HomeInsightsArticle 29 Data Protection Working Party adopts Guidelines on application and setting of administrative fines for purposes of General Data Protection Regulation (2016/679/EU)


+44 (0)20 7612 9612

The Working Party explains that under the new GDPR, data controllers and data processors have “increased responsibilities” to ensure that personal data of individuals is protected effectively.  Supervisory authorities have powers to ensure that the principles of the GDPR, as well as the rights of the individuals, are upheld according to the wording and the spirit of the Regulation.  In fact, the GDPR significantly increases the amount by which a data controller can be fined.  Data processors can also now be fined.  The maximum fine is €20 million or 4% of annual worldwide turnover, whichever is the higher.

The Working Party says that consistent enforcement of the data protection rules is central to a harmonised data protection regime.  Administrative fines are a central element in the new enforcement regime introduced by the GDPR, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by Article 58.

The Working Party says that the Guidelines are intended for use by the supervisory authorities to “ensure better application and enforcement of the Regulation”.  The document expresses the supervisory authorities’ common understanding of the provisions of Article 83, as well as its interaction with Articles 58 and 70 and their corresponding Recitals.

The Working Party explains that the Guidelines are not exhaustive, neither do they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.  However, in order to achieve a consistent approach to the imposition of the administrative fines, the European Data Protection Board and individual supervisory authorities have agreed to use the Guidelines as a common approach.  To access the Guidelines, click here.