Fines and Penalties (Article 83)
Article 83 of the General Data Protection Regulation (GDPR) establishes the framework for administrative fines that supervisory authorities can impose on organizations that violate data protection rules. It introduces a two-tiered system of penalties designed to ensure compliance is taken seriously.
**Tier 1 Fines:** Infringements of certain obligations can result in fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These apply to violations of the obligations of controllers and processors (Articles 8, 11, 25-39, 42 and 43), certification bodies (Articles 42 and 43), and monitoring bodies (Article 41(4)).
**Tier 2 Fines:** More serious infringements can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. These apply to violations of the basic processing principles (Articles 5, 6, 7, 9), data subjects' rights (Articles 12-22), the international transfer provisions (Articles 44-49), obligations under Member State law adopted under Chapter IX, and non-compliance with supervisory authority orders.
When determining the amount of a fine, supervisory authorities must consider several factors including: the nature, gravity, and duration of the infringement; whether the violation was intentional or negligent; actions taken to mitigate damage; degree of responsibility considering technical and organizational measures implemented; any previous infringements; the level of cooperation with the supervisory authority; categories of personal data affected; how the infringement was brought to the authority's attention (particularly whether the organization self-reported); adherence to approved codes of conduct or certification mechanisms; and any aggravating or mitigating factors such as financial benefits gained from the violation. Article 83 also requires that fines be effective, proportionate, and dissuasive in each individual case. Member States may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies. This provision ensures that penalties serve both as punishment for non-compliance and as a deterrent against future violations, reinforcing the GDPR's commitment to robust data protection enforcement across the European Union.
Fines and Penalties under Article 83 GDPR – A Comprehensive Guide
Introduction
Article 83 of the General Data Protection Regulation (GDPR) is one of the most significant provisions in European data protection law. It establishes the framework for administrative fines that supervisory authorities can impose on controllers and processors who violate the GDPR. Understanding this article is essential for anyone preparing for the CIPP/E certification exam, as it is frequently tested and underpins the enforcement mechanism of the entire regulation.
Why Is Article 83 Important?
Before the GDPR became applicable on 25 May 2018, data protection fines across the EU were relatively modest and varied enormously between Member States. The previous Data Protection Directive (95/46/EC) did not harmonise penalties, so enforcement was inconsistent and often viewed as lacking teeth. Article 83 changed this landscape dramatically by introducing substantial, harmonised fines designed to ensure compliance across all Member States.
The importance of Article 83 can be summarised as follows:
• Deterrence: The scale of fines—up to €20 million or 4% of global annual turnover—sends a powerful message that non-compliance carries serious financial consequences.
• Harmonisation: By establishing uniform criteria for fines across the EU, Article 83 promotes consistent enforcement and a level playing field for organisations operating across borders.
• Accountability: Article 83 reinforces the GDPR's accountability principle by ensuring that organisations cannot simply ignore their obligations without consequences.
• Proportionality: The article requires supervisory authorities to ensure that fines are effective, proportionate, and dissuasive in each individual case, not arbitrary.
• Rights Protection: Ultimately, the fine regime protects the fundamental rights and freedoms of data subjects by incentivising organisations to take data protection seriously.
What Is Article 83?
Article 83 sets out the general conditions for imposing administrative fines for infringements of the GDPR. It is structured into several key sub-articles:
Article 83(1) – General Requirements
Each supervisory authority shall ensure that the imposition of administrative fines shall in each individual case be effective, proportionate, and dissuasive. This three-part test is a guiding principle that supervisory authorities must apply every time they consider a fine.
