Fines?

The Dutch Data Protection Authority (DPA) monitors compliance with the regulation and can impose fines. The maximum fine is 20 million euros or 4% of global annual sales (whichever is higher). Under EU law, sanctions must be effective, proportionate and dissuasive. This last point is probably why the maximum fines are so high. (Please note: this paragraph concerns fines imposed by the Dutch Data Protection Authority (DPA).)

Violations

The GDPR lists two categories of violations. When a party responsible for processing data violates one of the more fundamental obligations of the GDPR, it can be punished with a fine in the highest category. This mainly concerns violations of a data subject's rights, such as the right of access, the right to data erasure and the right to data portability, or, for example, transfers of personal data to countries or organizations outside the EU.

The second category mainly covers failures to follow the procedures set out in the GDPR, such as not appointing a data protection officer, not reporting data breaches, or taking insufficient security measures.

Considerations when imposing a fine

It further follows from the GDPR that a supervisory authority must carefully consider whether imposing a fine is appropriate (effective, proportionate and dissuasive) for the violation in question. If the infringement is minor, the authority may decide to reprimand the offender instead of imposing a fine. Supervisory authorities are free to set their penalty policies as they see fit.
