GDPR fines or penalties can range from warnings to fines worth millions of dollars or, in extreme cases, jail time. Even if a business doesn’t operate in the European Union (EU), it’s not immune to such penalties if it processes the personal data of EU citizens.
While complying with these regulations may sound challenging at first, we’re here to help. In this article, you’ll learn all about GDPR fines, common reasons businesses get them, and the best compliance tips to prevent them.
Ensure GDPR compliance on Shopify and prevent fines by adopting a cookie banner, automatically collecting user consents, and more with one app
Try TinyCookie nowWho can be fined by the GDPR?
GDPR can fine any company or individual who has to comply with the regulation. This includes:
- Businesses and individuals from the EU. Businesses or projects that operate in any member country of the European Union must comply with GDPR.
- Businesses and individuals that process EU citizen data. Even if your business or project isn’t from any member of the European Union but still processes data of EU citizens, GDPR applies to your business. For example, if a business operates in California but collects data of Europeans, it can still be fined for non-compliance with GDPR.
Types of GDPR fines and penalties
Non-compliance doesn’t immediately result in the largest fine. The penalty depends on the severity of the case. So, here are different fines or penalties that GDPR applies:
1. Reprimand or warning for minor violations
If it’s a minor GDPR violation and it hasn’t harmed website visitors in a significant way, then the company is likely to get a warning or reprimand first. However, in case of a more severe infringement, it may get a reprimand on top of a monetary fine.
2. Ban on personal data processing
According to the European Commission, if the company adopts unlawful data handling practices, this can result in a temporary processing ban. In extreme cases, the ban can become permanent, which could potentially lead the non-compliant business to cease operations.
3. Administrative fines
Fines depend on the severity of GDPR infringements, according to the official GDPR site. For less serious violations, businesses can get a fine of up to €10 million (around $11 million), or 2% of the firm’s global annual revenue from the previous financial year (depending on which one is higher). Some examples of violations that could result in such fines include:
- Not adhering to data protection rules or lawful basis for processing
- Not appointing a data protection officer (DPO)
- Not keeping records regarding data processing
Meanwhile, more severe infringements can cost a business up to €20 million (roughly $22 million), or 4% of the firm’s global annual revenue from the previous financial year (depending on which one is higher). Here are a few examples of when a business could get a fine this size:
- Not getting user consent for collecting personal data
- Violating user rights
- Data leak
- Not deleting user data when required by law (for example, when asked by the data subject)
- Transferring data to third countries without complying with GDPR
4. Jail time
While such cases are extremely rare, non-compliance with GDPR could potentially lead to jail time.
For example, in 2021, the Danish Data Protection Authority reviewed documentation from the Municipality of Helsingør and decided to ban personal data processing using Google Chromebooks and Workspace for education.
According to the Danish Data Protection Agency, in case of failure to adhere, “Violation of a ban announced by the Danish Data Protection Authority is punishable… with a fine or imprisonment of up to 6 months, cf. section 41, subsection 1” (Translated from Danish).
Common reasons for GDPR penalties
According to the GDPR fines database by the International Network of Privacy Law Professionals (INPLP), common reasons why businesses get fines or penalties include:
- Lack of legal basis for processing user data
- Failure to adhere to data subject rights (such as not letting users access, delete, or correct information)
- Failure to protect the personal data of customers (including unauthorized access to user data or data breach)
- Not getting user consent for processing data
- Storing data for an excessive duration
- Violating the right to know – not providing transparent information about data collection practices
- Failure to ensure ongoing confidentiality of personal data
- Sending unauthorized messages, including marketing messages, without consent
- Personal data processing for purposes that weren’t originally intended
- Video surveillance usage without a legal basis
However, these are not the only violations that could result in a fine. Keep in mind that GDPR penalties and fines apply to businesses of any size that aren’t compliant with the regulation.
How to prevent GDPR fines?
Preventing GDPR fines involves meeting such requirements as obtaining and collecting user consent, providing withdrawal options, informing about data usage, protecting personal information, and more. So, here’s how to comply with GDPR on your website:
- Get a cookie consent banner. A cookie consent tool like TinyCookie on Shopify ensures each of your website visitors is informed about data usage as soon as they enter the site.
- Collect user consents. Most cookie consent tools automatically collect user consent as soon as it appears on the website.
- Write a privacy policy. Make sure you write a GDPR-compliant privacy policy that includes information about what data is collected and reasons on a legal basis, data retention period, data sharing with third parties, and more. You can use the privacy policy template provided by the GDPR project for guidance.
- Add a cookie policy. You can write a cookie policy as a separate page or a section in the privacy policy. It requires stating what users are agreeing to when they consent, what cookies are used, how to withdraw consent, and user rights.
- Adopt data protection measures. Make sure you prevent unauthorized access to data by getting employee IDs, using antivirus software, and taking other measures. You should also hire or assign a data protection officer to ensure data is always secured.
Conclusion
GDPR penalties range from warnings, reprimands, and personal data processing bans for businesses to administrative fines or even jail time.
For less severe cases, fines can be up to €10 million or 2% of the firm’s global annual revenue, depending on which is bigger. Meanwhile, more serious violations can result in fines of up to €20 million or 4% of the firm’s global annual revenue of the previous year.
The best way to prevent getting GDPR fines is by adopting a cookie consent banner like TinyCookie to collect consent as soon as users enter the website. Additionally, compliance requires adopting a privacy and cookie policy and assigning a DPO.
Frequently asked questions
The €1.2 billion ($1.3 billion) fine is the biggest GDPR fine at the time of writing and was imposed on Meta – an American multinational technology conglomerate formerly known as Facebook. The reason for the penalty was the illegal transfer of EU Facebook users' data to servers in the United States.
Google has received multiple fines due to GDPR violations. In 2021, Google LLC was fined €90 million and Google Ireland was fined €60 million due to not providing YouTube users with an easy cookie withdrawal option. Meanwhile, in 2019, Google France had to pay a €50 million fine for failure to provide transparency and obtain valid consent.
Severe infringements, including data breaches, can result in a fine of up to €20 million (roughly $22 million) or 4% of the firm’s global annual revenue from the previous financial year, depending on which one is higher.
