Article 83 of the GDPR: General conditions for imposing administrative fines

Article 83 of the GDPR defines the rules for imposing administrative fines in case of non-compliance with the regulation. It sets out the criteria for evaluating infringements and provides for fines of up to 20 million euros or 4% of global annual turnover.

Article 83 of the GDPR explained

The article provides:

  • Proportionate, dissuasive and effective administrative fines;
  • Assessment criteria such as the nature of the infringement, its intentional nature, the measures taken to mitigate the damage, or cooperation with the supervisory authority;
  • Two severity levels:
    • Up to 10 million € or 2% of turnover for procedural obligations (register, subcontractors, DPO...);
    • Up to 20 million € or 4% of turnover for people's fundamental rights (lawfulness, consent, transfer...).

This makes it a central lever for sanction and deterrence in data protection.

Why is this article important for your GDPR compliance?

It highlights the major financial risk for any company that does not comply with the GDPR. Supervisory authorities, such as the CNIL, have the means to impose sanctions proportionate to the breaches observed, and they have wide discretion in doing so.

How to comply with Article 83 of the GDPR?

  • Implement rigorous and continuous GDPR governance (register, audits, DPO, documentation);
  • Deploy corrective actions as soon as a breach is identified;
  • Cooperate fully with the supervisory authority in the event of an inspection or complaint;
  • Raise your teams' awareness of the risks associated with non-compliance, and train them regularly.

Examples of application of Article 83 of the GDPR

  • A company is fined up to 3% of its turnover for having processed data without a legal basis;
  • An SME receives a reduced fine for actively cooperating with the CNIL after a data leak;
  • A start-up is penalized for not having kept a processing register.
