The GDPR has been in force for more than three years, and during this time organizations that violated the rules for processing personal data have amassed 2,761,586,432 euros in fines. The largest fines are €746 million for Amazon, which targeted ads without user consent; €406 million for Instagram, for violating children's privacy; €256 million for Facebook, for leaking user data; and €90 million for Google, for using a non-compliant cookie consent procedure that made it difficult for users to refuse cookies on Google and YouTube.
Our GDPR lawyers will help you figure out what determines the size of the GDPR fines and what to do to reduce it.
Criteria for determining penalties under the GDPR
The regulation defines two levels of fines depending on the severity of the violation.
Less severe violations result in fines of up to 10 million euros or up to 2% of the organization's turnover for the previous financial year, whichever is higher. Usually, such violations are formal and do not have negative consequences. Examples include the absence of a data protection officer in the company or a violation of the technical encryption of information.
For severe violations, the maximum fine can be up to 20 million euros or up to 4% of the previous financial year's turnover, whichever is higher. You may receive such a fine if you violated the principles of GDPR compliance, did not respond to customer requests, processed their personal data without consent or other legal grounds, or did not take technical measures to avoid data leakage.
The biggest GDPR fine of €746 million was imposed on Amazon Europe by the Luxembourg National Commission for Data Protection (CNPD). The supervisory authority found that the online store did not obtain user consent before storing advertising cookies.
Huge fines often consist of several separate ones, assigned for different violations. If the supervisory authority learns about several independent violations at the same time, it assigns a separate fine for each of them, and each fine is calculated individually.
What does the supervisory authority take into account when determining a GDPR sanction?
The GDPR defines 10 criteria that the supervisory authority takes into account to determine the amount of the fine.
- The nature, gravity and duration of the GDPR violation. The supervisory authority will take into account the number of data subjects affected by the breach of data protection regulation, the extent of the damage, the nature of the breach, why and how it happened, and how long it lasted.
For example, Facebook leaked the personal information of 533 million users, who could then become victims of fraud, spam, phishing and smishing, so the risks were high. The breach continued for more than a year. Therefore, the supervisory authority considered such damage significant and imposed a fine of 256 million euros.
- Intention. The supervisory authority will determine whether the GDPR breach was intentional or negligent.
In the Facebook case, the supervisory authority decided that the lack of technical and organizational measures in the social network’s IT system was negligent.
- Risk reduction. The penalty under GDPR will be reduced if the organization has taken action to mitigate the harm caused to data subjects.
Facebook immediately took action and reduced the likelihood of further mass scraping of users' personal data.
- Responsibility. The supervisory authority will establish the extent of the organization's liability and analyze the company's history and previous violations. Any such previous violations will be counted as aggravating factors. In addition, corrective actions taken earlier with respect to the organization on the same issue are taken into account.
In the Facebook case, it was found that there were no similar violations, and this became a mitigating factor.
- The level of cooperation with the supervisor that the organization has demonstrated to address the breach and mitigate possible consequences.
- The categories of data affected by the breach.
The categories of personal data made public through the Facebook platform included users' mobile phone numbers, names, gender, location, occupation, and marital status. This personal information, by its nature, carries the risk of infringing the rights of data subjects, such as the risk of fraud. Scrapers could combine the data that became public through the fault of the social network with the data that users had posted in public accounts. This increases the risk of fraud and is taken into account by the supervisory authority as an aggravating factor.
- Infringement notice. The supervisory authority will establish whether the organization has reported the violation to it.
- Codes of conduct. The supervisory authority will determine whether the organization has adhered to approved codes of conduct or certification mechanisms.
- Other aggravating or mitigating factors. For example, whether financial benefits were obtained or losses averted.
How to minimize the GDPR fine?
If you have violated GDPR requirements, we advise you to act proactively in order to reduce the fine.
- Immediately after a violation is identified, take technical, organizational and legal measures to eliminate the violation and minimize damage. Don't delay resolving the issue: the longer the violation lasts, the higher the fine will be.
- If the violation becomes known to the supervisor, cooperate with it to demonstrate a willingness to promptly correct the consequences, implement technical and organizational measures, and ensure that the situation does not happen again.
- Report the data breach to the supervisory authority. The supervisory authority imposes the largest fines for concealment.