Article 83 GDPR

← Article 83 - General conditions for imposing administrative fines →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 83 - General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43;

(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects' rights pursuant to Articles 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted underCHAPTER IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

Relevant Recitals

Recital 13: Harmonisation of Protection and Advantages for Small and Medium-Sized Enterprises

In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

Recital 148: Penalties

In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

Recital 149: Criminal Penalties by and for Infringements of National Rules

Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Recital 150: Administrative Fines

In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

Recital 151: Administrative Fines in Denmark and Estonia

The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recital 152: Implementation of a National Penalty System if Necessary

Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

Commentary

Article 83 GDPR introduces the administrative fine and designates the supervisory authority (“SA”) for its application. Each decision on the administrative fine must be done on a case-by-case basis. In particular, the SA shall decide whether an administrative fine is to be imposed and what its amount should be. To do so, Article 83 GPDR contains a non-exhaustive list of criteria. In any case, the fine must be effective, dissuasive and proportionate. Moreover, an explicit duty to provide adequate procedural safeguards is introduced. Finally, for jurisdictions that do not provide or otherwise admit administrative fines, a duty to introduce equally effective instruments is foreseen. In order to provide procedural consistency among different SAs in a field that directly affects controllers' rights, the EDPB adopted its Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter "the EDPB Guidelines").

(1) Administrative fine

Paragraph 1 establishes the obligation of the SA to impose an administrative fine when the controller commits an infringement referred to in the subsequent paragraphs 4, 5, and 6 of Article 83. The fine must be, in each individual case, effective, proportionate and dissuasive.

Infringement

The basic requirement for a fine is an "infringement" of the provisions listed in Article 83(4), (5) and (6) GDPR.^[1] This specifically refers to violations of Articles 8, 11, 25 to 39, 41(4), 42, 43 of the GDPR (paragraph 4), Articles 5, 6, 7, and 9, 12 to 22, 44 to 49, 58(1)(e) and (f), 58(2)(f) and (j) of the GDPR, as well as any breaches of Member State laws adopted under Chapter IX (paragraph 5), and non-compliance with any other orders issued under Article 58(2) of the GDPR (paragraph 6).

Although the GDPR refers to the concept of "infringement" as a starting point for the adoption of a fine and its quantification, the existence of one or more infringement(s) necessarily implies the existence of (at least) a sanctionable "conduct". According to the EDPB, the difference between "conduct" and "infringement" is relevant because a single sanctionable conduct can give rise to multiple infringements.^[2] A "sanctionable conduct" is an action consisting of a single processing operation or “linked processing operations”.^[3] In a simple case, a single sanctionable conduct can obviously cause a single infringement.

Example: XXX

However, one sanctionable conduct can also produce multiple infringements. In such case, two situations may arise. In a first scenario, it may be that the concurring infringements preclude each other (“apparent concurrence” or “false concurrence”) due to the principles of specialty, subsidiarity or consumption. In other words, different GDPR provisions pursue partially overlapping goals. In this case, the SA will have to identify the common rationale behind the provisions and adopt only one fine on the basis of the infringement that is most specific to the facts at issue.

EDPB: The principle of concurrence of offences (also referred to as “apparent concurrence” or “false concurrence”) applies wherever the application of one provision precludes or subsumes the applicability of the other. In other words, concurrence occurs already on the abstract level of statutory provisions. This could either be on grounds of the principle of specialty, subsidiarity or consumption, which often apply where provisions protect the same legal interest. In such cases, it would be unlawful to sanction the offender for the same wrongdoing twice.^[4]

In a second scenario, different infringements may be applicable alongside each other ("unity of action”). In this second case, as principles of specialty, subsidiarity and consumption do not apply, the controller violates with a single conduct provisions that have different purposes. Thus, the SA will have to issue separate fines, which nevertheless could not exceed the amount specified for the gravest infringement, as specified by Article 83(3).^[5]

Example: XXX

In case of multiple sanctionable conducts - i.e. different sets of processing operation without any substantial link with each other - the sanctioning procedure is governed by the principle of "plurality of actions" ("factual concurrence" or "coincidental concurrence"). The only reason why a DPA deals with these conducts in the same proceeding is administrative efficiency. Different fines should be adopted and the overall amount may exceed the amount specified for the gravest infringement, as Article 83(3) does not apply.^[6]

Example: XXX

Effective, dissuasive, and proportionate

When one or more infringements exist, the SA shall ensure that the imposition of administrative fines is effective, proportionate and dissuasive.^[7] This triad of requirements should be seen as the guiding principle not only for the issuing of a fine (Recitals 151 sentence 4 and 152 sentence 1 GDPR) but also for other types of sanctions, according to Article 84(1)(2) GDPR.

