How will national DPAs impose fines for GDPR violations?


The GDPR introduced an antitrust-type sanction regime with fines which, for severe infringements, may amount up to 20 million euros or 4% of the annual turnover, whichever is greater. The Working Party of Article 29 recently issued its much expected draft Guidelines for the consistent application of such fines.

The intention of these Guidelines is to ensure that similar fines will be imposed by the national DPAs for similar cases, resulting in a uniform application of the GDPR throughout the EU (principle of equivalence).

The Guidelines constitute an elaboration on the assessment criteria set forth by the GDPR itself and should be applied on an ad hoc basis by the national DPAs. The most significant criteria are the following: 

(a) The nature, gravity and duration of the infringement and the categories of personal data concerned

The above should be assessed taking into consideration the number of the individuals affected (e.g. the number of registrants in a database, users of an application or customers etc.), the specified purpose of the processing and the use of the data in a compatible manner with that purpose, as well as the level of damages occurred. Whether the personal data affected are sensitive is of equal importance for assessing the severity of the breach.

(b) Intentional or negligent infringement

Circumstances that are indicative of intention might be the unlawful processing authorised by the top management or in disregard of existing privacy policies known to the employees. On the other hand, failure to read and abide by existing policies, human error, failure to apply technical updates in a timely manner or failure to adopt (rather than simply failure to apply them) are indicators of a negligent behaviour.

(c) Responsibility of the controller/processor regarding technical and organisational measures 

Examples of what is practically assessed here is whether technical, organisational and security measures at all levels of the organisation have been taken, whether privacy policies are known and actually applied, whether best practice regimes are followed or whether organisations have adhered to approved codes of conduct and certification mechanisms.

(d) Action to mitigate the damage suffered by the individuals 

Even when no such measures were taken, organisations that have admitted to their infringement and taken responsibility to correct or limit the impact of their actions might be treated with some flexibility. 


In view of the entry into force of the GDPR and the draft Guidelines, there may be a significant shift of the approach to be adopted by the Hellenic DPA on the level of fines. By way of practical advice to organisations acting either as controllers or processors, the strengthening of their position at the current stage and prior to the occurrence of a GDPR infringement can be effected through a solid GDPR compliance exercise that should include: 

  1. Design and implementation of appropriate data protection policies and procedures;
  2. Review and implementation of appropriate technical and organisational measures that would protect the personal data within their organisation and outside it (when data are processed by service providers); and
  3. Training of employees and increase of their awareness to improve understanding of the GDPR and to ensure actual implementation of the relevant policies and procedures (ongoing task).

Article provided by: 

  • Takis Kakouris (Partner, Zepos & Yannopoulos)
  • Mary Deligianni (Senior Associate, Zepos & Yannopoulos)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.