The GDPR has a reputation for big and scary fines. Record fines like Meta’s €1.2 billion fine over data transfers and Amazon’s €746 million fine made the news and sparked some healthy discussion about compliance and privacy. But what are GDPR fines and how exactly do they work?
This blog explains all there is to know about GDPR fines: how they are issued and calculated, how they can be challenged, how they differ from other enforcement tools, and more. Let’s dive in!
The basics
What is a GDPR fine?
A GDPR fine is a monetary penalty that a data protection authority imposes on an organization for violating the GDPR. Fines are administrative acts, not court rulings. This has important consequences for how fines work and how they can be challenged.
There isn’t much more to say, really. You know what a fine is: you break a rule, you get caught, you have to pay.
How do you get fined under the GDPR?
Any GDPR violation may lead to a fine. Organizations get fined for all sorts of reasons: illegally collecting personal data, failing to secure data transfers, implementing poor cybersecurity, failing to report a severe data breach, and so on.
Just because you can be fined for these violations does not mean you will be. Organizations sometimes get off with a warning and an order to get their compliance sorted out. This typically happens when a small organization makes an honest mistake without dire consequences for individuals.
Who issues GDPR fines?
GDPR fines are issued by data protection authorities (a.k.a. DPAs or supervisory authorities).
DPAs are administrative authorities that enforce the GDPR in their country. Every country in the EU and the European Economic Area has a DPA (or several, in the case of federal states such as Germany).
DPAs do more than issue fines. For instance, they can order an organization to temporarily stop an operation that involves the use of personal data, or even shut down such an operation for good. These sanctions can sometimes hurt organizations more than fines do.
Are fines damages?
Fines and damages both play an important role in GDPR enforcement but they are not the same.
Damages and fines come from different enforcers: courts award damages and DPAs issue GDPR fines. Courts and DPAs have different powers and neither can do the other’s job.
Damages and fines also have different purposes because damages are a form of compensation while fines are a tool for punishment and deterrence.
In practice, this means that individuals only have a damages claim when the mishandling of their data resulted in some sort of damage (including “non-material damage”, as we say in legalese). On the other hand, you can be fined for a violation whether or not you caused damage, just like you can get a speeding ticket without having caused a road accident.
None of this is special to the GDPR, by the way. That’s just how damages work in civil law jurisdictions.
The practicalities
How are GDPR fines calculated?
The GDPR (in Article 83) includes a really long and complex list of criteria. So, we need to grossly simplify.
One of the main criteria is the impact of the violation. Fines tend to be higher for highly harmful and impactful violations, for instance poor cybersecurity leading to a large-scale data breach.
Other important criteria are whether the infringement is intentional, whether an organization has a history of non-compliance, and whether a violation involves sensitive data (in the specific sense of GDPR, not in the generic everyday sense).
An organization’s behavior after a violation also matters. Fines are lower when organizations cooperate with the investigation and make an effort to correct their mistakes before the fine comes. This encourages organizations to work with DPAs towards compliance rather than wage legal war against enforcement.
Last but not least, common sense plays a crucial role. An honest mistake from a small business is not treated the same way as intentional non-compliance from a multinational corporation.
What is the maximum for GDPR fines?
Fines come in two tiers. For violations of obligations such as data security or breach notification, fines are capped at €10M or 2% of annual worldwide turnover, whichever is higher. For violations of the GDPR’s basic principles, of individuals’ rights, or of the rules on international data transfers (the unlawful collection of sensitive data, for instance), these limits are doubled: the actual maximums are €20M or 4% of annual worldwide turnover, whichever is higher.
That 4% can be a massive number for corporations because it can be calculated based on the turnover of entire corporate groups. This is how Meta got its record €1.2 billion fine: the amount was calculated on the turnover for the entire Meta group even though the case was (nominally) against Meta Platforms Ireland alone.
Are fines public?
Different jurisdictions have different rules. Some authorities publish most or all of their decisions while others do not. For instance, some authorities treat publication as an additional punishment that may only be inflicted when appropriate. Others withhold publication of the decision until it can no longer be challenged: that is why we still cannot read the reasoning behind Amazon’s €746 million fine.
Can you be fined over a data breach?
Yes, you can. But you don’t automatically get fined for a data breach.
The GDPR requires organizations to implement appropriate security, not perfect security. You only get fined if you did not do enough to secure the data. Conversely, you may be fined for implementing poor security even if no data breach occurs.
It is also worth mentioning that organizations must self-report serious data breaches to DPAs (within 72 hours of becoming aware of the breach, where feasible) and, in some cases, even to the affected individuals. Failure to self-report is grounds for a fine.
The procedure
How are GDPR fines issued?
GDPR fines are issued by DPAs after an investigation. DPAs can investigate complaints or start an investigation of their own volition. In practice, most investigations follow a complaint.
Fines are regulated not only by the GDPR but also by national administrative law. The procedure for issuing a fine changes from country to country, as do the rights and role of the parties in the investigation.
The procedure for cross-border cases is more complicated because it can involve several DPAs: under the GDPR’s “one-stop-shop” mechanism, a lead DPA handles the case and must coordinate with the other DPAs concerned.
How are GDPR fines challenged?
The addressee of a fine has the right to have the fine reviewed by a court. This is a core principle of administrative law and holds true in every EU jurisdiction.
The procedure for challenging a fine varies greatly between jurisdictions. For instance, an administrative appeal can sometimes be available in addition to judicial review (but can never replace it). This means that the addressee of a fine can have it reviewed not only by a court, but also by an administrative body with the power to overturn the DPA's decision.
We at Simple Analytics care about privacy. This is why we do our best to explain GDPR and privacy law to everyone, without the legalese.
If you care about privacy too, why not give our web analytics tool a try? We built Simple Analytics with innovation, user privacy, and ease of use in mind. Simple Analytics collects no personal data from your visitors and comes with a brand new AI Assistant that gives you exactly the insights you want.
If this sounds good to you, take Simple Analytics out for a spin with our two-week trial!