Effectiveness and dissuasiveness

The elements of effectiveness and dissuasiveness cannot be clearly distinguished from each other.^[8] The term “dissuasive” means that the fine shall have a preventive function, specifically towards the sanctioned party. However, according to the GDPR's overriding objective of effectiveness, the fine is also intended to pursue general prevention objectives.^[9] To be dissuasive, the fine must be so severe that the person responsible will refrain from further infringements, especially infringements of the same nature. Furthermore, the fine alone must ensure effective sanctioning of data protection violations with sufficient dissuasive effect. In particular, this prohibits the SAs from making the assessment of the amount of the fine dependent on or coordinated with any claims for damages under Article 82 GDPR. Otherwise, the effectiveness of the fine would no longer be ensured.^[10] The terms “dissuasive” and “effective” also introduce a lower limit for the fine. It must not be merely symbolic in nature.^[11]

Proportionality

The principle of proportionality, enshrined in EU primary law in Article 5(4) TEU and Article 52(1)(2) CFR, is also reflected in Article 83(1) GDPR.^[12] In general, a measure is proportionate if it pursues a legitimate aim, it is suitable and necessary to achieve this aim and the measure is also appropriate. The administrative fine implies an economic loss for the sanctioned company. Therefore, the economic capacity of companies must be taken into account and used as a basis for orientation.^[13] The EDPB stresses that at least three main elements should be considered in this regard. First, economic viability of the company plays a role in performing a proportionality test. Thus, the undertaking subject to the fine should provide detailed financial data. The simple fact that the undertaking is (or will be after the fine) in a poor financial situation does not necessarily mean that the fine is disproportionate. Second, an actual proof of value loss is required. In other words, to reduce the fine in light of proportionality, the value loss of the undertaking assets shall be proved, including the causal link between fine and loss. Finally, the specific social and economic context is also relevant. This third element concerns broader circumstances external to the undertaking, such as the fact that economy is going through a cyclical crisis.^[14]

(2) Discretion on whether to impose a fine and its amount

Under Article 83(2) GDPR, administrative fines shall, “depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2)”. The provision further stipulates that “when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given” to certain criteria included in a list.^[15]

In addition to, or instead of, corrective measures

Article 83(2) GDPR regulates the relationship between the administrative fine and other measures under Article 58(2) GDPR. Fines should be imposed either “in addition to” or “instead of” these measures. It is clear from this wording that a fine can either substitute or reinforce a corrective measures provided for in the GDPR. Article 83(2) sentence 2 GDPR grants the competent SA a so-called intended discretionary decision (“whether” to impose a fine) as well as a discretionary choice regarding its amount. The provision lists a non-exhaustive set of criteria to carry out the task (see below).

When deciding whether to impose an administrative fine and its amount

The SA must first decide whether to impose a fine at all. This follows from the wording of Article 83(2) GDPR, which is unambiguous in this respect (“when deciding whether to impose a fine”).^[16] The discretionary power granted in this respect is limited. In making its considerations and reaching its conclusions, the SA must take into account certain criteria listed in Article 83(2)(a)-(k) GDPR^[17]. Such criteria will also assist in quantifying the amount of the fine (see below).^[18]

Due regard shall be given to the following criteria

The criteria outlined in Article 83(2)(a-k) and explained below guide the SA in the decision on "whether" to impose a fine and determining its "amount". In general terms, these criteria can be classified into two broad categories: objective criteria related to the severity of the infringement and subjective criteria for assessing the conduct of the offender.^[19] The catalogue of assessment criteria is not exhaustive. As a matter of fact, Article 83(2)(k) GDPR contains an explicit catch-all provision.^[20] By introducing letter (k), the legislator has made it clear that the assessment criteria are not exhaustively listed. The significance of criteria that are not explicitly mentioned is rather to be measured according to general legal methodology, in particular by a systematical comparison with the listed criteria.^[21] The individual criteria are listed and commented in the following:

(a) the nature, gravity and duration of the infringement;

The elements of this criterion are self-explanatory. The term “damage” is likely to be synonymous with the term used in Article 82 GDPR. It also follows explicitly that the civil liability for damages or its successful enforcement should not lead to a reduction of the fine (rather the opposite).

