What is the maximum fine related to GDPR violations?

In the European Union (EU) and European Economic Area (EEA), the General Data Protection Regulation (GDPR) has been in effect since May 2018. Its goal is to protect the privacy and personal data of EU residents and give them control over how it is used.

Since then, the GDPR has become the world’s most influential data privacy law, impacting legislation in other countries and affecting how companies do business in Europe.

One of the most newsworthy aspects of GDPR enforcement is the fines levied against some companies found to have violated the law. Any size of organization can be fined for a violation, but the news stories that make headlines usually involve large companies, often tech giants with global reach and billions of users. Those fines for misusing personal data have risen into the billions.

If an organization that processes personal data of EU residents is found to have violated the GDPR, there are several types of potential penalties (Art. 83 GDPR). Data protection authorities (DPA) in member countries can:

• issue warnings or reprimands
• temporarily or permanently impose restrictions on data processing
• order the erasure of personal data
• suspend international data transfers to third countries
• impose administrative fines
• impose criminal penalties

Administrative fines are probably the most well known penalty of the GDPR. There are two levels of administrative fines, depending on severity of the infraction.

First tier GDPR fines are generally for first time or less severe infractions. They can be up to € 10 million or two percent of global annual revenue for the preceding financial year, whichever is higher.

Second tier GDPR fines are generally for repeat violators or more severe infractions. They can be up to € 20 million or four percent of global annual revenue for the preceding financial year, whichever is higher.

Due to how GDPR breach fines are structured, the monetary amount of fines can vary widely. While not all fines levied to date are known, it is public information that the lowest fines have been in the “three-digit amount”, which would be less than € 1,000. As of July 2023, the highest fine for a GDPR violation was over € 1 billion.

On May 22, 2023, Ireland’s Data Protection Commission issued a new record biggest GDPR fine of € 1.2 billion (US $1.3 billion) to Meta (Meta Platforms, Inc.), parent company of social platforms Facebook, Instagram, WhatsApp, Threads, and other services. This fine exceeds the previous highest fine to Amazon Europe in 2021 by € 454 million.

Meta was also ordered to stop transferring data from Facebook users in Europe to the United States. Meta is headquartered in California.

The reason for the ruling was that Meta’s transfers of data of Facebook users to the US violated the GDPR’s international data transfer guidelines. The US and EU have not had an adequacy agreement for data transfers since 2020, following the court ruling invalidating the EU/US Privacy Shield. A new agreement was finalized in 2023, however, and the EU-U.S. Data Privacy Framework came into effect on July 10.

There have been hundreds of thousands of breach notifications sent to organizations under GDPR rules, and enforcement has ramped up every year since the law came into force in 2018. According to the GDPR Enforcement Tracker, there were 37,850 fines levied under the GDPR from July 2018 to June 2023.

Spain has issued the most GDPR fines to date, at 681, but Ireland has the highest dollar value for its 25 fines issued, totalling € 2,510,340,900.

Of the large tech companies, Meta has been fined the most times, at 10, if you include fines to Meta, Facebook, and WhatsApp. Google and its subsidiaries is next, at seven.

There are several levels of responsibility for GDPR compliance, and their degree of responsibility varies with whether they’re the entity requesting personal data and using it for stated purposes, or if it’s an entity working for someone else.

Also, within organizations there can be privacy experts—a legal requirement in some cases, like the Data Protection Officer role—who are responsible for that organization’s data privacy operations.

Data controllers and data processors are people or organizations actually collecting and processing—using, sharing, selling—personal data of EU residents.

Those entities have day to day responsibility for data privacy and security. They must have a viable legal basis for collecting data, use it per GDPR guidelines, maintain reasonable security, and ensure data subjects are informed about their rights and the use of their data.

Data controllers’ responsibilities require them to:

• securely maintain records of consent preferences
• maintain data accuracy
• respond to requests regarding data, including correction or deletion (with exceptions)
• implement and maintain reasonable organizational and technical measures for data protection

Data processors typically work for data controllers. An example could be a third-party vendor handling advertising or communications for a company. Data processors’ responsibilities include:

• implementing appropriate technical and organizational measures to protect data
• notifying the data controller of any data breaches
• keeping records of their processing activities
• compliance with data deletion requirements after processing

While both controllers and processors have responsibilities under the GDPR, ultimately data security and privacy compliance responsibilities lie with the controller.

In the EU and EEA, each member state has its own authoritative body to investigate alleged violations and enforce compliance with the GDPR. These independent public agencies are known as data protection authorities, or DPAs. These organizations also enforce other local or regional privacy-related laws.

