DE | EN | RU (0)69 76 75 77 80Mon. - Fri. from 8am to 8pm, Sat. from 8am to 5pm

New Model For Fines For GDPR Violations

New Model For Fines For GDPR Violations

When the General Data Protection Regulation (GDPR) came into force more than four years ago, the introduction of fines as a penalty for data protection violations caused quite a stir. For the most part, the horrendous fines feared at the time did not materialize. This may now change as a result of the recent decision of the European Data Protection Board (EDPB), a body that promotes the consistent application of data protection regulations.

Imposition of fines by supervisory authorities

The GDPR provides that fines may be imposed for data protection violations. The supervisory authorities are responsible for this. They can impose fines of up to EUR 20,000,000 or, in the case of a company, up to four percent of its total annual international sales for the previous fiscal year. The decisive factor here is which of the two amounts is higher.

Moreover, repeated violations will result in higher fines. How high these are in a specific individual case is determined by the respective responsible supervisory authorities.

As a result of this assessment, the amount of the imposed fines differs significantly in the European member states. For example, a large number of fine cases are based on the processing of personal data due to insufficient legal basis. While, for example, Hungary places this type of violation by companies within a fine range of EUR 560 to 97,150, fines in Spain for such violations by companies range from EUR 4,000 to 3,000,000.

New calculation model for fines

On May 12, 2022, the EDSA adopted a new fine model. The model is aimed at national supervisory authorities and sets binding rules for them on how fines must be calculated in the future. This is intended to realign the fines imposed for GDPR violations and prevent further divergence in the fining practices followed in the individual Member States.

Higher fines as a result

The application of the new fine model suggests higher fines, particularly for companies that generate high turnover. The background here is that the model encourages the supervisory authorities to make greater use of the sales of the offending company when determining the basis for calculation.

After assessing the relevant circumstances of the individual case, which influence the amount of the fine, the supervisory authorities shall also consider whether the amount they calculate is effective, proportionate and dissuasive. The latter may also have an adverse effect on the amount of the fine. This is because the higher the fine, the more deterrent its effect is.

Your advisors on the subject of GDPR fines

We will not only provide general advice in the area of data protection compliance in order to avoid the imposition of fines, but will also represent you in pending fine proceedings before the supervisory authorities. If there is any doubt about the amount of a fine imposed, we will pursue a review in court on your behalf. Our experts in data protection law can easily be reached by e-mail ( or by phone (+49 69 76 75 77 80).

Continue reading:
Data Protection Compliance in Germany in Three Steps
Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

Stefan Winheller

Attorney Stefan Winheller has specialized in tax law for about 20 years, especially in the areas of cryptocurrencies, foundations/nonprofits and international tax law.

>> show profile

Leave a Comment

Your email address will not be published. Required fields are marked with *

WINHELLER Blog via Newsletter

Subscribe to our free newsletter and receive regular updates on German business law by e-mail. (Mandatory fields are marked with *)

German Business Law News (4 times a year)
I would like to subscribe to the selected newsletter and for that purpose give my consent to WINHELLER to process my above mentioned data. I have read the "Information for Data Processing in the Newsletter Subscription". I understand that I can revoke my consent at any time with effect for the future by clicking the unsubscribe button within the newsletter. *