(b) the intentional or negligent character of the infringement;

This criterion concerns the subjective compenent of the assessment. Like in criminal law, the more the infringement was intentional, the higher the sanction.

(c) any action taken to mitigate the damage;

With the help of this provision, the extent to which the controller or processor has acted responsibly after the occurrence of a violation, in particular whether and which remedial measures they have taken, can be assessed in a mitigating and aggravating manner.^[22] As a rule, voluntary compensation for damage can only be taken into account in a way that mitigates the penalty. Such compensation can (indirectly) constitute an admission of guilt, so that a violation of the nemo tenetur principle can be present if the lack of compensation is taken into account.

(d) the degree of responsibility taking into account Articles 25 and 32;

This criterion is intended to penalise technical negligence in data protection or the lack of special preventive measures. For the technical and organisational measures, reference is made to the commentary on Article 25 and Article 32 GDPR. This criterion can be considered a further specification of lett. (b).

(e) previous infringements;

On the one hand, this criterion is intended in particular to ensure that repeat offenders receive higher penalties in order to ensure the dissuasive effect of the fine. The wording, on the other hand, does not allow for a reduction of the penalty for first-time offenders. However, SAs may take this into account in the context of letter Article 83(2)(k) GDPR.

(f) the degree of cooperation with the supervisory authority;

This criterion has similarities with letter (c), as it also depends on positive (insightful) post-offense behaviour. However, it must be taken into account that an official measure was required to persuade the person responsible to a positive post-offense behaviour. In addition, the nemo tenetur principle must be taken into account here.

(g) the categories of personal data affected;

This criterion first takes into account the importance of the special categories of personal data within the meaning of Article 9 GDPR. The special protection of Article 10 GDPR should also be taken into account when assessing fines. However, this criterion should also allow for higher fines in case of types of data that do not fall under Articles 9, 10. Thus, other data, especially of financial nature, may be objectively or subjectively sensitive and justify an increased penalty.

(h) the manner in which the infringement became known to the supervisory authority;

Here, too, a basic principle of criminal law is reflected, according to which a voluntary notification of an infringement should in principle lead to a mitigation of the penalty. Inversely, the nemo tenetur principle must also be sufficiently taken into account here.

(i) where measures referred to in Article 58(2) have previously been ordered and complied with;

As a rule, the application of this criterion is likely to result in an increase in penalties. If the controller or processor has already been subject to measures under Article 58(2) GDPR, the controller or processor is forewarned and should already be induced to adapt its behaviour. However, this criterion is only applicable to a limited extent if a fine is imposed under Article 83(5) Var. 1 or (6) GDPR, as otherwise there could be a violation of ne bis in idem.

(j) adherence to approved codes of conduct or approved certification mechanisms; and

First, it follows from this criterion that a fine may also be imposed even if the conduct leading to the infringement complied with approved codes of conduct. The more specific the approved code of conduct and the closer the infringement to be punished is to this code of conduct, the less this criterion may be taken into account. Otherwise, there would be a violation of the prohibition of contradictory conduct by the SA. The approval of codes of conduct establishes a certain trust worthy of protection on the part of the controller or processor.

(k) any other aggravating or mitigating factor.

The last criterion listed contains a catch-all provision. Please refer to the above comments on the non-exhaustive nature of the criteria. According to Recital 150 sentence 4 GDPR, the “general level of income in the Member State” and the “economic situation of the person” should also be pondered when assessing fines on persons who are not undertakings. There is no doubt that these criteria can also be taken into account under letter Article 83(2)(k) GDPR. Moreover, these criteria must be considered anyway in the context of the proportionality principle, which must always be carried out pursuant to Article 83(1) GDPR.^[23]

(3) Multiple infringements caused by the same or linked processing operations ("unity of action")

This part of Article 83 concerns the principle of "unity of action" (see above). With Article 83(3) GDPR, the legislator has decided in favour of the principle of absorption and against the principle of accumulation for processing operations that are identical or linked. For example, “if there is an infringement of Articles 8 and 12, the graver assessment under Article 83(5) will be triggered by Article 12. Thus, Article 83 does not support the principle of accumulation of penalties but rather adheres to the principle of absorption, under which a SA has to decide which infringement is the most serious one and calculate the fine for it, and then determine the fine based on the number of infringements”.^[24] The term “linked” is to be understood narrowly. Any other interpretation would open up potential for abuse by artificially linking processing operations. Otherwise, the protective purpose of the provision to ensure consistent enforcement of the GDPR through dissuasion would be weakened. Nemitz correctly points out that such a fine must then in any case be higher pursuant to Article 83(2)(a) GDPR because of the multiple infringements in contrast to where only a single infringement had been committed in an individual case.^[25]

