GDPR Fines Explained: How They Work, Who Issues Them, and What They Cost
TL;DR — Quick Answer
GDPR fines can reach EUR 20 million or 4% of global group turnover. They are administrative actions issued by national DPAs based on severity, intent, cooperation, and compliance history.
A comprehensive guide to understanding GDPR enforcement actions, from the basics of how fines are issued to the maximum penalties organizations can face.
The Fundamentals
GDPR fines are administrative actions, not court rulings. Any violation of the regulation can potentially result in a fine. These penalties are issued by data protection authorities (DPAs) in each EU member state. Importantly, fines are distinct from damages -- they serve different purposes and are enforced by different bodies.
How Fines Are Calculated
Several factors influence the size of a GDPR fine: the scope and impact of the violation, whether it was intentional or negligent, the organization's compliance history, whether sensitive data was involved, and the level of cooperation with the investigating DPA.
The maximum penalty is EUR 20 million or 4% of annual worldwide turnover, whichever is greater. For corporate groups, turnover can be calculated across the entire group, not just the individual entity that committed the violation. Whether fines are made public varies by jurisdiction.
Data Breach Fines
Organizations can be fined specifically for data breaches if their security measures were inadequate. The GDPR also requires organizations to self-report serious breaches to the relevant DPA, and failure to do so can result in additional penalties.
The Enforcement Process
Fines are typically issued following a DPA investigation, which is usually triggered by a complaint. Organizations can challenge fines through judicial review, and in some jurisdictions, through administrative appeal processes.