GDPR: penalties in the new European Data Protection Regulation

Posted by media on February 6, 2018 at 9:00 AM


The entry into force of the European Data Protection Regulation will mean that companies and entities will have to review their data protection measures in order to adapt and suit them to the new requirements.

Those who fail to comply face much higher penalties than those laid down in the previous directive.

In the following post, we will define the repercussions of failing to comply with the legal precepts regarding data protection and the economic implications for companies who disregard the handling of personal data.

This post is also available in Spanish.


Penalties in the new European Data Protection Regulation

The new GDPR creates new obligations for companies to comply with and strengthens the applicable penalty regime, increasing the amounts of the penalties.

The penalties are intended to achieve effective protection of personal data, strengthening both the rights of stakeholders as well as the obligations of those entities and companies that handle personal data.


 The right to claim if the GDPR is not respected

Chapter VIII of the GDPR, in particular Article 77, stipulates that any European citizen who considers their fundamental right to data protection to have been infringed and has evidence of this, may bring it to the attention of the competent body for the purpose of sanctioning the infringer in order for the infringement to cease.

Article 77 Right to lodge a complaint with a supervisory authority

1.   Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.


What is a control authority?

Each Member State shall designate a public institution responsible for proactively ensuring the imposition of the Regulation.


Characteristics of the imposition of fines

Article 83 of the regulation lays down the general conditions for the imposition of administrative fines.

The European legislator has stated that administrative fines must meet a number of characteristics in their imposition:

  • Individual. Administrative fines shall be imposed, depending on the circumstances of each individual case

  • Effective. In order to meet their objective, penalties must be applied in a certain way.

  • Proportionate. The penalty must be fair and appropriate, taking into account the principles underlying it and the aims it pursues.

  • Deterrent. The aim of penalties is none other than to deter citizens from infringing the regulation.  

Each control authority is responsible for ensuring that each sanctioning action complies with these characteristics.


Criteria for imposing penalties

Article 83.2 of the GDPR establishes, in a general way, the criteria for imposing penalties.

Some of the general circumstances to be assessed by the authorities in setting penalties will be:

  • The severity of the infringement. Taking into account, for example, the number of claimants involved and the level of damages they have suffered.

  • The intentionality or negligence of the infringement.

  • The measures taken to reduce the damage caused and to remedy the situation created by the infringement.

  • The degree of responsibility of the data controller or processor, according to the technical or organisational measures they have applied.

  • The cooperation between the company and the supervisory authority.

  • The category of personal data affected by the infringement.

  • The manner in which the inspection authority became aware of the infringement.

  • Adherence to codes of conduct under article 40 or to approved certification mechanisms.

  • Any previous infringement committed by the data controller or processor.

  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided by means of the infringement, either directly or indirectly.


In case of non-compliance with the GDPR, what are the penalties?

Article 83 of the Regulation sets out the amount of the fines to be imposed and separates them into two ranges:

     1. Severe penalties

A maximum of EUR 10 million or, in the case of a company, an amount equivalent to a maximum of 2% of the overall total annual turnover of the previous financial year, whichever is greater, in the case of the following infringements:
    • The obligations of the person responsible and the official under Articles 8, 11, 25 to 39, 42 and 43

    • The obligations of certification authorities under Articles 42 and 43 (certification and certification body).

    • The obligations of the control body (supervision of approved codes of conduct).

     2. Very severe penalties

A maximum of EUR 20 million or, if it is a company, an amount equivalent to 4% of the total annual turnover of the previous financial year, whichever is greater, if the following rules are not respected:
    • The basic principles for processing, including the requirements for consent (principles relating to processing, lawfulness of processing, conditions for consent, and processing in special categories of personal data).

    • The rights of the data subjects (transparency and methods, information and access to personal data, right of rectification and suppression, right of opposition and automated individual decisions).

    • Transfers of personal data to a recipient in a third country or an international organisation (general transfer principle, transfers based on an adjustment decision, transfers using appropriate safeguards, mandatory corporate rules, transfers or communications not authorised by union law, and exceptions for specific situations).

The processing of data without the explicit consent of the data subject:

Currently: maximum penalties of €300K.

Under the GDPR: 20M euros or 4% of the total annual turnover of the previous financial year.


In addition to the above, the GDPR allows Member States to lay down rules on criminal penalties for infringements of the GDPR.

These penalties could even result in deprivation of the profits obtained as a result of the processing in question in violation of the provisions of the regulations.


The electronic signature of Signaturit is a fast and cost-effective solution to obtain the unambiguous and / or explicit consent.

To transform the tacit consents into unambiguous and / or explicit, Signaturit's electronic signature is presented as the best solution.

A practical, safe and legal mechanism that converts consent through electronic signature into a clear affirmative act, which is what the GDPR requires.

The electronic signature, with its timestamp, allows to prove the integrity of the consent, converting this act in an easy and safe process with full legal guarantees.


Compensation for damages

Another important point of the GDPR is the provision, in Article 82, of the right of claimants who have suffered material or immaterial damages as a result of an infringement of the GDPR to receive compensation from the data controller for the damages suffered.

The GDPR allows the claimant to exercise their right by means of a mandate to an entity, organisation or non-profit association to present and pursue the claim on their behalf.

It can therefore be expected that the number of complaints received by companies and entities will increase substantially.


There is no doubt that, with the new GDPR, all entities and companies are being forced to review their data protection performance and security measures in order to avoid the unpleasant consequences of non-compliance.

This is not only about the high level of penalties, which has a clear deterrent purpose, but also about the damage to the reputation of companies that may result from non-compliance, given the growing concern of citizens about the abuse and misuse of their personal data.

It is our understanding that the various national laws will have to specify even further all those aspects that the new European legislation has not developed: issues concerning the specific graduation of penalties, or the limitation of both infringements and penalties.

This post is also available in Spanish.

New Call-to-action

Topics: GDPR

Blog Subscription

Recent Posts