Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU
In addition to setting two levels of administrative fines, Article 83 of the GDPR provides criteria that national supervisory authorities must apply when setting administrative fines. On 3 October 2017, the Article 29 Working Party – a body now called the European Data Protection Board (“EDPB”) – issued guidelines (“EDPB Guidelines”) on the setting of
The purpose of this article is to consider the criteria for setting administrative fines under Article 83 of the GDPR in light of the EDPB Guidelines, case law of the CJEU and national courts. Where applicable, we will compare the criteria in Article 83(2) of the GDPR with those used in setting administrative fines for competition law violations, as well as with the methodology used by authorities in the United States for setting fines. We will also consider procedural safeguards under Article 6 of the European Convention on Human Rights.
Click here to read the full article.