General Data Protection Regulation (GDPR)

7.

Enforcement, Remedies, and Penalties

7.1.

Supervisory Authorities

7.1.1.

Role and Powers

7.1.1.1.

Independence Requirements

7.1.1.1.1.

Institutional Independence

7.1.1.1.2.

Financial Independence

7.1.1.1.3.

Operational Independence

7.1.1.2.

Investigative Powers

7.1.1.2.1.

Information Orders

7.1.1.2.2.

Inspection Powers

7.1.1.2.3.

Access to Premises

7.1.1.2.4.

Access to Data and Equipment

7.1.1.2.5.

Obtaining Copies

7.1.1.3.

Corrective Powers

7.1.1.3.1.

Warnings and Reprimands

7.1.1.3.2.

Processing Orders

7.1.1.3.3.

Rectification Orders

7.1.1.3.4.

Restriction Orders

7.1.1.3.5.

Certification Withdrawal

7.1.1.3.6.

Administrative Fines

7.1.1.3.7.

Processing Bans

7.1.1.4.

Authorisation and Advisory Powers

7.1.1.4.1.

Prior Consultation

7.1.1.4.2.

Certification Schemes

7.1.1.4.3.

Codes of Conduct

7.1.1.4.4.

7.1.2.

Cooperation and Consistency Mechanism

7.1.2.1.

European Data Protection Board

7.1.2.1.1.

Composition and Structure

7.1.2.1.2.

Decision-Making Process

7.1.2.1.3.

Binding Decisions

7.1.2.2.

Cross-Border Processing Cases

7.1.2.2.1.

Lead Supervisory Authority

7.1.2.2.2.

Relevant Supervisory Authorities

7.1.2.2.3.

One-Stop-Shop Mechanism

7.1.2.3.

Mutual Assistance

7.1.2.3.1.

Information Exchange

7.1.2.3.2.

Operational Support

7.1.2.3.3.

Joint Operations

7.1.2.4.

Dispute Resolution

7.1.2.4.1.

Consistency Mechanism

7.1.2.4.2.

Binding Decisions

7.1.2.4.3.

Emergency Procedures

7.2.

Remedies, Liability, and Penalties

7.2.1.

Right to Lodge Complaint

7.2.1.1.

Complaint Procedures

7.2.1.2.

Supervisory Authority Choice

7.2.1.3.

Complaint Handling

7.2.2.

Right to Effective Judicial Remedy

7.2.2.1.

Against Supervisory Authority

7.2.2.2.

Against Controller or Processor

7.2.2.3.

Court Jurisdiction

7.2.2.4.

7.2.3.

Right to Compensation and Liability

7.2.3.1.

Material Damage

7.2.3.2.

Non-Material Damage

7.2.3.3.

Burden of Proof

7.2.3.4.

Liability of Controllers and Processors

7.2.3.4.1.

Controller Liability

7.2.3.4.2.

Processor Liability

7.2.3.4.3.

Exemption Conditions

7.2.3.5.

Joint and Several Liability

7.2.3.5.1.

Multiple Controllers

7.2.3.5.2.

Controller-Processor Chains

7.2.3.5.3.

Contribution Rights

7.2.4.

Representation of Data Subjects

7.2.4.1.

Not-for-Profit Bodies

7.2.4.2.

Mandates from Data Subjects

7.2.4.3.

Collective Actions

7.3.

Administrative Fines

7.3.1.

7.3.1.1.

Lower-Level Infringements

7.3.1.1.1.

Maximum 10 Million EUR

7.3.1.1.2.

2% Annual Turnover

7.3.1.1.3.

Technical and Organisational Measures

7.3.1.1.4.

Processor Obligations

7.3.1.1.5.

Certification Body Obligations

7.3.1.1.6.

Monitoring Body Obligations

7.3.1.2.

Higher-Level Infringements

7.3.1.2.1.

Maximum 20 Million EUR

7.3.1.2.2.

4% Annual Turnover

7.3.1.2.3.

Processing Principles

7.3.1.2.4.

Data Subject Rights

7.3.1.2.5.

International Transfers

7.3.1.2.6.

Legal Obligations

7.3.2.

Criteria for Imposing Fines

7.3.2.1.

Nature, Gravity, and Duration of Infringement

7.3.2.1.1.

Data Categories Affected

7.3.2.1.2.

Number of Data Subjects

7.3.2.1.3.

7.3.2.1.4.

Duration of Infringement

7.3.2.2.

Intentional or Negligent Character

7.3.2.2.1.

Deliberate Actions

7.3.2.2.2.

Negligent Behavior

7.3.2.2.3.

Knowledge of Infringement

7.3.2.3.

Mitigating and Aggravating Factors

7.3.2.3.1.

Cooperation with Authority

7.3.2.3.2.

Previous Infringements

7.3.2.3.3.

Technical and Organisational Measures

7.3.2.3.4.

Adherence to Codes of Conduct

7.3.2.3.5.

Financial Benefits

7.3.2.3.6.

Vulnerable Data Subjects

7.3.3.

Fine Calculation Methodology

7.3.3.1.

Turnover Assessment

7.3.3.2.

Proportionality Principle

7.3.3.3.

Deterrent Effect

7.3.4.

Public Undertakings

7.3.4.1.

State Aid Considerations

7.3.4.2.

Public Body Treatment

Previous

6. International Data Transfers

Go to top

Next

8. Special Categories and Specific Processing Situations