What You Need to Know About GDPR Fines

Photo by Didier Weemaels on Unsplash

GDPR fines are one of the most talked-about aspects of the regulation. Below is a short explanation of what triggers them, who imposes them and what you can do to reduce their size.

Reading time: 2 minutes.


Administrative fines are one of the sanctions available under the GDPR when personal data is mishandled. They are triggered when an organisation infringes the regulation. The GDPR sets two tiers of maximum fines, a lower and a higher one. Whether a supervisory authority imposes a fine near the bottom or the top of the range depends on a variety of factors, chiefly the severity of the infringement and the actions the organisation has taken.

The largest possible fines

Fines for the lower tier of infringements may reach up to 10,000,000 EUR or up to 2% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher. Fines for the higher tier may reach up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, again whichever is higher.

A variety of infringements can trigger the lower tier: for example, failing to carry out a data protection impact assessment (DPIA) when one is required, not keeping records of processing activities, or failing to implement appropriate security measures for the processing.

The higher tier likewise covers many infringements, for instance violating the basic principles for processing (including the conditions for consent), violating data subjects' rights, or failing to comply with an order issued by a supervisory authority.

What determines the size of GDPR fines?

The amounts above are maximums. The supervisory authority decides the actual size of a fine, and the GDPR requires that fine to be effective, proportionate and dissuasive. The regulation lists specific factors the authority must weigh when deciding whether to impose a fine at all and how large it should be.

The main factor is the nature, gravity and duration of the infringement. The authority also looks at, among other things, whether the infringement was intentional or negligent, any relevant previous infringements, how it became aware of the violation (for example, whether the organisation notified it) and how co-operative the organisation has been.

For a practical example of how a DPA reasons when determining a fine, see our article on the Swedish DPA's first fine.

How can we prevent GDPR fines?

The only reliable way to avoid GDPR fines is to become GDPR compliant. You get there by fostering a good privacy culture in your organisation: drafting proper privacy policies, informing data subjects and training your employees.

Even if your organisation is not yet fully compliant, demonstrable work toward compliance is a mitigating factor. This means that if you are fined, the supervisory authority will take into account that you are actively improving. For more information on how to prepare for an inspection by a supervisory authority, see our separate article on that topic.

Sharp Cookie Advisors has extensive experience helping organisations with their GDPR compliance, and we would like to help you as well. If you have any questions, don't hesitate to contact us at [email protected]

