
F is for Fines in GDPR

There are many reasons for getting a fine under the GDPR, and there are ways of influencing both the probability of getting one and the size of the fine. Before you continue to read, I suggest grabbing an extra cup of something, because minds will be blown and heads might burst. But let’s start easy.

The criteria for getting a fine as a controller

There are a number of criteria (listed in Article 83(2) GDPR) that determine whether you as controller get a fine at all and how high the fine will ultimately be:

  • the nature, gravity and duration of the infringement
  • whether the infringement was intentional or negligent
  • what you or your processor did to mitigate the damage suffered by data subjects
  • your degree of responsibility, taking into account the technical and organizational measures you had implemented
  • whether you or your processor have had previous infringements / breaches
  • whether you cooperate with the Supervisory Authority
  • what categories of personal data were affected
  • whether you or your processor notified the Supervisory Authority of the infringement yourselves, or whether it found out some other way
  • whether measures were previously ordered against you or your processor for the same kind of infringement, and whether you or your processor complied with them
  • whether you adhere to an approved code of conduct or have an approved certification mechanism in place
  • any other aggravating or mitigating factor applicable to the circumstances, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement


Why you need to audit your vendors

Have you noticed how the list above keeps mentioning ‘you as controller AND your processor’? In other words, you are also responsible for your processor (to a certain degree). The GDPR only allows you (as controller) to use processors that provide sufficient guarantees, which in practice means auditing your vendors before you enter into an agreement with them and again while the processing agreement is in place (check out A is for Audit). There is no fixed frequency for audits, but yearly is the standard, and sooner and more often if necessary (for instance if you know that your vendor had a data breach, even if it wasn’t your personal data but that of another client of theirs).
You must know beforehand what you’re getting yourself into and make a conscious decision to continue with that particular processor, and after every audit you make that conscious decision again. Keep a record of each decision, because under the accountability principle you have to be able to prove it.


Where are the fine amounts mentioned?

Obviously, the size of the fine depends on the criteria above, among other things. What other things, you might ask? Well, I can only speak for the Dutch system, but the Dutch Data Authority goes by the fine bandwidths published in the Government Gazette (No 14586, 14th of March 2019). For each statutory maximum fine, the Dutch Data Authority has classified the violations of the GDPR and the other laws it supervises into three or four fine categories with increasing fine amounts. This classification is based on the gravity and seriousness of the breached provision and on its relationship with the other provisions of data protection law.

Each fine category is then linked to a specific penalty bandwidth with a minimum and a maximum amount. The bandwidth must be sufficiently dissuasive for potential offenders. Within each bandwidth the Dutch Data Authority has set a basic fine. This amount is the starting point the Dutch Data Authority uses to calculate the fine in an individual case.


Sounds complicated, right? Well, it is! Let’s look at an example (and grab your second cup of coffee).

I’m not gonna lie. You’re going to need an ibuprofen at the end of this example and / or another strong cup of coffee before we start. I’ll wait. I’m going to try to break it down as much as possible, but at the same time I hope you come to understand how complicated it is.


Of the 4 main penalty categories that the Dutch Data Authority uses, I’m going to use category 2 as an example. The Government Gazette describes it as: “Violations with a statutory maximum fine of € 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher.”

Category 2 has 4 sub-categories, each with its own penalty bandwidth and basic fine:


Sub-category   Penalty bandwidth                     Basic fine
I              between € 0 and € 200,000             € 100,000
II             between € 120,000 and € 500,000       € 310,000
III            between € 300,000 and € 750,000       € 525,000
IV             between € 450,000 and € 1,000,000     € 725,000


Skip this part if you don’t like math and don’t care how the fines are calculated

The basic fine is set at the minimum of the bandwidth plus half the width of the bandwidth of the sub-category associated with a violation. For sub-category III the sum looks like this:

First, we calculate the difference between the top and the bottom of the bandwidth: € 750,000 – € 300,000 = € 450,000. Then we divide that number by 2, which gives € 225,000, and add it to the minimum: € 300,000 + € 225,000 = € 525,000, the basic fine for sub-category III.


How high are the fines for a specific violation?

All articles in the GDPR are assigned to one of the main categories (Categories 1 to 4), and each category has its own sub-categories. Each article, in its entirety or per paragraph, has been given a place in one of the categories and sub-categories.

  • Article 6 – lawfulness of processing: Category 2, sub-category III
    You may only process personal data if you have a lawful basis, for instance consent. If consent is your lawful basis but you don’t have it or can’t prove it, the basic fine is € 525,000 (within a bandwidth of € 300,000 to € 750,000).

  • Article 12, paragraphs 3, 4 and 5 (transparent information, communication and modalities for the exercise of the rights of the data subject): Category 2, sub-category II
    The controller must respond to requests from data subjects without undue delay (and in any event within one month), must tell the data subject why it is not acting on a request, and may not charge a fee for providing data subjects with their own information, except for requests that are manifestly unfounded or excessive.
    If you as controller do not comply with these paragraphs, the basic fine is € 310,000 (within a bandwidth of € 120,000 to € 500,000).


Not to worry. I’m insured! (but is that enough?)

It could be, but I wouldn’t just assume it. Have you even read the fine print in your insurance papers? If you did, you’re one of very few. But kidding aside, it could very well be that if you didn’t have appropriate measures in place to protect the personal data (see D is for Data breach and E is for Encryption), the insurance company will say that you didn’t hold up your end of the deal, and then good luck paying the fine.
Ask yourself: are you willing to lose your car or your house, or to pay off the debt for the rest of your life? Not trying to sound harsh, but it is a harsh reality.


I have an Ltd. (in Dutch B.V.) – so I’m protected. Or am I?

Don’t assume that your personal liability is shielded by the legal form of your business (B.V. or Ltd). Under various laws and regulations, and in certain circumstances, you can still be held personally liable if it can be proven that you did not do your due diligence when entering into a processing agreement, did not have proper risk management in place, and so on.


Would you like to forget what you just read and leave it up to a professional?

Please don’t hesitate to contact me for advice on how you can avoid penalties under the GDPR.


Can’t get enough? Sign up for the 60 Day Privacy & Risk Challenge

If for some strange reason you were able to follow this without ibuprofen and a strong cup of coffee, follow the 60 Day Privacy & Risk Challenge, where I promise you will learn how to avoid penalties and how to protect your organization and the personal data it holds. Sign up now