• Courses
      • Executive Management Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Data Protection Academy
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Executive Management Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Data Protection Academy
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      GDPR General conditions for imposing administrative fines

      • Categories Blog, Business, Free Data Protection Resources
      • Date August 29, 2020

      Article 83 GDPR

      General conditions for imposing administrative fines

      1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

      2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

      (a)  the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

      (b)  the intentional or negligent character of the infringement;

      (c)  any action taken by the controller or processor to mitigate the damage suffered by data subjects;

      (d)  the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

      (e)  any relevant previous infringements by the controller or processor;

      (f)  the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

      (g)  the categories of personal data affected by the infringement;

      (h)  the manner in which the infringement became known to the super­ visory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

      (i)  where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

      (j)  adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

      (k)  any other aggravating or mitigating factor applicable to the circum­ stances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

      3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

      4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

      (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

      (b) the obligations of the certification body pursuant to Articles 42 and 43;

      (c) the obligations of the monitoring body pursuant to Article 41(4).

      5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:(a)  the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

      (b)  the data subjects’ rights pursuant to Articles 12 to 22;

      (c)  the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

      (d)  any obligations pursuant to Member State law adopted under Chapter IX;

      (e)  non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

      6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

      7. Without prejudice to the corrective powers of supervisory auth­orities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

      8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

      9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

      • Share:
      User Avatar
      Privacy Professor

      Professor mr drs Romeo F. Kadir MA MSc LLM LLM (Adv) EMBA EMoC

      At present Romeo Kadir serves as the President of the Global Association of Data Protection Professionals Europe (GADPPRO). GADPPRO is a thought leader self-regulatory association of data protection professionals based in the European Union, active around the globe and the first European Association of data protection professionals open for members outside the EU. Please visit www.gadppro.org for more information.

      First appointed Data Protection Officer (DPO) ever in the Netherlands (European Union) at a semi-public entity. Seasoned European Privacy and Data Protection Expert (22+ years of practical experience in EU Privacy and Data Protection Law, Business Management, Compliance and Ethics).

      Studied European and International Law, Political Sciences and Business Administration. Romeo Kadir is EIPACC EADPP Professor European Privacy & Data Protection Law at Universitas Padjadjaran UNpad (Indonesia) and Honorary Visiting Research Fellow with O.P. Jindal Global University (New Delhi), Senior Associate Fellow with Vidhi Centre for Legal Policy (New Delhi), Lecturer Science Honours Academy and Lecturer at the International Molengraaff Institute, Utrecht University (UU, Netherlands). In 2010 he was founder of the first European Data Protection Academy focusing on privacy-only executive education.

      Present Occupations in European Data Protection Law

      Member of the International Bar Association (IBA)
      Member of the International Board of Experts with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
      Member of the International Strategic Board with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
      Member of the Swiss-Chinese Law Association (SCLA)

      Former Occupations in European Data Protection Law

      President European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
      Co-Founder/Vice-President European Association for Data Protection Professionals (EADPP)
      Chair EADPP Certification Committee Data Protection Professionals,
      Chair EADPP Academic Board
      Chair EADPP Expert Committee on Cybersecurity
      Chair EADPP Expert Committee on Artificial Intelligence (AI)
      President Supervisory Board of the Dutch Privacy Complaints Office (NPKI)
      Rapporteur to UN Monitoring Commission Human Rights on behalf of the Dutch Privacy Foundation (SPN)

      Publications

      'Handbook DPO - A Practical Guide', Privacy Publishing Group (2017)
      Editor-in-Chief of ‘Data Protection Dictionary’, authored, edited and coordinated ‘Handbook for the Data Protection Officer – A practical Guide’, ‘The Ultimate GDPR Business Guide – Six Volumes’ and other relevant books in the field of privacy and data protection (www.dataprotectionbooks.com)

      www.romeokadir.eu

      Previous post

      GDPR Right to compensation and liability
      August 29, 2020

      Next post

      GDPR Penalties
      August 29, 2020

      You may also like

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3  Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2  Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1  Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2023

      GADPPRO Academy 2023

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now