(4) Less severe violations

Article 83(4) GDPR specifies a set of infringements which are subject to a less severe fine. It applies to the following offenses: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 GDPR; (b) the obligations of the certification body pursuant to Articles 42 and 43 GDPR; (c) the obligations of the monitoring body pursuant to Article 41(4) GDPR.^[26] These infringements shall be subject to administrative fines up to €10 million or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The sum of the annual turnover of all individual persons who are to be understood as an “undertaking” according to the above definition is to be taken as a basis. Despite some clarifications in the EDPB Guidelines, the GDPR and other EU law do not specify a concrete calculation method. In this respect, the SA should have the prerogative to assess the calculation method, whereby it is obliged to apply it uniformly due to the principle of equal treatment. The SAs should be guided by the existing, largely (internationally) standardised rules for the determination of turnover under tax or accounting law. After all, the multitude of undertakings will calculate these figures anyway so that they can evaluate the amount of potential fines by themselves. Under Article 83(4), there is no lower limit for the fine. There is no provision for deprivation of profits in the case of infringements of the GDPR. However, according to Article 83(2)(k) GDPR, financial benefits gained from the infringement can be considered when deciding on the amount of the administrative fine (see above). Only insofar as Member States enact national regulations on sanctions (cf. Article 84 GDPR), a deprivation of profits is possible according to Recital 149 sentence 1 GDPR. Contrary to the wording, this can take place not only on the basis of criminal law, but also on the basis of administrative law.^[27]

(5) More severe violations

Article 83(5) GDPR then contains the more serious infringements, which are punishable by a higher fine. The upper limit of the fine is €20 million or, in the case of an undertaking, 4% of the total worldwide annual turnover, whichever is higher. Article 83(5) GDPR covers the following offenses: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9 GDPR; (b) the data subjects’ rights pursuant to Articles 12 to 22 GDPR; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49 GDPR; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the SA pursuant to Article 58(2) GDPR or failure to provide access in violation of Article 58(1) GDPR.

(6) Non-compliance with orders pursuant to Article 58(2) GDPR

Article 83(6) GDPR is a superfluous provision and has no independent scope of application. The entire regulatory content of this provision is already covered by Article 83(5)(e) GDPR, which also provides for the same legal consequences.^[28]

(7) National rules on fines on public authorities

Article 83(7) GDPR contains an opening clause. Member States may provide by law whether and to what extent fines may also be imposed on public authorities and bodies established in the Member State concerned. From this provision and Recital 150 sentence 6 GDPR, it follows first that the GDPR itself does not directly provide for fines against public authorities and bodies. This clarification is necessary because Article 83 GDPR does not contain a clear description of the addressees of the fines. It predominantly focuses on "controllers and processors", which does not exclude public authorities and bodies (cf. Article 4(7) and (8) GDPR). The fact that public authorities and bodies cannot constitute an “undertaking” within the meaning of Article 83(4), (5) and (6) GDPR does not lead to a general exclusion as norm addressee. Thereby, only the relative ground for calculating a fine based on the annual turnover is excluded. The addition of “without prejudice to the corrective powers of SAs as referred to in Article 58(2)” GDPR underlines that the SAs can use those powers also against public authorities and bodies.

The usefulness of a fine against public authorities has been debated. After all, a fine against public authorities and bodies may only lead to a shift of financial resources within the public budget.^[29] Nevertheless, the threat of withdrawal of financial resources may also serve as an incentive. Informal statements by data protection officers seem to show that the lack of fines leads to data protection law not being taken seriously by public authorities and bodies, as the responsible employees do not expect any consequences for violations of the law.^[30] However, the problem with fines against public authorities and bodies appears to be that public authorities and bodies, which are fundamentally established in the interest of citizens, lose the resources necessary to fulfill their tasks. It has been rightly pointed out that fines may be necessary at least in the public health sector due to the processing of particularly sensitive personal data and in the public registration system due to the processing of particularly lucrative personal data for control purposes.^[31]

The opening clause does not only grant the decision on "whether" to impose fines on public authorities and bodies. Rather, the member states are entitled to a completely unguided decision on the amount of fines. Certainly, it should be noted that a link to the fine framework of Article 83(4), (5) and (6) GDPR is unlikely to make much sense.

