Penalties

What are the GDPR penalties for non-compliance?

GDPR penalties make non-compliance an expensive mistake for organisations of any size.
Under Article 83, administrative fines are applied on a two-tier basis, depending on which obligations were infringed and how serious the infringement was.


What are the tiers of GDPR penalties?

  • Lower tier: Up to 2% of total worldwide annual turnover for the preceding financial year or €10 million, whichever is higher. Applies to breaches of controller and processor obligations, such as not maintaining records of processing, failing to notify a personal data breach, or not carrying out a required data protection impact assessment.
  • Upper tier: Up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. Applies to the most serious infringements, such as violating the core processing principles, the conditions for consent, data subjects’ rights, the rules on international transfers, or an order issued by a supervisory authority.


What factors influence GDPR fines?

The supervisory authority of each EU member state (its data protection authority, or DPA) decides whether to impose a fine and how large it should be, taking into account the factors listed in Article 83(2):

  • Nature and gravity: What part of the GDPR was breached and how severe it was.
  • Scope and impact: How many individuals were affected and the level of harm caused.
  • Duration: How long the infringement lasted.
  • Intent: Whether it was deliberate or due to negligence.
  • Type of data: Whether sensitive data was involved.
  • Mitigation: Steps taken to reduce harm.
  • Accountability: Evidence of technical and organisational measures in place.
  • History: Any previous violations or corrective actions.
  • Cooperation: Willingness to work with authorities.
  • Notification: How promptly the breach was reported.
  • Codes of conduct: Whether approved standards or certifications were followed.
  • Proportionality: In every individual case the fine must be effective, proportionate and dissuasive.


Where can I see examples of GDPR fines?

You can explore real enforcement cases in the GDPR Enforcement Tracker — a public database of penalties issued by data protection authorities across the EU.


How does the GDPR differ from the previous Directive?

The GDPR is a regulation, meaning it applies directly and uniformly across all EU member states without needing to be transposed into national law.
The previous Data Protection Directive (95/46/EC) had to be implemented separately by each member state, which led to inconsistent rules and enforcement between countries. The GDPR replaces those national variants with a single, directly enforceable standard across the EU (member states retain limited room to specify certain provisions, for example in employment law).


Do non-EU companies need to comply with the GDPR?

Yes. Under Article 3(2), the GDPR applies to any organisation that processes the personal data of individuals who are in the EU, even if it has no establishment in the EU, where the processing relates to:

  • Offering goods or services to people in the EU, whether or not payment is required.
  • Monitoring the behaviour of individuals, as far as that behaviour takes place within the EU (for example, tracking website visitors or profiling users).

Such non-EU organisations must also designate a representative in the EU under Article 27, unless the processing is occasional, does not involve large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to the rights and freedoms of individuals.


What if my company operates outside the EU but employs staff located in the EU?

Non-EU employers with staff located in the EU must comply with GDPR requirements when processing those employees’ personal data.
Note that the trigger is where the individual is, not their nationality: the GDPR protects anyone in the EU regardless of citizenship or residence status, so an EU citizen working for you outside the EU is not covered on that basis, while a non-EU national working for you in the EU is.


Do we need to comply if we don’t charge for our services?

Yes. The GDPR applies to all organisations processing personal data, and Article 3(2)(a) states explicitly that it is irrelevant whether a payment is required for the goods or services offered.


Does the GDPR apply to manual (non-automated) data processing?

Yes. Under Article 2(1), the GDPR covers processing carried out wholly or partly by automated means (which includes any database or spreadsheet) and also manual processing of personal data that forms part of a filing system, or is intended to form part of one. A filing system is any structured set of personal data accessible according to specific criteria, for example paper HR files organised alphabetically by employee name.
Unstructured manual records, such as loose handwritten notes that are not filed according to any criteria and are not intended to be, fall outside the GDPR’s scope.