General conditions for the imposition of administrative fines
Each supervisory authority shall ensure that the administrative fines imposed under this Article for the violations of this Regulation specified in paragraphs 4, 5 and 6 are effective, proportionate and dissuasive in each case.
Administrative fines shall, depending on the circumstances of the particular case, be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2). In deciding whether to impose an administrative fine and the amount thereof, the following shall be duly taken into account for each specific case:
the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the harm suffered by them;
the intentional or negligent nature of the infringement;
the measures taken by the controller or processor to mitigate the harm suffered by data subjects;
The extent to which the controller or processor is responsible in view of the technical and organizational measures it has implemented in accordance with Articles 25 and 32;
previous relevant breaches by the controller or processor;
The extent of cooperation with the supervisory authority to remedy the breach and mitigate its potential negative consequences;
The categories of personal data affected by the breach;
how the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor notified the breach;
compliance with the measures referred to in Article 58(2), to the extent that they were previously taken with respect to the controller or processor in question with respect to the same matter;
joining approved codes of conduct under Article 40 or approved certification mechanisms under Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or losses avoided, which may or may not directly result from the infringement.
If a controller or processor intentionally or negligently violates multiple provisions of this Regulation with respect to the same or related processing activities, the total fine shall not exceed that for the most serious violation.
Violations of the provisions below are subject to administrative fines of up to EUR 10 000 000 or, in the case of a company, up to 2% of its total annual worldwide turnover in the preceding fiscal year, whichever is higher, in accordance with paragraph 2:
the obligations of the controller and processor under Articles 8, 11, 25 to 39, and 42 and 43;
the obligations of the certifying body in accordance with Articles 42 and 43;
The obligations of the supervisory body in accordance with Article 41, paragraph 4.
Violations of the following provisions are subject to administrative fines of up to EUR 20 000 000 or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding fiscal year, whichever is higher, in accordance with paragraph 2:
The basic principles of processing, including conditions of consent, in accordance with Articles 5, 6, 7 and 9;
the rights of data subjects in accordance with Articles 12 to 22;
transfers of personal data to a recipient in a third country or an international organization in accordance with Articles 44 to 49;
all obligations under law established by member states under Chapter IX;
non-compliance with an order or temporary or permanent processing restriction or suspension of data flows by the supervisory authority in accordance with Article 58(2), or failure to grant access in violation of Article 58(1).
Non-compliance with an order of the supervisory authority referred to in Article 58(2) shall be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total annual worldwide turnover in the preceding fiscal year, whichever is higher, in accordance with paragraph 2 of this Article.
Without prejudice to the powers of corrective action of supervisory authorities under Article 58(2), each Member State may adopt rules concerning whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.
The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union and Member State law, including effective remedy and due process.
Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a way that fines are initiated by the competent supervisory authority and imposed by competent national courts, ensuring that these remedies are effective and have an equivalent effect to administrative fines imposed by supervisory authorities. In any case, the fines shall be effective, proportionate and dissuasive. Those Member States shall notify the Commission of the legislative provisions they adopt pursuant to this paragraph by May 25, 2018, and without delay of any subsequent amendments thereto and of any amending legislation affecting them.
