CIPP/E Study Guide
Ch 13.6 - Sanctions and penalties

Administrative fines: the two tiers and how they are set (Article 83)

The fines regime (Article 83) has two tiers. The lower tier (Art 83(4)) caps fines at €10 million or 2% of total worldwide annual turnover, whichever is higher. The higher tier (Art 83(5)) caps them at €20 million or 4%, whichever is higher. Which tier applies depends on which articles were infringed. All fines must be effective, proportionate and dissuasive, and the DPA must weigh the Article 83(2) factors (nature/gravity/duration, intent vs negligence, mitigation, cooperation, prior infringements, etc.). An 'undertaking' means an economic unit, so the turnover counted can - but need not - be that of a whole group.

The two fining tiers and which infringements fall into each
| | Lower tier - Article 83(4) | Higher tier - Article 83(5) |
|---|---|---|
| Cap (undertakings) | Up to the higher of €10 million or 2% of total worldwide annual turnover (preceding year) | Up to the higher of €20 million or 4% of total worldwide annual turnover (preceding year) |
| Cap (non-undertakings, e.g. public authorities) | Up to €10 million | Up to €20 million |
| UK GDPR equivalent | ~£8.7 million | ~£17.5 million |
| Articles covered | Arts 8, 11, 25–39, 42 and 43 (controller/processor); Arts 42–43 (certification bodies); Art 41(4) (monitoring bodies) | Arts 5, 6, 7, 9, 12–22, 44–49, and 58(1) and (2) |
| Typical issues | Child consent, data protection by design and default, engaging processors, records of processing, security, breach notification, DPIAs, DPOs, codes and certifications | Data protection principles, lawfulness, consent, special category data, data subject rights, international transfers, ignoring the DPA's investigatory/corrective powers |

Whichever is HIGHER

For undertakings the cap is the higher of the fixed figure or the percentage - not whichever is lower. So a large company could face far more than €20m. Multiple breaches straddling both tiers can be taken at the higher level (Art 83(3): the total cannot exceed the amount for the most serious breach).

  • Article 83(2) factors include: nature, gravity and duration; intentional or negligent character; mitigation taken; degree of responsibility (Arts 25 & 32); previous infringements; degree of cooperation; categories of data affected; how the DPA found out (self-reporting); adherence to codes/certifications; any other aggravating/mitigating factor
  • Article 83(7): member states may decide whether and how far fines apply to public authorities, possibly taking them out of the regime
  • Group turnover may be used where the group is a single economic unit - a rebuttable presumption applies where a parent holds ~100% of a subsidiary

Key terms - quick answers

What is “Article 83(4)”?
The lower fining tier: up to €10 million, or 2% of total worldwide annual turnover for undertakings, whichever is higher.
What is “Article 83(5)”?
The higher fining tier: up to €20 million, or 4% of total worldwide annual turnover for undertakings, whichever is higher.
What is “Undertaking”?
An economic unit engaged in commercial activity (companies). Recital 150 ties it to TFEU Arts 101–102 competition law, so a group acting as one unit may be treated as a single undertaking.
What is “Effective, proportionate and dissuasive”?
The mandatory character of all administrative fines under Article 83(1).