(8) Appropriate procedural safeguards

The nature of the administrative fine is not clear. It evidently has an administrative nature because Article 83 GDPR as well as Recital 150 explicitly refer to “administrative fines” on various occasions.^[32] Furthermore, it is adopted by an SA,^[33] which is technically an administrative body.^[34] However, the fine also has elements of criminal law. Admittedly, it cannot be classified as criminal in the narrower sense, as the EU lacks the legislative competence to enact regulations in criminal law.^[35] At the same time, a classification as criminal in the broader sense is appropriate.

By applying the criteria set out by the ECHR, scholars conclude that fines are "criminal within the wider, autonomous meaning of Article 6 ECHR", but not in the "criminal" sense of EU law.^[36] This means that the imposition of fines must in any case respect the core principles of criminal law, e.g. the principles nemo tenetur se ipsum accusare, ne bis in idem and nulla poena sine lege (in particular nulla poena sine lege certa). However, the application of these criminal law principles to a (formally) administrative sanction cannot necessarily have the same scope they have in the criminal sector.^[37]

For these reasons, Article 83(8) requires that appropriate procedural safeguards under Union and Member State law must exist in the sanctioning proceedings. These include in particular effective judicial remedies and due process.^[38] Due process refers to the administrative procedure itself. In this respect, the parties involved should always have the right to express their views, for example through a hearing or a system providing for the submission of defensive pleadings. In addition, the measure should always offer a motivation that explains in detail how the decision on the fine was reached.^[39] In addition, Article 83(8) establishes that the addressee of the fine has a right to challenge the measure before a court. This is particularly important if one considers that administrative fines have an almost-criminal nature, as already stressed above.

The provision is appropriately described by Moos, Schefzig as a “mandatory opening clause”.^[40] Article 83(8) GDPR is likely to establish a comprehensive legislative obligation for all Member States, provided that the aforementioned criteria are not yet fulfilled in the respective Member State law. However, no new rules need to be created if the administrative procedure behind the imposition of fines fits into the Member State's administrative law doctrine. In this respect, Article 83(8) GDPR should establish a corresponding obligation of the Member States to check whether this is the case.

(9) Member states where the law does not provide for administrative fines

Article 83(9) GDPR addresses the fact that in some Member States administrative fines are not allowed by law. According to Article 83(9) GDPR, in these cases a modified application of Article 83 GDPR must be made in such a way that a fine is initiated by the SA and imposed by the competent courts. Beyond this, these Member States are generally obliged to apply Article 83 GDPR in full (adapted to the absence of administrative fines). It must be ensured that these remedies are effective and have the same effect as the fines imposed by the SAs. Article 83(9) GDPR emphasises the importance of paragraph (1) once again: The Member States concerned are explicitly obliged to apply the principles of effectiveness, dissuasiveness and proportionality.

According to Recital 151 GDPR, these are in any case Denmark and Estonia. In light of a decision of the Slovenian Supreme Court of 16 March 2021, Slovenia seems not to allow for administrative fines either.

Finally, Article 83(9) GDPR contains an information (25 May 2018) and update obligation vis-à-vis the Commission about national legislation adopted in fulfilment of the obligation under Article 83(9) GDPR. The purpose of this provision is that the Commission can also verify and track the effective enforcement of the GDPR in Member States without administrative fines.

