惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed
小众软件
小众软件
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
Security Archives - TechRepublic
Security Archives - TechRepublic
W
WeLiveSecurity
Cloudbric
Cloudbric
博客园 - 司徒正美
美团技术团队
N
News and Events Feed by Topic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
PCI Perspectives
PCI Perspectives
宝玉的分享
宝玉的分享
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
S
Schneier on Security
N
News | PayPal Newsroom
B
Blog RSS Feed
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
S
Secure Thoughts
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tenable Blog
S
Securelist
L
LangChain Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
I
InfoQ
H
Heimdal Security Blog
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
GDPR and fines: all there is to know
Carlo Cilent · 2024-09-17 · via Blog of Simple Analytics

The GDPR has a reputation for big and scary fines. Record fines like €Meta’s 1.2 billion fine over data transfers and Amazon’s €745 million fine made the news and sparked some healthy discussion about compliance and privacy. But what are GDPR fines and how do they work exactly?

This blog explains all there is to know about GDPR fines: how they are issued and calculated, how they can be challenged, how they differ from other enforcement tools, and more. Let’s dive in!

  1. The basics
    1. What is a GDPR fine?
    2. How do you get fined under the GDPR?
    3. Who issues GDPR fines?
    4. Are fines damages?
  2. The practicalities
    1. How are GDPR fines calculated?
    2. What is the maximum for GDPR fines?
    3. Are fines public?
    4. Can you be fined over a data breach?
  3. The procedure
    1. How are GDPR fines issued?
    2. How are GDPR fines challenged?

Michelin chose Simple AnalyticsJoin them

The basics

GDPR fines are administrative acts, not rulings. This has important consequences on how fines work and how they can be challenged.

There isn’t much more to say, really. You know what a fine is: you break a rule, you get caught, you have to pay.

Any GDPR violation may lead to a fine. Organizations get fined for all sorts of reasons: illegally collecting personal data, failing to secure data transfers, implementing poor cybersecurity, failing to report a severe data breach, and so on.

Just because you can be fined over these violations, does not mean you will. Organizations sometimes get off with a warning and an order to get their compliance sorted out. This typically happens when a small organization makes an honest mistake without dire consequences on individuals.

GDPR fines are issued by data protection authorities (a.k.a. DPAs or supervisory authorities).

DPAs are administrative authorities that enforce the GDPR in their country. Every country in the EU and European Economic Area has a DPA (or several, in the case of federal States).

DPAs do more than just issuing fines. For instance, they can order an organization to temporarily stop an operation that involves the use of personal data, or even shut down such an operation for good. These sanctions can sometimes impact organizations more than fines.

Are fines damages?

Fines and damages both play an important role in GDPR enforcement but they are not the same.

Damages and fines come from different enforcers: courts award damages and DPAs issue GDPR fines. Courts and DPAs have different powers and neither can do the other’s job.

Damages and fines also have different purposes because damages are a form of compensation while fines are a tool for punishment and deterrence.

In practice, this means that individuals only have a damage claim when the mishandling of their data resulted in some sort of damage (including “non-material damage”, as we say in legalese). On the other hand, you can be fined over a violation whether you caused damage or not- just like you can get a speeding ticket without having caused a road accident.

None of this is special to the GDPR, by the way. That’s just how damages work in civil law jurisdictions.

The practicalities

The GDPR includes a really long and complex list of criteria. So, we need to grossly simplify.

One of the main criteria is the impact of the violation. Fines tend to be higher for highly harmful and impactful violations- for instance, poor cybersecurity leading to a large-scale data breach.

Other important criteria are whether the infringement is intentional, whether an organization has a history of non-compliance, and whether a violation involves sensitive data (in the specific sense of GDPR, not in the generic everyday sense).

An organizations’ behavior after a violation also matters. Fines are lower when organizations collaborate with the investigation and make an effort to correct their mistakes before the fine comes. This encourages organizations to work with DPAs towards compliance rather than wage legal war against enforcement.

Last but not least, common sense plays a crucial role. An honest mistake from a small business is not treated the same way as intentional non-compliance from a multinational corporation.

Fines are capped at €10M or 2% of annual worldwide turnover, whichever is higher. These limits are doubled for egregious violations such as the unlawful collection of sensitive data: so, the actual maximums are €20M or 4% of annual worldwide turnover.

That 4% can be a massive number for corporations because it can be calculated based on the turnover of entire corporate groups. This is how Meta got its record €1.2 billion fine: the amount was calculated on the turnover for the entire Meta group even though the case was (nominally) against Meta Platforms Ireland alone.

Are fines public?

Different jurisdictions have different rules. Some authorities publish most or all their decisions while others do not. For instance, some authorities treat publication like an additional punishment that may only be inflicted when appropriate. Others restrict the publication of the decision until it can no longer be challenged- that’s why we still cannot read the motivation for Amazon’s €746 fine.

Can you be fined over a data breach?

Yes, you can. But you don’t automatically get fined for a data breach.

The GDPR requires organizations to implement appropriate security, not perfect security. You only get fined if you did not do enough to secure the data. Conversely, you may be fined for implementing poor security even if no data breach occurs.

It is also worth mentioning that organizations must self-report serious data breaches to DPAs (and in some cases, even to the affected individuals). Failure to self-report is grounds for a fine.

The procedure

GDPR fines are issued by DPAs after an investigation. DPAs can investigate complaints or start an investigation of their own volition. In practice, most investigations follow a complaint.

Fines are regulated not only by the GDPR but also by national administrative law. The procedure for issuing a fine changes from country to country, as do the rights and role of the parties in the investigation.

The procedure for cross-border cases is more complicated because it can involve several DPAs.

The addressee of a fine has the right to have the fine reviewed by a court. This is a core principle of administrative law and holds true in every EU jurisdiction.

The procedure for challenging a fine varies greatly between jurisdictions. For instance, an administrative appeal can sometimes be available in addition to judicial review (but can never replace it). This means that the addressee of a fine can have it reviewed not only by a court, but also by an administrative body with the power to overturn the DPA's decision.

We at Simple Analytics care about privacy. This is why we do our best to explain GDPR and privacy law to everyone, without the legalese.

If you care about privacy too, why not give our web analytics tool a try? We built Simple Analytics with innovation, user-privacy, and ease of use in mind. Simple Analytics collects no personal data from your visitors and comes with a brand new AI Assistant to provide you exactly with the insights you want.

If this sounds good to you, take Simple Analytics out for a spin with our two-week trial!