5.4 Enforcement, Remedies & Fines
Key Takeaways
- The GDPR has two administrative-fine tiers under Article 83: up to EUR 10 million or 2% of total worldwide annual turnover for the lower tier, and up to EUR 20 million or 4% for the higher tier, whichever is higher in each case
- The higher 4% / EUR 20M tier covers breaches of the basic principles, lawful-basis and consent conditions, data subject rights, and the rules on international transfers (Article 83(5))
- Article 83(2) lists the factors a DPA weighs when setting a fine, including the nature, gravity, and duration of the breach, intent or negligence, mitigation, and prior infringements
- Data subjects have judicial remedies: the right to an effective remedy against a DPA (Article 78) and against a controller or processor (Article 79), and the right to compensation for material or non-material damage (Article 82)
- Under Article 82, a controller is liable for damage caused by non-compliant processing, while a processor is liable only where it breached processor-specific obligations or acted outside lawful instructions
The Two-Tier Fine System (Article 83)
The GDPR's administrative fines come in two tiers, and the exam expects you to map a violation to the correct tier. In each tier the regulator takes whichever is higher — the fixed euro cap or the percentage of total worldwide annual turnover of the preceding financial year. "Whichever is higher" matters: for a multinational, 4% of turnover usually dwarfs EUR 20 million.
| Tier | Maximum fine | Triggers |
|---|---|---|
| Lower tier (Art. 83(4)) | Up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher | Controller/processor obligations: data protection by design and default (Art. 25), records (Art. 30), security (Art. 32), breach notification (Arts. 33-34), DPIA (Art. 35), DPO designation (Arts. 37-39), child-consent verification (Art. 8), processor terms (Art. 28), and the duties of certification bodies (Arts. 42-43) and code-of-conduct monitoring bodies (Art. 41(4)) |
| Higher tier (Art. 83(5)-(6)) | Up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher | Basic principles incl. consent (Arts. 5, 6, 7, 9), data subject rights (Arts. 12-22), international transfers (Arts. 44-49), Member State law adopted under Chapter IX, failure to grant a DPA access (Art. 58(1)), and non-compliance with a DPA order or processing limitation under Art. 58(2) |
Memory hook: the higher tier protects the things closest to the data subject — the principles, their rights, and where their data goes. Where one act breaches several provisions, Article 83(3) caps the total at the amount of the gravest infringement, not the sum.
Factors That Set the Fine (Article 83(2))
Fines must be effective, proportionate, and dissuasive. When deciding whether to fine and how much, the DPA weighs the Article 83(2) factors:
- The nature, gravity, and duration of the infringement, taking into account the nature, scope, and purpose of the processing, the number of data subjects affected, and the level of damage they suffered
- Whether the infringement was intentional or negligent
- Action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility, considering the technical and organisational measures implemented under Arts. 25 and 32
- Any relevant previous infringements by the same controller or processor
- The degree of cooperation with the supervisory authority to remedy the infringement and mitigate its effects
- The categories of personal data affected (e.g., special-category data under Art. 9)
- The manner in which the infringement became known to the DPA, in particular whether and to what extent the controller or processor notified it (self-reporting can count in mitigation, but a mandatory Art. 33 breach notification is a duty, not a concession)
- Compliance with measures previously ordered against the same controller or processor under Art. 58(2) on the same subject matter
- Adherence to approved codes of conduct (Art. 40) or approved certification mechanisms (Art. 42)
- Any other aggravating or mitigating factor, such as financial benefits gained or losses avoided through the infringement
Fines are not mandatory for every breach. Under Article 58(2) a DPA can instead, or in addition, issue a warning, reprimand, compliance order, or processing ban. The EDPB now publishes a harmonised fine-calculation methodology, but you only need to know the factors, not the arithmetic.
Judicial Remedies and Compensation (Articles 77-82)
Beyond regulator action, data subjects have their own enforceable rights:
- Article 77 — Right to lodge a complaint with a supervisory authority, typically in the Member State of residence, work, or the alleged infringement.
- Article 78 — Effective judicial remedy against a supervisory authority, e.g., if a DPA fails to handle a complaint or does not inform the complainant within three months.
- Article 79 — Effective judicial remedy against a controller or processor, brought in the courts of the Member State where the controller/processor has an establishment, or where the data subject resides.
- Article 80 — Representation by a not-for-profit body, organisation, or association on a data subject's behalf (and, where national law allows, without a mandate).
- Article 82 — Right to compensation for material or non-material damage (including distress, loss of control over data, and reputational harm). The CJEU has held (Case C-300/21, Österreichische Post, 2023) that there is no minimum-seriousness threshold for non-material damage, but that an infringement alone is not enough: the claimant must show actual damage caused by it.
Under Article 82(2)-(3), the controller is liable for damage caused by non-compliant processing; a processor is liable only where it breached processor-specific obligations or acted outside or against the controller's lawful instructions. A party escapes liability only if it proves it is not in any way responsible for the event causing the damage. Where multiple controllers/processors are involved, each can be held liable for the entire damage to ensure the data subject is fully compensated (joint and several liability), then seek contribution from the others.
Notable Enforcement Patterns
You do not need to memorise individual case amounts, but understanding the pattern helps with scenario questions:
- The largest fines have targeted major technology and social-media platforms, frequently via the Article 65 dispute-resolution route, where the EDPB issued a binding decision after concerned supervisory authorities objected to the lead authority's draft decision (most often the Irish DPC under the one-stop-shop mechanism).
- Common themes: lack of a valid lawful basis for advertising and behavioural processing (e.g., relying on "contract" where consent was needed), inadequate transparency under Articles 13-14, and unlawful international transfers to the United States before the EU-US Data Privacy Framework adequacy decision was adopted in July 2023.
- Fines for transfer violations, lawful-basis failures, and rights breaches sit in the higher (4%) tier, which is why these cases produce the headline numbers — sometimes well above EUR 1 billion for the very largest platforms.
- DPAs increasingly issue processing bans, suspension orders, and compliance orders alongside fines; an order to stop a data flow can be far more disruptive than the monetary penalty itself.
The exam takeaway: the biggest exposure comes from the higher-tier violations — principles, rights, and transfers — not from the administrative/process obligations in the lower tier.
Member-State Sanctions and the Public Sector
Article 83 administrative fines are not the whole picture. Article 84 requires Member States to lay down rules on other penalties — including criminal sanctions — for infringements not covered by Article 83, and to make those penalties effective, proportionate, and dissuasive. This is why some national laws criminalise, for example, the unlawful obtaining or selling of personal data.
Article 83(7) lets each Member State decide whether, and to what extent, administrative fines may be imposed on public authorities and bodies established in that state; several countries cap or exclude such fines, which is why public-sector enforcement often relies on reprimands and compliance orders rather than monetary penalties. Finally, remember that a single course of conduct can attract both a regulatory fine under Article 83 and a private compensation claim under Article 82 — the two tracks are independent, and paying a fine does not extinguish a data subject's right to damages.
A global company is found to have transferred EU personal data to a third country without any valid Chapter V safeguard. Under Article 83, what is the maximum administrative fine the supervisory authority can impose?
A data subject suffers genuine emotional distress after a controller unlawfully publishes their personal data, even though they lose no money. Can they recover compensation under the GDPR?