Skip to main content

How will national DPAs impose fines for GDPR violations?

Takis Kakouris and Mary Deligianni (Greece), Partners of EuroCloud CPC Network

The GDPR introduced an antitrust-type sanction regime with fines which, for severe infringements, may amount up to 20 million euros or 4% of the annual turnover, whichever is greater. The Working Party of Article 29 recently issued its much expected draft Guidelines for the consistent application of such fines.

The intention of these Guidelines is to ensure that similar fines will be imposed by the national DPAs for similar cases, resulting in a uniform application of the GDPR throughout the EU (principle of equivalence).

The Guidelines constitute an elaboration on the assessment criteria set forth by the GDPR itself and should be applied on an ad hoc basis by the national DPAs. The most significant criteria are the following:&nb

(a) The nature, gravity and duration of the infringement and the categories of personal data concerned

The above should be assessed taking into consideration the number of the individuals affected (e.g. the number of registrants in a database, users of an application or customers etc.), the specified purpose of the processing and the use of the data in a compatible manner with that purpose, as well as the level of damages occurred. Whether the personal data affected are sensitive is of equal importance for assessing the severity of the breach.

(b) Intentional or negligent infringement

Circumstances that are indicative of intention might be the unlawful processing authorised by the top management or in disregard of existing privacy policies known to the employees. On the other hand, failure to read and abide by existing policies, human error, failure to apply technical updates in a timely manner or failure to adopt (rather than simply failure to apply them) are indicators of a negligent behaviour.

(c) Responsibility of the controller/processor regarding technical and organisational measures 

Examples of what is practically assessed here is whether technical, organisational and security measures at all levels of the organisation have been taken, whether privacy policies are known and actually applied, whether best practice regimes are followed or whether organisations have adhered to approved codes of conduct and certification mechanisms.

(d) Action to mitigate the damage suffered by the individuals 

Even when no such measures were taken, organisations that have admitted to their infringement and taken responsibility to correct or limit the impact of their actions might be treated with some flexibility. 


In view of the entry into force of the GDPR and the draft Guidelines, there may be a significant shift of the approach to be adopted by the Hellenic DPA on the level of fines. By way of practical advice to organisations acting either as controllers or processors, the strengthening of their position at the current stage and prior to the occurrence of a GDPR infringement can be effected through a solid GDPR compliance exercise that should include: 

  1. Design and implementation of appropriate data protection policies and procedures;
  2. Review and implementation of appropriate technical and organisational measures that would protect the personal data within their organisation and outside it (when data are processed by service providers); and
  3. Training of employees and increase of their awareness to improve understanding of the GDPR and to ensure actual implementation of the relevant policies and procedures (ongoing task).

Article provided by: 

  • Takis Kakouris (Partner, Zepos & Yannopoulos)
  • Mary Deligianni (Senior Associate, Zepos & Yannopoulos)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.