GDPR : Article 84 - Penalties

by Sneha Naskar

In an era where data is often referred to as the "new oil," protecting individuals' privacy and data has become paramount. The General Data Protection Regulation (GDPR) is a comprehensive data protection framework that was introduced to ensure the privacy and security of personal data across the European Union. Article 84 of the GDPR addresses penalties for violations, emphasizing the seriousness of adhering to data protection rules. In this blog post, we will delve into the intricacies of Article 84 and explore the penalties it imposes on organizations that fail to comply with GDPR regulations.

Article 83: Administrative Fines

The Purpose of GDPR

Before delving into Article 84, it's crucial to understand the overarching purpose of the GDPR. The GDPR, which came into effect on May 25, 2018, seeks to harmonize data protection laws across EU member states and provide individuals with greater control over their personal data. It places obligations on organizations that collect and process personal data, aiming to protect the fundamental rights and freedoms of individuals in an increasingly data-driven world.

Article 83: Administrative Fines

Article 84 of the GDPR is closely linked to Article 83, which outlines the various violations and corresponding administrative fines that can be imposed on organizations. These fines can be substantial and are designed to act as a deterrent against data protection breaches. Article 83 sets out two categories of fines: lower-level fines and higher-level fines.

Lower-Level Fines

Lower-level fines, as defined in Article 83(4) of the GDPR, can be imposed for less severe violations. These fines can go up to €10 million or 2% of the organization's global annual turnover, whichever is higher. Lower-level fines can be applied in cases such as not maintaining proper records, failing to notify a data breach to the supervisory authority, or not conducting a Data Protection Impact Assessment (DPIA) when required.

Higher-Level Fines

For more serious violations, Article 83(5) specifies higher-level fines. These can reach up to €20 million or 4% of the organization's global annual turnover, again, whichever is higher. Higher-level fines are reserved for breaches of the core principles of data processing, such as consent, transparency, data subject rights, and data security. Failure to obtain adequate consent or a severe data breach, for instance, can lead to substantial penalties.

Factors Considered in Imposing Fines

The GDPR allows supervisory authorities to take several factors into account when determining the appropriate fine for a data protection violation. These factors include:

  • The nature, gravity, and duration of the violation: More severe violations are likely to result in higher fines.
  • The intentional or negligent character of the violation: Deliberate breaches may be subject to more substantial penalties.
  • Mitigation and corrective actions taken by the organization: Swift and effective responses to breaches may reduce fines.
  • Previous violations by the organization: A history of non-compliance can lead to higher fines.
  • Cooperation with supervisory authorities: Being transparent and cooperative can positively influence the penalty.
  • Categories of personal data affected: Violations involving sensitive data typically result in more severe penalties.
GDPR Implementation Toolkit

The Role of Data Protection Officers (DPOs)

To ensure compliance with the GDPR and avoid penalties, organizations are encouraged to appoint Data Protection Officers (DPOs). DPOs are responsible for overseeing data protection efforts within an organization, advising on compliance, and acting as a point of contact between the organization, data subjects, and supervisory authorities. A well-qualified DPO can help organizations navigate the complexities of GDPR and minimize the risk of violations.

The Right to be Forgotten

One of the essential rights enshrined in the GDPR is the right to be forgotten (Article 17). This right allows individuals to request the erasure of their personal data when certain conditions are met. Failure to comply with such requests can result in substantial fines. Organizations must have robust procedures in place to handle requests for data erasure promptly and effectively.

Data Breach Notifications

Article 33 of the GDPR mandates organizations to report data breaches to supervisory authorities without undue delay, and where feasible, not later than 72 hours after becoming aware of the breach. Failing to notify a data breach can result in fines, and the severity of the fine depends on the nature and impact of the breach.

International Data Transfers

GDPR also impacts organizations outside the EU that process EU citizens' data. Article 44 states that organizations must ensure an adequate level of data protection when transferring data outside the EU. Failure to do so can lead to fines. The GDPR's impact extends globally, emphasizing the importance of data protection compliance on a global scale.


Article 84 of the GDPR serves as a reminder of the seriousness with which data protection is regarded in today's digital age. The potential penalties are substantial, reflecting the need for organizations to take data protection seriously. Compliance with the GDPR is not merely a legal requirement; it is a commitment to safeguarding individuals' privacy and data rights. Organizations that prioritize data protection and invest in robust data management systems and practices not only mitigate the risk of fines but also build trust with their customers. In a world where data breaches are increasingly common, GDPR compliance is not an option but a necessity.


GDPR Implementation Toolkit