Article 83(2) – Criteria for Determining Fines
This is one of the most critical sub-sections for the CIPP/E exam. Article 83(2) lists the factors that supervisory authorities must consider when deciding whether to impose a fine and how much it should be. These factors include:
a) Nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing, the number of data subjects affected, and the level of damage suffered.
b) Intentional or negligent character of the infringement – deliberate violations are treated more severely.
c) Actions taken to mitigate damage – any steps the controller or processor has taken to reduce the harm to data subjects.
d) Degree of responsibility – considering the technical and organisational measures implemented pursuant to Articles 25 (data protection by design and by default) and 32 (security of processing).
e) Previous infringements – any relevant history of non-compliance by the controller or processor.
f) Degree of cooperation with the supervisory authority to remedy the infringement and mitigate its adverse effects.
g) Categories of personal data affected – infringements involving special categories of data (Article 9) or criminal conviction data (Article 10) may attract higher fines.
h) How the infringement became known to the supervisory authority – in particular, whether the controller or processor notified the infringement voluntarily.
i) Compliance with previous measures – whether the controller or processor has previously been subject to corrective measures under Article 58(2) and whether they complied.
j) Adherence to approved codes of conduct (Article 40) or approved certification mechanisms (Article 42).
k) Any other aggravating or mitigating factor, including financial benefits gained, or losses avoided, directly or indirectly from the infringement.
Article 83(3) – Multiple Infringements
If a controller or processor intentionally or negligently infringes several provisions of the GDPR in respect of the same or linked processing operations, the total amount of the fine shall not exceed the amount specified for the gravest infringement. This is an important cap that prevents cumulative fines from becoming disproportionate.
Article 83(4) – Lower Tier Fines (Up to €10 Million / 2%)
Infringements of certain provisions attract fines of up to €10,000,000 or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. These provisions include obligations of:
• The controller and processor (Articles 8, 11, 25–39, 42, 43)
• The certification body (Articles 42, 43)
• The monitoring body (Article 41(4))
Key examples include: conditions for children's consent (Article 8), data protection by design and by default (Article 25), joint controllers (Article 26), processors (Articles 28, 29), records of processing activities (Article 30), security of processing (Article 32), data protection impact assessments (Article 35), prior consultation (Article 36), designation of a DPO (Articles 37–39), and certification (Articles 42, 43).
Article 83(5) – Upper Tier Fines (Up to €20 Million / 4%)
More serious infringements attract fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. These provisions include:
• Basic principles for processing, including conditions for consent (Articles 5, 6, 7, 9)
• Data subjects' rights (Articles 12–22)
• Transfers of personal data to third countries or international organisations (Articles 44–49)
• Any obligations under Member State law adopted under Chapter IX
• Non-compliance with an order, a temporary or definitive limitation on processing, or a suspension of data flows imposed by the supervisory authority under Article 58(2), or failure to provide the supervisory authority with access in violation of Article 58(1)
Article 83(6) – Non-Compliance with Supervisory Authority Orders
Non-compliance with an order by a supervisory authority under Article 58(2) can attract the upper-tier fine of up to €20 million or 4% of global annual turnover.
Article 83(7) – Member State Discretion for Public Authorities
Each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. This means some countries may exempt or limit fines for public sector organisations.
Article 83(8) – Procedural Safeguards
The exercise of powers by the supervisory authority shall be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process.
Article 83(9) – Member States Without Administrative Fining Systems
Where a Member State's legal system does not provide for administrative fines (e.g., Denmark and Estonia initially), the article allows the fine to be initiated by the supervisory authority and imposed by national courts, provided the effect is equivalent.
How Does Article 83 Work in Practice?
In practice, supervisory authorities follow a structured process when imposing fines:
1. Investigation: The supervisory authority investigates a potential infringement, often triggered by a complaint, a data breach notification, or its own initiative.
2. Assessment of Infringement: The authority determines which GDPR provisions have been violated and whether the infringement falls under the lower tier (Article 83(4)) or upper tier (Article 83(5)).
3. Application of Article 83(2) Criteria: The authority systematically evaluates all the factors listed in Article 83(2) to determine the appropriate fine amount. This includes examining the nature, gravity, and duration of the violation; whether it was intentional or negligent; what mitigation steps were taken; the organisation's compliance history; and other relevant factors.
4. Proportionality Check: The authority ensures the fine is effective, proportionate, and dissuasive in line with Article 83(1).
5. Decision and Publication: The fine is imposed, and in many jurisdictions, the decision is published, which adds a reputational dimension to the penalty.