Any organization that processes the data of EU residents and fails to comply with GDPR requirements can be fined. This includes data controllers and processors or the “joint controller”, where two or more entities jointly determine the purposes and means of processing personal data.

While violations tend to affect commercial entities, other types of organizations can be fined for data privacy violations under the GDPR as well, including nonprofit organizations and charities.

Yes. Data processors process personal data on behalf of and under the instruction and authority of data controllers, but are not immune from penalties. Data processors’ GDPR compliance failures could include not implementing appropriate security measures, processing data for purposes not stated or for which there is not a valid legal basis, or failing to work with the data controller to fulfill its obligations under the GDPR.

Generally, employees of organizations would not be fined under the GDPR, as responsibility tends to fall on the company (controller) or data processor(s), not individuals. Employees certainly play a role in GDPR compliance or violations, and can be partly responsible for a violation like a data breach. Where there is a deliberate or recklessly damaging action that results in a GDPR violation, an employee could be subject to disciplinary action by their employer, as well as be penalized by other relevant laws.

Organizations are expected to provide employees with appropriate training and guidelines for data security and handling, and companies should have clear, accessible policies around data access, security, and related concerns.

Private persons cannot be fined under the GDPR, but can be held liable for actions or negligence regarding data protection. Many countries have additional data privacy and security laws in addition to the GDPR, and individuals involved in a data breach, for example, could face criminal or civil legal consequences.

Cyber insurance, also known as cybersecurity insurance or data breach insurance, helps mitigate financial liabilities or losses from cybersecurity incidents and data breaches. It is also known as cybersecurity insurance or data breach insurance. Whether cyber insurance covers fines resulting from a GDPR violation depends on the specific terms and conditions of the policy.

Some cyber insurance policies may explicitly include coverage for GDPR fines and penalties. In some countries, however, insurance coverage for fines imposed for intentional or willful violations of the law is prohibited.

Upon leaving the European Union on January 31, 2020, the United Kingdom adopted a near-identical version of the GDPR, commonly referred to as the UK GDPR. Fines and penalties for noncompliance remain aligned with the original EU regulation. UK GDPR enforcement comes under the Information Commissioner’s Office.

As with the EU GDPR, there are two tiers of fines.

First tier UK GDPR fines are for first time or less severe infractions. They can be up to £8.7 million or two percent of global annual revenue for the preceding financial year, whichever is higher.

Second tier UK GDPR fines are for repeat violators or more severe infractions. They can be up to £17.5 million or four percent of global annual revenue for the preceding financial year, whichever is higher.

The best way to avoid GDPR fines is to ensure your organization understands its responsibilities and achieves and maintains compliance with the law’s requirements.

Organizations should implement data protection and privacy best practices, and regularly consult with a privacy expert like a Data Protection Officer (required under the GDPR in many cases) or qualified legal counsel.

Some compliance actions are required in some countries, but are just recommendations elsewhere. It is important to check on GDPR and other local regulations for requirements applicable to your business. To achieve GDPR compliance and avoid fines it is recommended for organizations to:

• conduct data audits to fully understand data collecting and current processing activities
• conduct data protection impact assessments (DPIA)
• implement data protection policies and procedures
• train employees on GDPR compliance and data security practices
• appoint a qualified and well-informed DPO, from outside the company in some cases to access sufficient expertise (a requirement in some jurisdictions/for some companies)
• work with trusted third-party vendors and service providers that are GDPR-compliant and have contracts in place regarding data processing operations
• use a comprehensive consent management solution to collect and store valid user consent on websites, apps, connected TV, etc.

Enforcement of the GDPR has increased every year since the law came into effect. Additionally, DPAs have announced specific enforcement focus as well. For example, France’s data protection authority CNIL announced expanded enforcement efforts on a number of fronts, including for apps. There is every reason to believe that enforcement will continue to grow, and that a new record highest fine will happen. At the same time, companies don’t have to be tech giants to risk noncompliance fines.

Organizations should also use comprehensive tools like a Website Consent Management Platform or App Consent Management Platform to inform users and securely collect and store user consent data when using consent as the legal basis for data processing under the GDPR.

Beyond just meeting regulatory requirements, being proactive about protecting user privacy is a competitive advantage. It builds user trust and engagement and improves user experiences and customer relationships long-term. That leads to more high-quality data for marketing operations and increased revenue.

If you have questions about GDPR compliance or implementing a consent management platform to help achieve compliance with privacy laws like the GDPR and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.