GDPR introduces two tiers of fines:
(i) Non-severe infringements: For controllers and processors, these constitute violations of Articles 8 (Conditions applicable to a child's consent in relation to information society services), 11 (Processing which does not require identification), 25-39 (Data protection by design and default, joint controllers, representatives of controllers and processors not established in the Union, processor, processing under the authority of the controller or processor, records of processing activities, cooperation with the supervisory authority, security of processing, notification of a data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, prior consultation, Data Protection Officer) and 43 (Certification bodies). These violations can incur fines up to 2% of the total worldwide annual turnover of the past financial year or 10,000,000 EUR, whichever is higher.
(ii) Severe infringements: Violations of the basic principles for processing, including conditions for consent (Articles 5, 6, 7 and 9), the data subjects' rights (Articles 12 to 22), the transfers of personal data to a recipient in a third country or an international organization (Articles 44-49), non-compliance with Member State Law adopted under Chapter IX, non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the Supervisory Authority (Art. 58 (2)) or failure to provide access (Art. 58 (1)).
These violations can incur fines up to 4% of the total worldwide annual turnover of the past financial year or 20,000,000 EUR, whichever is higher.