6. Appeal: The controller or processor may challenge the fine through judicial proceedings, as guaranteed by Article 83(8) and Article 78 (right to an effective judicial remedy against a supervisory authority).
The EDPB Guidelines on Fines
The European Data Protection Board (EDPB) has issued guidelines on the calculation of administrative fines under the GDPR (Guidelines 04/2022). These guidelines provide a five-step methodology:
Step 1: Identify the processing operations and evaluate the application of Article 83(3) (multiple infringements).
Step 2: Find the starting point for the calculation by classifying the infringement under the applicable tier (Article 83(4), (5) or (6)), assessing its seriousness (nature, gravity, and duration), and taking the undertaking's turnover into account.
Step 3: Consider aggravating and mitigating circumstances from the Article 83(2) factors.
Step 4: Identify the applicable legal maximums (lower or upper tier) and ensure the fine does not exceed them.
Step 5: Assess whether the final calculated amount meets the requirements of being effective, proportionate, and dissuasive, and adjust if necessary.
Notable Examples of Article 83 Fines
Understanding real-world examples helps contextualise Article 83:
• Amazon (Luxembourg, 2021): €746 million for violations related to targeted advertising without proper consent – the largest GDPR fine at the time it was issued.
• Meta/Facebook (Ireland, 2023): €1.2 billion for unlawful transfers of personal data to the United States in violation of Articles 44–49.
• Google (France, 2019): €50 million for lack of transparency and inadequate consent mechanisms for personalised advertising.
• British Airways (UK, 2020): £20 million for inadequate security measures leading to a data breach affecting approximately 400,000 customers.
• H&M (Germany, 2020): €35.3 million for excessive surveillance of employees.
These examples demonstrate that supervisory authorities are willing to impose substantial fines and that the full range of Article 83(2) criteria is applied when the amount is set.
Key Distinctions to Remember
• Lower Tier vs. Upper Tier: The lower tier (€10 million/2%) applies to more operational and procedural obligations (e.g., DPO appointment, records of processing, DPIAs, security measures). The upper tier (€20 million/4%) applies to fundamental principles, data subject rights, and international transfers.
• "Whichever is higher": The fine is the greater of the fixed amount (€10 million or €20 million) or the percentage of turnover. For large multinationals, the percentage of turnover will typically be the higher figure.
• Undertaking: The concept of "undertaking" under EU competition law may apply, meaning the turnover of an entire corporate group—not just the individual entity—could be relevant when calculating the percentage-based fine.
• Fines vs. Other Corrective Measures: Article 83 operates alongside the full range of corrective powers in Article 58(2), which include warnings, reprimands, orders to comply, processing bans, and orders to communicate data breaches to data subjects. A supervisory authority may impose a fine in addition to, or instead of, other corrective measures.
• Article 84 – Other Penalties: Article 84 requires Member States to lay down rules on other penalties (which may include criminal penalties) for infringements of the GDPR, in particular those not subject to administrative fines under Article 83. This means that in some Member States, data protection violations can lead to criminal prosecution in addition to administrative fines.
Relationship with Other GDPR Provisions
Article 83 does not operate in isolation. Key related provisions include:
• Article 58(2): Corrective powers of supervisory authorities (which may be used alongside or instead of fines).
• Article 77: Right of data subjects to lodge a complaint with a supervisory authority.
• Article 78: Right to an effective judicial remedy against a supervisory authority.
• Article 79: Right to an effective judicial remedy against a controller or processor.
• Article 82: Right to compensation – data subjects can claim compensation for material or non-material damage resulting from a GDPR infringement. This is separate from Article 83 fines.
• Article 84: Penalties for infringements not covered by Article 83.
Exam Tips: Answering Questions on Fines and Penalties (Article 83)
The CIPP/E exam frequently tests Article 83. Here are targeted strategies for success:
1. Memorise the Two Tiers
You must know the distinction between lower-tier and upper-tier fines. A helpful mnemonic: "Principles, Rights, and Transfers are top tier." If a question involves violations of core processing principles (Articles 5, 6, 7, 9), data subject rights (Articles 12–22), or international transfers (Articles 44–49), the answer is the upper tier (€20 million/4%). If it involves operational obligations like record-keeping, DPIAs, DPO requirements, or security measures, it is the lower tier (€10 million/2%).