Decisions

→ You can find all related decisions in Category:Article 83 GDPR

References

↑ The wording “infringements of this Regulation” in Article 83(1) GDPR is slightly imprecise. In fact, Article 83(5)(d) GDPR also provides for fines for breaches of Member State law adopted under Chapter IX.
↑ The EDPB's interpretation borrows principles from criminal law. Individual (material) facts shall be subsumed under a single (material) conduct due to their intrinsic coherence in terms of will and purposes. That said, even if the sanctionable conduct is only one, it may alternatively give rise to one or multiple infringements. This second stage is the moment when a material conduct is eventually matched with one or multiple legal categories. To continue the parallel with criminal law, this is the phase in which a fact that meets all the elements of the legal type becomes a "crime" (or a set of crimes), at least from the objective perspective. The following sub-paragraphs will explain in details the several options that may arise.
↑ The term “linked” refers to the principle that a unitary conduct might consist of several parts that are carried out by a unitary will and are contextually (in particular, regarding identity in terms of data subject, purpose and nature), spatially and temporally related in such a close way that, from an objective standpoint, they would be considered as one coherent conduct. A sufficient link should not be assumed easily, in order for the supervisory authority to avoid infringement of the principles of deterrence and effective enforcement of European law. See, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 28.
↑ Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 30.
↑ Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 38.
↑ Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 46.
↑ "This traditional trio of requirements is 'an undefined legal concept' used in various situations of sanctioning under EU law, including case law and secondary legislation". See, Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 83, margin number 13 (Nomos Verlagsgesellschaft 2023, 1st edition).
↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition).
↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 7 (C.H. Beck 2021, 3rd edition) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 19 (C.H. Beck 2019, 1st edition).
↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition); also Moos/Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 24 (C.H. Beck 2019, 3rd edition).
↑ Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 20 (C.H. Beck 2019, 1st edition).
↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 6 (C.H. Beck 2021, 3rd edition).
↑ Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 22 (C.H. Beck 2020, 36th edition).
↑ Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 137 and following.
↑ Sentence 1 is only designed to decide on the relation between corrective measures under Article 58(2) GDPR and the administrative fine under Article 83 GDPR. In other words, whether they can occur simultaneously or not. Sentence 2, on the other hand, is the only provision in Article 83 GDPR that regulates the (different) issue of whether an administrative fine should be imposed or not. See discussion below.
↑ A view according to which the SA has an absolute obligation to impose a fine must therefore be rejected. The opposing view refers to the wording of Article 83(2)sentence 1 GDPR as well as Article 83(4) and (5) GDPR according to which the SA “shall [...] impose” a fine. This is not convincing. The primary regulatory objective of Article 83(2)(1) GDPR (and of Recital 148 sentence 1 GDPR) is to regulate the relationship of fines to other measures. There is no evidence that the provision is intended to introduce a simultaneous “incidental” obligation to impose fines. Rather, the decision on “whether” and “how” to impose a fine is explicitly regulated in the second sentence. Certainly, this is not completely convincing systematically, since the legislator could have made independent paragraphs out of sentences 1 and 2 in order to support the interpretation adopted here. However, the wording of paragraphs 4 and 5 cannot justify a different interpretation, as they only aim to introduce the catalogue of infringements to be sanctioned and the respective fine frameworks, and explicitly refer to Article 83(2) GDPR for the decision on “whether” and “how”. Having said this, it is also irrelevant that the wording “may impose fines” initially provided for in the Council draft on Article 83(2)(1) as well as (4) and (5) GDPR was replaced by “shall impose fines”. For more information on this debate, see Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin numbers 30 to 32f (C.H. Beck 2020, 3rd edition); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (C.H. Beck 2019, 1st edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).
↑ Recital 148 sentence 2 GDPR, mentions two examples in which the imposition of a fine is to be waived ("minor infringement"; "disproportionate burden to a natural person").
↑ The EDPB recommends in its Guidelines a 5-step procedure for the determination of the administrative fine. Identification of processing operations. This first stage involves the identification of sanctionable conduct(s) and infringment(s). For a detailed analysis we refer to paragraph (1). Determination of the starting point of calculation. Three main elements shall be taken into account: a) the categorisation of each infringement under either Article 83(4) or Article 83(5)/(6); b) assessment of the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g). The EDPB stressed that there is no mathematical formula, but three possible outputs are possible, namely low, medium or high level of seriousness; c) determination of the turnover of the undertaking. Application of potential aggravating or mitigating factors in light of the criteria provided by Article 83(2), with the exception of letters (a), (b) and (g), which have to be used the previous stage. Identification of the legal maximum. As a matter of fact, the EDPB mentions here again Article 83(4)-(6), which also provides criteria for the determination of the starting point. Assessment of effectiveness, dissuasiveness and proportionality of the measure, with the possibility to increase or decrease the fine accordingly. Concerning this point, we refer to the section "Further requirements of the fine" in paragraph (1).
↑ Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 83, margin number 21 (Nomos Verlagsgesellschaft 2023, 1st edition).
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (C.H. Beck 2020, 3rd edition).
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (C.H. Beck 2020, 3rd edition).
↑ WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, p. 13.
↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 13 (C.H. Beck 2021, 3rd edition).
↑ Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020); also Jahnel, Datenschutz-Grundverordnung, Article 83, margin number 12 (Jan Sramek Verlag 2021).
↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin numbers 31-32 (C.H. Beck 2018, 2nd edition).
↑ For the scope of the obligations (subject to fines) listed by the aforementioned provisions, please refer to the commentaries on the respective provisions.
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 9 (C.H. Beck 2020, 3rd edition).
↑ Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 51 (Beck 2019, 1st edition).
↑ Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 79.1 (C.H. Beck 2020, 36th edition).
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition).
↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 47 (C.H. Beck 2018, 2nd edition).
↑ Article 79 GDPR also speaks of “administrative or non-judicial remedies”. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).
↑ The competent body for issuing administrative fines is always the SA. This can be derived from Article 83(1) GDPR (“Each SA shall ensure [...]”). Such power is also confirmed by Article 58(2)(i) GDPR: “Each SA” shall be empowered to impose a fine. Another confirmation in this sense is brought by Recital 150 sentence 1 GDPR. It states that “each SA should have the power to impose administrative fines” in order “to strengthen and harmonise” the application of the GDPR. In order to make this possible at all, each SA must have the power to impose fines. Member States that do not provide for administrative fines are therefore obliged to implement a modified, comparably effective application of Article 83 GDPR. The competence of the SA is determined in accordance with Articles 55 et seq. GDPR.
↑ Article 55(3) GDPR clarifies that SAs are not considered by the GDPR to belong to the judiciary.
↑ Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 41 (C.H. Beck 2020, 36th edition).
↑ Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 44 (C.H. Beck 2020, 3rd edition).
↑ Article 83(8) GDPR corresponds in this respect to Recital 148 sentence 4 GDPR.
↑ Nemitz, in Ehmann,Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 12 (C.H. Beck 2018, 2nd edition).
↑ Moos, Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 119 (C.H. Beck 2019, 3rd edition).

