in addition to, or instead of, the other corrective measures available to the supervisory authority.


A data processor that fails to meet the obligations the regulation places specifically on processors, or that acts outside of or contrary to the lawful instructions of the data controller, is liable for the resulting damage and can be fined.


Data controllers carry the broadest liability: a controller is responsible for any damage caused by processing that infringes the regulation, and an inability to demonstrate compliance is itself a failure on the controller's part. A data processor, by contrast, is held responsible for non-compliance only where a claim is brought, the damage is evidenced, and it is shown that the processor breached an obligation the regulation directs specifically at processors or went against the controller's lawful instructions.


Where non-compliance has caused damage, a controller or processor escapes liability only by proving that it is not in any way responsible for the event that gave rise to the damage. If both are found responsible for the same processing, each can be held liable for the entire damage, so that the affected data subjects always receive full compensation; a party that has paid the full compensation can then claim back from the other the part corresponding to that other party's share of the responsibility. This compensation is owed to the data subjects and is separate from the administrative fines imposed by the supervisory authority. Those fines are not automatic: the authority decides case by case, taking into account, among other factors, the number of data subjects affected and the damage they suffered.

Administrative fines come in two tiers, and it is the company as a whole that is held accountable. Which tier applies depends on which provisions of the regulation were infringed; the amount within that tier depends on factors such as the nature, gravity and duration of the infringement and whether it was intentional or negligent.

Tier 1


UP TO €10 MILLION, OR 2% OF THE COMPANY'S TOTAL WORLDWIDE ANNUAL TURNOVER FOR THE PRECEDING FINANCIAL YEAR, WHICHEVER IS HIGHER.


This tier applies to companies that, for example:

  • cannot demonstrate that they have adequate security for the personal data they process
  • have not appointed a Data Protection Officer where one is required
  • have not put a compliant contract in place with their data processor

Tier 2

UP TO €20 MILLION, OR 4% OF THE COMPANY'S TOTAL WORLDWIDE ANNUAL TURNOVER FOR THE PRECEDING FINANCIAL YEAR, WHICHEVER IS HIGHER.

This tier applies to companies that, for example:

  • infringe the rights of data subjects
  • carry out non-compliant international data transfers
  • breach the basic principles for processing, including the conditions for consent


© 2018 - 2020 GDPR Community Ltd
