The penalties/fines imposed by the GDPR have been a central focus for many since discussions surrounding the Regulation began. There are two tiers for the fines.

The first is 2% of the annual turnover, or 10 million euros, whichever is higher. Examples of non-compliances that can result in these fines include the company being unable to prove adequate security measures, or not appointing a DPO even though the company is clearly required to.

The second tier is 4% of the annual turnover or 20 million euros, whichever is higher. This tier applies when data subjects' rights are infringed, for non-compliant data transfers, or for breaches of the main principles of processing.

In addition, each Member State can set rules for other penalties for infringements of the law that are not already covered by the Regulation.

While these fines are a strong incentive for many companies, it is a mistake to focus solely on them. The GDPR should be seen more as an opportunity than an obligation, one that allows for fairer data processing, more security, and more transparency.

Articles: 58, 70, 83, 84

Recitals: 148, 149, 150, 151, 152