Artifact GuideEU

EU GDPR penalties and fines

Use this guide to separate GDPR administrative-fine tiers from the factors supervisory authorities weigh before imposing a fine.

Grounded in Article 83, Article 58, GDPR accountability provisions, breach-notification guidance, and CJEU case-law summaries on fine conditions.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

GDPR fine exposure is not just a maximum-number lookup. Article 83 sets two administrative-fine tiers, requires fines to be effective, proportionate, and dissuasive, and lists case-specific factors that can raise or reduce the amount. Article 58 also matters because a supervisory authority can use warnings, reprimands, compliance orders, processing bans, erasure orders, data-flow suspensions, and fines depending on the facts.

Section 1

Article 83 fine tiers

Start with the tier, then test the facts. Article 83(4) covers several operational obligations, including controller and processor duties in Articles 8, 11, 25 to 39, certification duties, and monitoring-body duties. That tier can reach EUR 10,000,000, or for an undertaking, 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83(5) covers higher-tier infringements: basic processing principles and consent conditions, data-subject rights, international-transfer rules, certain Member State law obligations under Chapter IX, and non-compliance with Article 58 access, limitation, suspension, or order powers. Article 83(6) also puts non-compliance with a supervisory-authority order in the higher tier. The higher tier can reach EUR 20,000,000, or for an undertaking, 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.

  • Use the EUR 10 million or 2 percent tier for Article 83(4) operational obligations before considering assessment factors.
  • Use the EUR 20 million or 4 percent tier for Article 83(5) principles, rights, transfers, certain Chapter IX obligations, and Article 58 non-compliance.
  • Where several provisions are infringed in the same or linked processing operations, Article 83(3) caps the total administrative fine at the amount specified for the gravest infringement.
  • Article 83(7) leaves room for Member States to decide whether and to what extent administrative fines apply to public authorities and bodies established in that Member State.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 83 provides the two administrative-fine tiers, the gravest-infringement cap, and the public-authority caveat.
Section 2

Article 83 assessment factors

The fine tier is only the ceiling. Article 83(2) requires the supervisory authority to consider the circumstances of the individual case when deciding whether to impose a fine and when setting the amount.

A useful internal assessment should mirror the Article 83(2) list: what happened, how long it lasted, how many people were affected, what harm occurred, whether conduct was intentional or negligent, what mitigation happened, what technical and organisational measures existed, whether there were previous infringements, and how the organisation cooperated with the authority.

  • Document the nature, gravity, duration, processing purpose, number of affected data subjects, and level of damage.
  • Record whether the infringement appears intentional or negligent, because CJEU summaries in the grounding state that Article 83 fines require intentional or negligent infringement.
  • Keep mitigation evidence: containment steps, user-protection steps, remediation owners, completion dates, and proof that damage to data subjects was reduced where possible.
  • Show the degree of responsibility with Article 25 privacy-by-design records, Article 32 security measures, risk reviews, control tests, and decision approvals.
  • Record cooperation, notification route, affected data categories, prior Article 58 measures on the same subject matter, approved code or certification reliance, and any financial benefit gained or loss avoided.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 83(2) lists the factors for deciding whether to impose an administrative fine and how much it should be.
CJEU fact sheet on protection of personal data
Summarizes CJEU rulings that Article 83 fines require an intentional or negligent infringement and that Member States cannot add substantive fine conditions beyond the GDPR.
Section 3

Article 58 powers before and beside fines

Do not treat an administrative fine as the only enforcement result. Article 58 gives supervisory authorities investigative powers, corrective powers, and advisory or authorization powers. Article 83 says fines may be imposed in addition to, or instead of, several Article 58 corrective measures depending on the individual case.

For response planning, the highest-risk Article 58 outcomes are not always monetary: an order to comply, a temporary or definitive processing limitation, a processing ban, an erasure or restriction order, a breach-communication order, or suspension of data flows can be more urgent than the fine amount.

  • Prepare for investigative powers: information requests, audits, certification reviews, alleged-infringement notices, access to personal data, and access to premises or processing equipment where procedural law allows.
  • Prepare for corrective powers: warnings, reprimands, orders to satisfy data-subject requests, orders to bring processing into compliance, breach-communication orders, processing limits or bans, erasure or restriction orders, certification withdrawal, fines, and data-flow suspension.
  • Track Article 58 orders as evidence inputs for Article 83 because repeat non-compliance with measures on the same subject matter is an assessment factor.
  • Escalate any Article 58 order or access request to legal, privacy, security, and the accountable business owner immediately, with a single evidence owner for the response file.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 58 lists supervisory-authority investigative and corrective powers, including administrative fines and data-flow suspension.
Section 4

Accountability evidence that reduces uncertainty

The evidence file should prove the Article 83 factors, not merely assert compliance. Build it around the processing operation, the controller or processor role, the affected data categories, the specific infringement question, and the corrective steps taken.

