What are the penalties for non-compliance with GDPR?

There are two tiers of GDPR fines, depending on the severity of the violation, as defined in Articles 82-84.

  • The lower tier of fines applies to less severe violations and can reach up to €10 million or 2% of a firm’s annual revenue from the previous financial year, whichever amount is higher.
  • The higher tier of fines applies to serious violations and can reach up to €20 million or 4% of a firm’s annual revenue from the previous financial year, whichever amount is higher.

The exact fine will depend on numerous factors, such as the severity of the non-compliance, the potential number of data breaches, infringement of data subject rights, and so on. However, not all GDPR infringements lead to monetary fines. Data protection authorities (DPAs) can take other actions, such as issuing reprimands and warnings, imposing temporary bans, or suspending data transfers to third countries.