
Administrative Liability of the Controller under the General Data Protection Regulation

The General Data Protection Regulation (GDPR) has established a unified European framework for the protection of personal data, based on clearly defined data subject rights and obligations imposed on controllers and processors. One of the key elements ensuring its effectiveness is the mechanism of administrative liability, contained primarily in Article 83 GDPR. Particularly significant is the fact that the Regulation introduced exceptionally high monetary fines, including the possibility of imposing penalties of up to EUR 20 million or up to 4% of an undertaking’s total worldwide annual turnover, thus positioning data protection enforcement on a regulatory level comparable to competition law or financial supervision.

Responsibility of the Controller and the Accountability Principle

Although the GDPR establishes obligations for various actors, the controller occupies a central role. Article 5(2) introduces the principle of accountability, under which the controller is required to ensure that all processing operations comply with the Regulation and must be able to demonstrate such compliance. Article 24 further emphasises the obligation to implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of processing, as well as the varying degrees of risk to the rights and freedoms of individuals.

In practical terms, the controller’s responsibilities include correctly determining legal bases under Article 6, obtaining valid consent under Article 7, implementing privacy by design and by default under Article 25, maintaining records of processing activities under Article 30, ensuring appropriate security measures under Article 32, and properly and promptly responding to personal data breaches in accordance with Articles 33 and 34. Failure to fulfil these obligations may lead to administrative liability.

The GDPR Sanctions System

Article 83 GDPR establishes a two-tier system of administrative fines. When assessing the amount of the fine, supervisory authorities consider several criteria, including the nature, gravity and duration of the infringement, the number of affected data subjects, whether the infringement was intentional or negligent, the degree of responsibility of the controller, previous infringements, the controller’s level of cooperation with the supervisory authority, as well as the categories of personal data involved. This ensures an individualised approach while maintaining maximum thresholds for different categories of violations.

Infringements Subject to Fines up to EUR 10 Million or 2% of Total Worldwide Annual Turnover

The lower tier of fines, under Article 83(4), applies to infringements that primarily concern organisational and technical obligations of controllers and processors. This category includes violations of Article 8 regarding the processing of children's data, Article 11 concerning situations where identification is not required, and a wide range of provisions from Articles 25 to 39, which address privacy by design, security policies, records of processing, breach notifications, data protection impact assessments and the appointment of data protection officers.

Typical infringements in this category include the failure to conduct a DPIA where required, failure to notify a personal data breach to the supervisory authority within the 72-hour deadline, insufficient technical security measures, or the failure to appoint a data protection officer where Article 37 makes this obligatory. Violations of Articles 42 and 43, relating to certification bodies and certification mechanisms, also fall within this tier.

Although this category represents the “lower” level of fines, the amounts remain significant and may still result in severe financial and reputational consequences, especially for large enterprises.

Infringements Subject to Fines up to EUR 20 Million or 4% of Total Worldwide Annual Turnover

The higher tier of fines, provided under Article 83(5), applies to infringements that strike at the core of the data protection framework: fundamental principles of processing, data subject rights and international transfers of personal data.

Infringements of the fundamental principles under Article 5 – such as unlawful processing, lack of transparency, breaches of accuracy or data minimisation, or processing without a valid legal basis under Article 6 – constitute some of the most serious violations. The same applies to improper processing of special categories of data under Article 9 or invalid consent mechanisms under Article 7.

Violations of data subject rights under Articles 12–22, including the denial of the right of access, the right to erasure or the right to data portability, likewise fall within this tier. Such infringements have particularly serious consequences because they directly undermine the individual’s ability to exercise control over their personal data.

A further critical category concerns unlawful international transfers under Articles 44–49. Improperly secured or unauthorised transfers of personal data to third countries pose high risks and are therefore sanctioned with the highest fines.

This tier also includes non-compliance with obligations under Member State law adopted pursuant to Chapter IX GDPR, for example in areas such as employment data, health data or processing in the public sector.

Failure to Comply with Supervisory Authority Orders

Article 83(6) expressly provides that failure to comply with an order of the supervisory authority issued under Article 58(2) will automatically be sanctioned at the highest level of fines, up to EUR 20 million or 4% of total worldwide annual turnover. This is considered one of the gravest violations because it represents a direct breach of regulatory authority. Examples include continuing processing despite an explicit prohibition, refusing to grant the supervisory authority access to information, or failing to implement an order to erase personal data.

Conclusion

Administrative liability under the GDPR is one of the crucial mechanisms ensuring the effective functioning of the personal data protection framework. The magnitude of the fines and the strict criteria applied by supervisory authorities encourage organisations to establish robust privacy management systems, conduct ongoing risk assessments and maintain transparent conduct towards data subjects and regulators. For controllers, this means an obligation not merely of formal compliance, but of genuine and demonstrable adherence to the GDPR, supported by documentation, internal governance practices and a proactive approach to data protection.

Ultimately, the system of administrative liability is not designed solely as a punitive tool, but as a mechanism that preserves trust in the protection of personal data within a modern digital society.

Author: Dinko Šperanda, Attorney at Law