Under the GDPR, there is a two-tier system for fines. The maximum penalty under the first tier is €10 million or 2% of global turnover, whichever is greater. The maximum penalty under the second tier is €20 million or 4% of global turnover, whichever is greater.
Which tier will be used?
Whether the first tier or the second tier is used depends on the type of breach. The first tier is used when organisations do not adhere to certain responsibilities under the GDPR, including (amongst other things) failing to:
- implement appropriate security measures to safeguard personal data
- introduce data protection policies and procedures
- enter into GDPR compliant contracts
- appoint a Data Protection Officer (if required)
- carry out Data Protection Impact Assessments (if required)
- report a personal data breach (if required)
The second tier is used for more serious breaches, including failing to:
- comply with the Data Protection Principles
- have a legal basis for processing personal information
- obtain valid consent
- respond appropriately when an individual wishes to exercise their rights under the GDPR
Transferring personal data outside the EU without adequate safeguards in place will also use the second tier.