Administrative fine

The administrative fine is the central sanction under the General Data Protection Regulation that supervisory authorities use to penalise breaches of data protection law. Art. 83 GDPR provides two fining tiers. For infringements of formal obligations (such as Art. 8, 11, 25 to 39, 42 and 43 GDPR), fines of up to EUR 10 million or 2 % of the total worldwide annual turnover of the preceding financial year may apply, whichever is higher. For infringements of the basic processing principles, the lawfulness of processing, data subject rights (Art. 12 to 22) or the rules on third-country transfers, the ceiling doubles to up to EUR 20 million or 4 % of worldwide annual turnover.

The amount of a fine is determined case by case using the criteria in Art. 83(2) GDPR. Relevant factors include the nature, gravity and duration of the infringement, the number of data subjects affected and the level of damage suffered, the degree of fault (intentional or negligent), measures taken to mitigate the harm, the degree of responsibility in view of technical and organisational measures, any relevant previous infringements, the degree of cooperation with the supervisory authority and the categories of personal data concerned. The European Data Protection Board has issued Guidelines 04/2022 setting out a turnover-based calculation methodology to promote consistent application across the EU.

Procedurally, the competent supervisory authority imposes the fine in a formal administrative procedure; for cross-border processing the lead supervisory authority acts together with the authorities concerned under the consistency mechanism. In Germany the procedure follows the Act on Regulatory Offences (OWiG) in conjunction with Section 41 BDSG. Every fine must be effective, proportionate and dissuasive (Art. 83(1) GDPR). The fining decision can be challenged before the courts, and non-monetary corrective measures such as warnings, orders or processing bans under Art. 58 GDPR may be imposed in addition to or instead of a fine.