The General Data Protection Regulation (GDPR) is a regulation in EU law on personal data protection and privacy for all individuals within the European Economic Area (EEA). All companies and websites operating in the EEA must comply with the GDPR.
Article 83 of the GDPR sets out the conditions for imposing administrative fines. The severity of a GDPR violation is assessed on factors such as:
- The nature, gravity, and duration of the GDPR violation;
- Whether the GDPR violation was intentional or happened by negligence;
- The action taken by the company to mitigate the damage suffered by users;
- Technical and organizational measures implemented to tackle the situation;
- Any relevant previous violations by the company;
- The degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible effects;
- The categories of personal data affected by the violation;
- Whether, and to what extent, the company notified the authority of the violation, or whether the authority learned of it by other means;
- Whether the supervisory authority has taken measures [Article 58(2)] against the company regarding the same violation;
- The company’s adherence to approved codes of conduct or approved certification mechanisms;
- Other factors, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
There are two levels of GDPR fines: one for severe violations and one for lower-level (less severe) violations.
A lower-level violation can result in an administrative fine of up to €10 million, or 2% of the company's annual global turnover for the preceding financial year, whichever is higher.
A severe violation can result in an administrative fine of up to €20 million, or 4% of the company's annual global turnover for the preceding financial year, whichever is higher.
Lower-level violations include the following:
- Collecting any information from a child under the age of 16 without parental consent;
- Storing, collecting, or processing additional information to further identify a user when it is no longer needed to identify that user;
- Failing to follow basic cookie privacy protocols;
- Sharing user data with third parties without the user's consent;
- Not keeping records of the personal information collected from users;
- Failing to inform the supervisory authority of a data breach within 72 hours of becoming aware of it;
- Not performing a data protection impact assessment, thereby putting users at risk of data misuse;
- Not appointing a responsible person to oversee GDPR compliance and ensure that everyone follows the rules.
Severe violations include the following:
- Processing personal data provided by the user in an illegitimate, fraudulent, or corrupt way;
- Processing personal data without informing the user or obtaining the user's consent;
- Sharing any of a user's sensitive personal data without the user's consent;
- Not informing the user that they can opt out of cookies;
- Refusing to provide the user with a copy of their personal data;
- Refusing to let the user edit, update, delete, transfer, or review their personal data;
- Transferring a user's personal data out of the country without a proper protocol;
- Not complying with any order issued by a GDPR supervisory authority.