[1] The wording “infringements of this Regulation” in Article 83(1) GDPR is slightly imprecise. In fact, Article 83(5)(d) GDPR also provides for fines for breaches of Member State law adopted under Chapter IX.

[2] The EDPB's interpretation borrows principles from criminal law. Individual (material) facts shall be subsumed under a single (material) conduct due to their intrinsic coherence in terms of will and purposes. That said, even if the sanctionable conduct is only one, it may alternatively give rise to one or multiple infringements. This second stage is the moment when a material conduct is eventually matched with one or multiple legal categories. To continue the parallel with criminal law, this is the phase in which a fact that meets all the elements of the legal type becomes a "crime" (or a set of crimes), at least from the objective perspective. The following sub-paragraphs will explain in details the several options that may arise.

[3] The term “linked” refers to the principle that a unitary conduct might consist of several parts that are carried out by a unitary will and are contextually (in particular, regarding identity in terms of data subject, purpose and nature), spatially and temporally related in such a close way that, from an objective standpoint, they would be considered as one coherent conduct. A sufficient link should not be assumed easily, in order for the supervisory authority to avoid infringement of the principles of deterrence and effective enforcement of European law. See, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 28.

[4] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 30.

[5] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 38.

[6] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 46.

[7] "This traditional trio of requirements is 'an undefined legal concept' used in various situations of sanctioning under EU law, including case law and secondary legislation". See, Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 83, margin number 13 (Nomos Verlagsgesellschaft 2023, 1st edition).

[8] Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition).

[9] Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 7 (C.H. Beck 2021, 3rd edition) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 19 (C.H. Beck 2019, 1st edition).

[10] Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition); also Moos/Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 24 (C.H. Beck 2019, 3rd edition).

[11] Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 20 (C.H. Beck 2019, 1st edition).

[12] Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 6 (C.H. Beck 2021, 3rd edition).

[13] Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 22 (C.H. Beck 2020, 36th edition).

[14] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, par. 137 and following.

[15] Sentence 1 is only designed to decide on the relation between corrective measures under Article 58(2) GDPR and the administrative fine under Article 83 GDPR. In other words, whether they can occur simultaneously or not. Sentence 2, on the other hand, is the only provision in Article 83 GDPR that regulates the (different) issue of whether an administrative fine should be imposed or not. See discussion below.

