Article 83 GDPR
General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the administrative pecuniary sanctions applied under this Article for violations of this Regulation, as referred to in paragraphs 4, 5 and 6, are effective, proportionate and dissuasive in each individual case.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and determining its amount, due consideration shall be given in each individual case to:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects affected and the extent of their damage;

(b) the intentional or unintentional nature of the infringement;

(c) actions taken by the controller or processor to minimise damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant prior infringement by the controller or processor;

(f) the degree of cooperation with the supervisory authority with a view to removing the infringement and mitigating its possible adverse effects;

(g) the categories of personal data concerned by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the administrator or processor has reported the infringement;

(i) if measures referred to in Article 58(2) have previously been imposed on the controller or processor concerned in the same case—compliance with those measures;

(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and

(k) any other burdensome or mitigating factors applicable to the circumstances of the case, such as those directly or indirectly obtained in connection with the financial gain or losses avoided.

3. If a controller or processor intentionally or unintentionally violates several provisions of this Regulation in the same or related processing operations, the total amount of the administrative fine shall not exceed the penalty for the most serious violation.

4. Violations of the following are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, or, in the case of a company, up to 2% of its total annual worldwide turnover from the previous fiscal year, with the higher amount applying:

(a) the obligations of the controller and the processor referred to in Articles 8, 11, 25–39, and 42 and 43;

(b) the obligations of the certification body referred to in Articles 42 and 43;

(c) the obligations of the monitoring entity referred to in Article 41(4);

5. Violations of the following are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 20,000,000 and, in the case of a company, up to 4% of its total annual worldwide turnover from the previous fiscal year, with the higher amount applying:

(a) the basic principles of processing, including the conditions for consent, as referred to in Articles 5, 6, 7, and 9;

(b) the rights of data subjects referred to in Articles 12–22;

(c) the transfer of personal data to a recipient in a third country or to an international organization, as referred to in Articles 44–49;

(d) any obligations arising under the law of a Member State adopted pursuant to Chapter IX;

(e) failure to comply with an order, a provisional or definitive restriction on processing, or a suspension of data flows issued by a supervisory authority pursuant to Article 58(2), or failure to provide access resulting in a breach of Article 58(1).

6. Failure to comply with an order issued by the supervisory authority pursuant to Article 58(2) shall, pursuant to paragraph 2 of this Article, be subject to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher.

7. Without prejudice to the supervisory authority’s remedial powers referred to in Article 58(2), each Member State may determine whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of the powers entrusted to it under this Article shall be subject to adequate procedural safeguards in accordance with Union and Member State law, including the right to an effective judicial remedy and to a fair trial.

9. If the legal system of a Member State does not provide for administrative fines, this Article may be applied in such a way that the competent supervisory authority requests the imposition of a fine, and it is imposed by a competent national court, provided that the effectiveness of those legal remedies and the equivalence of their effect to an administrative fine imposed by a supervisory authority are ensured. The fines imposed must in any event be effective, proportionate, and dissuasive. Within the time limit set out in Article 91(2), such Member States shall notify the Commission of the provisions of their law which they have adopted in accordance with this paragraph by 25 May 2018, and thereafter without delay of any subsequent acts amending or changes affecting those provisions.