The grounding supports accountability evidence for controllers and processors: Article 5(2) requires controllers to be able to demonstrate compliance, Article 24 requires appropriate technical and organisational measures that are reviewed and updated where necessary, Article 31 requires cooperation with supervisory authorities, and Article 83 applies administrative-fine tiers to controller and processor obligations where relevant.

Does every GDPR infringement automatically receive the maximum Article 83 fine?

No. Article 83 sets maximum tiers and requires case-by-case assessment. The authority must consider factors such as gravity, duration, affected data subjects, damage, intent or negligence, mitigation, responsibility, prior infringements, cooperation, data categories, notification, earlier Article 58 measures, codes or certifications, and other aggravating or mitigating factors.

Can an Article 58 corrective order matter even before a fine is imposed?

Yes. Article 58 allows warnings, reprimands, compliance orders, processing limits or bans, erasure or restriction orders, breach-communication orders, certification withdrawal, fines, and suspension of data flows. Article 83 also treats compliance with earlier Article 58 measures on the same subject matter as a fine-assessment factor.

  • Keep ROPA entries, lawful-basis analysis, consent records where relevant, data-subject-right request logs, DPIAs or risk assessments, processor contracts, SCC or transfer files, security-control evidence, breach records, and supervisory-authority correspondence.
  • For processor-related exposure, keep the Article 28 contract or other legal act, controller instructions, sub-processor approvals, assistance records, breach escalation records, and evidence that processing stayed within the controller's documented instructions.
  • For breach-related exposure, keep the detection time, awareness assessment, risk assessment, notification decision, reasons for any delay, data-subject communication evidence, containment and recovery steps, and the documented breach-notification procedure.
  • For remediation, keep rejected alternatives, management approvals, control-test results, affected-service changes, customer or data-subject communications, and the owner who can show completion.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 5(2), 24, 28, 30, 32, 33, 34, 35, 58, and 83 support accountability, evidence, breach, processor, authority-power, and fine planning.
WP29 personal data breach notification guidelines
Referenced in the grounding as the breach-notification guidance endorsed by the EDPB; supports breach documentation and delayed-notification evidence for fine exposure.
Section 5

Boundaries for this penalties guide

This page intentionally stays at the GDPR and grounded EU-source level. It does not list national penalty procedures, authority-specific fine formulas, criminal sanctions, public-authority exceptions by Member State, appeal deadlines, settlement procedures, or enforcement statistics because those facts are not grounded for this artifact.

When a matter depends on local procedural law, the safe record is to cite Article 83(7), Article 83(8), or Article 83(9) only at the level the GDPR supports, then route the local question to jurisdiction-specific counsel or grounded national authority material.

  • Do not infer a Member State public-sector fine rule from Article 83(7) without a grounded national source.
  • Do not assume every supervisory authority follows the same procedure, deadline, publication practice, or settlement process.
  • Do not use breach-notification timing as the only penalty clock; Article 83 assessment depends on the underlying infringement and the case-specific factors.
  • Do not substitute certifications, supplier answers, or policy statements for evidence of actual technical and organisational measures.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 83(7) to 83(9) set limited Member State and procedural caveats without supplying national variants.
Recommended next step

Map Article 83 factors to the records your team can produce

Sorena can help convert the Article 83 tiers, Article 58 powers, and accountability evidence on this page into owner assignments, evidence requests, and review-ready response records.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about Article 83 tiers, Article 58 powers, breach evidence, and accountability records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR fine-exposure evidence file, Article 83 factor mapping, and authority-response workflow with Sorena.

Explore next step
Primary sources

References and citations

CJEU fact sheet on protection of personal data
curia.europa.eu
Referenced sections
  • Summarizes CJEU rulings that Article 83 fines require an intentional or negligent infringement and that Member States cannot add substantive fine conditions beyond the GDPR.
"intentionally or negligently"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 83(7) to 83(9) set limited Member State and procedural caveats without supplying national variants.
"appropriate procedural safeguards"
WP29 personal data breach notification guidelines
ec.europa.eu
Referenced sections
  • Referenced in the grounding as the breach-notification guidance endorsed by the EDPB; supports breach documentation and delayed-notification evidence for fine exposure.
"Personal data breach notification"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.