[16] A view according to which the SA has an absolute obligation to impose a fine must therefore be rejected. The opposing view refers to the wording of Article 83(2)sentence 1 GDPR as well as Article 83(4) and (5) GDPR according to which the SA “shall [...] impose” a fine. This is not convincing. The primary regulatory objective of Article 83(2)(1) GDPR (and of Recital 148 sentence 1 GDPR) is to regulate the relationship of fines to other measures. There is no evidence that the provision is intended to introduce a simultaneous “incidental” obligation to impose fines. Rather, the decision on “whether” and “how” to impose a fine is explicitly regulated in the second sentence. Certainly, this is not completely convincing systematically, since the legislator could have made independent paragraphs out of sentences 1 and 2 in order to support the interpretation adopted here. However, the wording of paragraphs 4 and 5 cannot justify a different interpretation, as they only aim to introduce the catalogue of infringements to be sanctioned and the respective fine frameworks, and explicitly refer to Article 83(2) GDPR for the decision on “whether” and “how”. Having said this, it is also irrelevant that the wording “may impose fines” initially provided for in the Council draft on Article 83(2)(1) as well as (4) and (5) GDPR was replaced by “shall impose fines”. For more information on this debate, see Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin numbers 30 to 32f (C.H. Beck 2020, 3rd edition); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (C.H. Beck 2019, 1st edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).

[17] Recital 148 sentence 2 GDPR, mentions two examples in which the imposition of a fine is to be waived ("minor infringement"; "disproportionate burden to a natural person").

[18] The EDPB recommends in its Guidelines a 5-step procedure for the determination of the administrative fine. Identification of processing operations. This first stage involves the identification of sanctionable conduct(s) and infringment(s). For a detailed analysis we refer to paragraph (1). Determination of the starting point of calculation. Three main elements shall be taken into account: a) the categorisation of each infringement under either Article 83(4) or Article 83(5)/(6); b) assessment of the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g). The EDPB stressed that there is no mathematical formula, but three possible outputs are possible, namely low, medium or high level of seriousness; c) determination of the turnover of the undertaking. Application of potential aggravating or mitigating factors in light of the criteria provided by Article 83(2), with the exception of letters (a), (b) and (g), which have to be used the previous stage. Identification of the legal maximum. As a matter of fact, the EDPB mentions here again Article 83(4)-(6), which also provides criteria for the determination of the starting point. Assessment of effectiveness, dissuasiveness and proportionality of the measure, with the possibility to increase or decrease the fine accordingly. Concerning this point, we refer to the section "Further requirements of the fine" in paragraph (1).

[19] Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 83, margin number 21 (Nomos Verlagsgesellschaft 2023, 1st edition).

[20] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (C.H. Beck 2020, 3rd edition).

[21] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (C.H. Beck 2020, 3rd edition).

[22] WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, p. 13.

[23] Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 13 (C.H. Beck 2021, 3rd edition).

[24] Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020); also Jahnel, Datenschutz-Grundverordnung, Article 83, margin number 12 (Jan Sramek Verlag 2021).

[25] Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin numbers 31-32 (C.H. Beck 2018, 2nd edition).

[26] For the scope of the obligations (subject to fines) listed by the aforementioned provisions, please refer to the commentaries on the respective provisions.

[27] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 9 (C.H. Beck 2020, 3rd edition).

[28] Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 51 (Beck 2019, 1st edition).

[29] Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 79.1 (C.H. Beck 2020, 36th edition).

[30] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition).

[31] Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 47 (C.H. Beck 2018, 2nd edition).

[32] Article 79 GDPR also speaks of “administrative or non-judicial remedies”. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).

[33] The competent body for issuing administrative fines is always the SA. This can be derived from Article 83(1) GDPR (“Each SA shall ensure [...]”). Such power is also confirmed by Article 58(2)(i) GDPR: “Each SA” shall be empowered to impose a fine. Another confirmation in this sense is brought by Recital 150 sentence 1 GDPR. It states that “each SA should have the power to impose administrative fines” in order “to strengthen and harmonise” the application of the GDPR. In order to make this possible at all, each SA must have the power to impose fines. Member States that do not provide for administrative fines are therefore obliged to implement a modified, comparably effective application of Article 83 GDPR. The competence of the SA is determined in accordance with Articles 55 et seq. GDPR.

[34] Article 55(3) GDPR clarifies that SAs are not considered by the GDPR to belong to the judiciary.

[35] Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 41 (C.H. Beck 2020, 36th edition).

[36] Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).

[37] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 44 (C.H. Beck 2020, 3rd edition).

[38] Article 83(8) GDPR corresponds in this respect to Recital 148 sentence 4 GDPR.

[39] Nemitz, in Ehmann,Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 12 (C.H. Beck 2018, 2nd edition).

[40] Moos, Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 119 (C.H. Beck 2019, 3rd edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]