In some cases, a violation of the General Regulation results in a fine. Not every violation of the General Regulation leads to a fine, however: the administrator may instead, for example, be warned that an intended processing operation is likely to breach the General Regulation, or an administrator whose processing operation has violated the General Regulation may be reprimanded or may be ordered to comply with the data subject's request. Administrators may also be ordered, among other things, to bring their processing into compliance with the General Regulation.
Administrative fines are imposed on a case-by-case basis. When deciding whether to impose an administrative fine, and when deciding on its amount in an individual case, due regard is given to the following circumstances:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
- whether the infringement was committed intentionally or negligently;
- steps taken by the administrator or processor to mitigate damage to data subjects;
- the degree of responsibility of the administrator or processor, taking into account the technical and organisational measures they have implemented;
- all relevant prior infringements by the administrator or processor;
- the degree of cooperation with the supervisory authority in remedying the infringement and mitigating its possible adverse effects;
- the category of personal data affected by the breach;
- the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the administrator or processor notified the infringement themselves;
- where measures have been previously imposed on the administrator or processor in relation to the same subject matter, the fulfillment of those measures;
- compliance with approved codes of conduct or an approved certification mechanism; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
The amount of the fine falls into one of two tiers according to the obligation the administrator has breached. A fine of up to EUR 10 000 000 (or, in the case of an undertaking, up to 2% of its total worldwide annual turnover) or of up to EUR 20 000 000 (or, in the case of an undertaking, up to 4% of its total worldwide annual turnover) may be imposed. The division into two tiers reflects the importance of the breached obligations: the higher tier covers obligations whose breach is expected to interfere more seriously with the right to the protection of personal data guaranteed by the General Regulation.