CIPP/E Study Guide
IAPP Training · Module 11 - BoK IV.C / IV.D

Module 11 · Remedies, liabilities & administrative fines

The GDPR sets two fine tiers: up to €10 million or 2% of worldwide annual turnover (lower tier) and up to €20 million or 4% (higher tier), in each case whichever is higher. Fines must be effective, proportionate and dissuasive. The WP29 fining guidelines list the factors supervisory authorities (SAs) weigh, and individuals have remedies including complaints, an effective judicial remedy and compensation.

Fines are capped under a two-tier system: the applicable ceiling is whichever is higher of the fixed euro figure or the percentage of worldwide annual turnover.

The two fine tiers
Tier        | Cap (whichever is higher)                        | Nature of infringement
Lower tier  | €10 million or 2% of worldwide annual turnover   | e.g. controller/processor obligations, records, security, certification
Higher tier | €20 million or 4% of worldwide annual turnover   | e.g. basic principles, lawful basis, data subject rights, international transfers

Under the WP29 "Guidelines on the Application and Setting of Administrative Fines" (still in effect, having been endorsed by the EDPB), an infringement may attract only a reprimand rather than a fine where it poses no significant risk, or where a fine would be a disproportionate burden on a natural person.

WP29 factors for setting the size of a fine
Factor                   | What it weighs
Number of data subjects  | How many people are affected
Categories of data       | Sensitivity (e.g. special-category data)
Purpose of processing    | Why the data was processed
Intention vs negligence  | Deliberate breach vs carelessness
Damage suffered          | Harm caused to data subjects
How the SA learned of it | Self-report vs third-party tip-off
Duration                 | How long the infringement lasted
Previous infringements   | Track record / repeat offences
Mitigation & adherence   | Steps taken; codes of conduct / certifications

Remedies available to individuals
  • Complain to a supervisory authority
  • Right to an effective judicial remedy
  • Compensation for damage (rare in practice)
  • Representation by bodies (class-action-style)
  • Member States may set additional penalties

Enforcement case studies
Case                      | Fine           | Reason
CNIL v Google (2019)      | €50 million    | Lack of transparency / valid consent for ad personalisation; the one-stop-shop mechanism did not apply; upheld on appeal in 2020
H&M (German SA, 2020)     | ~€35.2 million | Secretly monitoring employees
Meta (Irish DPC, 2023)    | €1.2 billion   | US transfers contrary to Schrems II

Don't confuse the tiers

Lower tier = €10m or 2%; higher tier = €20m or 4%. Breaching basic principles, lawful basis, data subject rights or transfer rules attracts the higher tier.

Key terms - quick answers

What is “Administrative fine”?
A monetary penalty an SA may impose for GDPR infringement; must be effective, proportionate and dissuasive.
What is “Effective judicial remedy”?
An individual's right to take a controller, processor or SA to court over a GDPR infringement.
What is “Compensation”?
An individual's right to claim damages for material or non-material harm from a GDPR infringement (rare in practice).
What is “Reprimand”?
A corrective measure short of a fine, appropriate where an infringement poses no significant risk or a fine would disproportionately burden a natural person.