
What are the penalties for not complying with GDPR?

Reading time: 6 minutes

GDPR specifies various penalties to penalise non-compliant companies.

The General Data Protection Regulation came into force in May 2018. The GDPR applies to data processing carried out by companies located in the European Union, but also to the processing of personal data carried out by companies located outside the EU that offer goods and/or services to people in the EU. It not only specifies the rules that govern data protection, but also the fines and penalties to which non-compliant companies are liable. The GDPR specifies various penalties for non-compliance, and they can have serious repercussions for companies.

Regulatory bodies: the data protection authorities

The Data Protection Authorities (DPAs) are independent public bodies responsible for ensuring compliance with the GDPR and its correct application.

The supervisory authority in the country where your company is based is generally the main point of contact for information about the GDPR. If you have no establishment in the European Union, the “One-Stop-Shop” system does not apply: your company does not come under one lead authority but under all the authorities of the countries where the people whose data you process are located. Some states have a single national authority; others, like Germany, have several authorities in different regions. The European Commission has published a list of the DPAs in the different EU countries.

The supervisory authorities, such as the Commission nationale de l’informatique et des libertés (CNIL) in France, have several roles, including:

  • Supplying expert advice on matters related to data protection.
  • Handling complaints submitted about breaches of the General Data Protection Regulation and related national legislation.

To do so, they are authorised to inspect entities subject to GDPR and to impose penalties on non-compliant entities.

What fines and penalties are specified by GDPR?

Obligations imposed by GDPR

Entities and organisations subject to GDPR must fulfil a certain number of obligations, in particular:

  • Guarantee the best security for personal data.
  • Base the various personal data processing activities on one of the six legal grounds specified by the GDPR.
  • Be transparent in data processing. This is a duty to inform and advise data subjects.
  • Uphold the rights of data subjects when processing data.
  • Keep a data processing register, apart from rare exceptions.
  • Appoint a Data Protection Officer (DPO), if required.
  • Perform impact analyses before processing personal data. This makes it possible to anticipate and therefore manage any risks during processing in advance (e.g. a personal data leak).
  • Appoint a representative in the EU if the company is located outside the EU and offers products or services to people located inside the European Union.

Failure to comply with one or more of the requirements listed above can lead to various penalties.

Fines and penalties

Entities not complying with GDPR can face different types of penalties. These penalties may vary in strength depending on the type and severity of the offence. While the majority of these penalties are fines of various amounts, the most serious offences can lead to criminal sanctions.

Administrative fines

Article 83 of the GDPR specifies the general conditions for imposing administrative fines on an entity that does not comply with the GDPR. These criteria must be applied so that the amount of each fine is effective, proportionate and dissuasive.

There are currently two levels of administrative fines, depending on the seriousness of the offence.

For “small” offences, the fine is up to 2% of the company’s global turnover or up to 10 million euros. This level of fine is most frequently imposed for infringements of the following obligations:

  • The obligations for which the data controller or subcontractor is responsible,
  • The obligations for which the certification body is responsible,
  • The obligations for which the body overseeing codes of conduct is responsible.

For serious offences, the fine is up to 4% of the company’s global turnover or up to 20 million euros. This level of fine is most frequently imposed for infringements of the following obligations:

  • The obligation to obtain consent from the data subject before collecting, processing or storing personal data,
  • The other rights of data subjects,
  • Transfers of personal data to a recipient located in another country or an international organisation,
  • All the obligations arising from the law of Member States,
  • Failure to comply with an injunction, a temporary or permanent restriction on processing or the suspension of data flows ordered by a supervisory authority.

Criminal sanctions

As specified by article 84 of the GDPR, European Union Member States can implement their own system of penalties for failure to comply with the Regulation. This system supplements the penalties already provided for by the GDPR. In particular, it makes it possible to sanction offences that do not fall under the conditions specified by article 83 of the GDPR.

For example, in France, the French Criminal Code (articles 226-16 to 226-24) specifies penalties for “harm to the rights of the person resulting from computerised files or processing”. The sentences incurred can go as far as 5 years’ imprisonment and a fine of 300,000 euros.

Examples of penalties

There are many examples of penalties imposed by the data protection authorities:

  1. In July 2020, the Belgian Data Protection Authority imposed a fine of 600,000 euros on Google Belgium for failure to comply with the right to be forgotten.
  2. In October 2020, the British data protection authority (ICO) ordered the airline British Airways to pay a fine of 20 million pounds sterling because the data of about 430,000 people had been made accessible, including first & last names, addresses and, for more than 200,000 of them, their bank details (card numbers and CVC codes).
  3. In December 2020, the CNIL (French data protection authority) ordered Amazon Europe Core to pay a fine of 35 million euros for having placed advertising cookies on users’ computers from the Amazon France site without prior consent and without satisfactory notification.
  4. On 12 May 2021, the Dutch authority announced that it had imposed a fine of 525,000 euros on a Canadian company for failing to meet the obligation to appoint a representative in the EU, which applies to companies with no establishment there.

However, while the larger fines attract attention, it should not be assumed that only large companies are affected. The data protection authorities deal with non-compliance daily, and the majority of the companies concerned are small and medium-sized enterprises. Fines for smaller sums are in fact far more numerous.

Extended powers of Data Protection Authorities

Beyond sanctions and fines, the data protection authorities have various means of intervening in companies not complying with the regulations.

In particular, they are authorised to conduct investigations, whether of companies suspected of being non-compliant or of companies reported by third parties.

In addition, there is a cooperation process between the European DPAs for dealing with cross-border processing. This gives the DPAs a degree of room for manoeuvre even when part of the processing involved takes place outside their country.

DPAs can also impose practical measures that can affect companies drastically, such as:

  • blocking non-compliant sites,
  • withdrawing an approval or certification,
  • imposing constraints on processing,
  • making sanctions public.

Compensation of parties wronged and loss of reputation

Payment of damages to victims of non-compliance

Pursuant to article 84 of the GDPR, European Union Member States are free to decide on additional penalties, targeting in particular breaches not subject to administrative fines. Each Member State has therefore specified its own applicable sanctions. Very often, wronged parties are considered by the European courts to be victims of the actions of non-compliant companies. They are therefore entitled to lodge a complaint against the entities at fault and to claim compensation in the form of damages. The amount of compensation is then decided under the law of the Member States. In particular, article 79 of the GDPR establishes the right of data subjects to an effective judicial remedy against a data controller or a subcontractor. In other words, the victims of non-compliant processing of their personal data can sue the person responsible for the wrongful processing.

Loss of reputation of non-compliant entities

Beyond financial penalties and criminal sanctions, sanctions for infringements of the GDPR can also have a significant impact on a company’s reputation. Failure to comply with GDPR requirements can cause companies to lose customer confidence. In some cases, this can lead to contracts being terminated and drive potential customers to the competition.

In addition, the data protection authorities can make sanctions public. For example, the CNIL in France can publish official releases containing the names of the sanctioned companies, details of the infringements and the sanctions imposed. This can have repercussions in the press and on social media, which can further harm the companies affected.

In conclusion, it is worth emphasising that the GDPR has a very broad scope of application. It is therefore essential for all the companies involved – inside or outside the EU – to comply. The authorities take sanctions very seriously and continue to take more stringent action, and decisions penalising infringements are increasing.

ASD Group can put you in contact with its preferred partners to help you achieve compliance with the obligations imposed by the Regulation. Do you have questions? Contact us.