2. Remember "Effective, Proportionate, and Dissuasive"
This three-part test from Article 83(1) is a favourite exam topic. If a question asks about the overarching principle governing fines, this is the answer.
3. Know the Article 83(2) Criteria
You do not need to recite all 11 factors verbatim, but you should recognise them. Focus on the most frequently tested ones: intentional vs. negligent character, nature/gravity/duration, mitigation steps taken, degree of cooperation, previous infringements, and categories of data affected.
4. Understand the "Whichever Is Higher" Rule
Exam questions may test whether you understand that the fine is the higher of the fixed amount or the percentage of turnover. For a multinational with €10 billion in annual turnover, 4% (€400 million) far exceeds the €20 million cap, so the percentage applies.
5. Watch for Public Authority Exceptions
Article 83(7) allows Member States to determine whether public authorities can be fined. Some exam questions may present a scenario involving a government body and ask whether a fine can be imposed—the answer depends on the Member State's implementation.
6. Distinguish Fines from Compensation
Article 83 fines are paid to the supervisory authority (or the state), not to the data subject. Data subjects seeking financial redress must use Article 82 (right to compensation). This distinction is commonly tested.
7. Multiple Infringements Rule
Under Article 83(3), if the same processing operation violates multiple GDPR provisions, the total fine cannot exceed the amount for the gravest infringement. This prevents "stacking" of fines. Be prepared for scenario questions where an organisation has committed several violations simultaneously.
8. Read Questions Carefully for Specific Article Numbers
Exam questions may reference specific GDPR articles to test whether you know which tier they fall under. For example, a question about a violation of Article 25 (data protection by design) would fall under the lower tier, while a violation of Article 17 (right to erasure) would fall under the upper tier.
9. Non-Compliance with Supervisory Authority Orders
Remember that failing to comply with an order from a supervisory authority under Article 58(2) triggers the upper-tier fine, regardless of the nature of the original infringement. This is a commonly tested point.
10. Article 84 – Don't Confuse with Article 83
Article 84 deals with other penalties (including criminal penalties) imposed by Member States. It is separate from the administrative fines regime under Article 83. If a question asks about criminal sanctions for GDPR violations, the answer relates to Article 84 and national law, not Article 83.
11. Practice Scenario-Based Questions
The CIPP/E exam often presents scenarios and asks you to identify the correct fine tier or the relevant mitigating/aggravating factors. Practice applying the Article 83(2) criteria to hypothetical situations. Ask yourself: Was the infringement intentional or negligent? How many data subjects were affected? What steps did the organisation take after the infringement?
12. The Concept of "Undertaking"
Be aware that the percentage-based fine is calculated on the turnover of the entire undertaking (corporate group), not just the individual legal entity. This can significantly increase the potential fine for subsidiaries of large multinational corporations.
13. Time Management
Article 83 questions are usually straightforward if you know the tiers and criteria. Don't spend too long deliberating—if you know the provision that was violated, you can quickly determine which tier applies and move on.
Summary
Article 83 is the enforcement backbone of the GDPR. It establishes a two-tier system of administrative fines designed to be effective, proportionate, and dissuasive. The lower tier (€10 million/2% of global turnover) covers operational and procedural obligations, while the upper tier (€20 million/4% of global turnover) covers fundamental principles, data subject rights, international transfers, and non-compliance with supervisory authority orders. Supervisory authorities must consider a comprehensive set of criteria when determining fines, including the nature, gravity, and duration of the infringement, the intentional or negligent character of the violation, and any mitigating actions taken. For the CIPP/E exam, mastering the distinction between the two tiers, understanding the Article 83(2) criteria, and being able to apply them to scenarios will put you in a strong position to answer questions on this topic confidently and accurately.