Rina Steenkamp - Privacy and technology
Chapter VIII Remedies, liability and sanctions
Article 79 Administrative sanctions
October 2013
Article 79(1)
1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The supervisory authorities shall cooperate with each other in accordance with Articles 46 and 57 to guarantee a harmonized level of sanctions within the Union.
Article 79(2)
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive.
Article 79(2a)
2a. To anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:
- (a) a warning in writing in cases of first and non-intentional non-compliance;
- (b) regular periodic data protection audits;
- (c) a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater.
Article 79(2b)
2b. If the controller or the processor is in possession of a valid "European Data Protection Seal" pursuant to Article 39, a fine pursuant to paragraph 2a(c) shall only be imposed in cases of intentional or negligent incompliance.
Article 79(2c)
2c. The administrative sanction shall take into account the following factors:
- (a) the nature, gravity and duration of the incompliance,
- (b) the intentional or negligent character of the infringement,
- (c) the degree of responsibility of the natural or legal person and of previous breaches by this person,
- (d) the repetitive nature of the infringement,
- (e) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,
- (f) the specific categories of personal data affected by the infringement,
- (fa) the level of damage, including non-pecuniary damage, suffered by the data subjects,
- (fb) the action taken by the controller or processor to mitigate the damage suffered by data subjects,
- (fc) any financial benefits intended or gained, or losses avoided, directly or indirectly from the infringement,
- (g) the degree of technical and organisational measures and procedures implemented pursuant to:
- (i) Article 23 - Data protection by design and by default
- (ii) Article 30 - Security of processing
- (iii) Article 33 - Data protection impact assessment
- (iv) Article 33a - Data protection compliance review
- (v) Article 35 - Designation of the data protection officer
- (ga) the refusal to cooperate with or obstruction of inspections, audits and controls carried out by the supervisory authority pursuant to Article 53,
- (gb) other aggravating or mitigating factors applicable to the circumstance of the case.
Article 79(3)
3. (deleted)
Article 79(4)
4. (deleted)
Article 79(5)
5. (deleted)
Article 79(6)
6. (deleted)
Article 79(7)
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the absolute amounts of the administrative fines referred to in paragraphs 2a, taking into account the criteria and factors referred to in paragraphs 2 and 2c.
[Source: October 2013]
Recital 120
(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which should be fixed in each individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
January 2012
Explanatory memorandum
3.4. Detailed explanation of the proposal
Article 79 obliges each supervisory authority to sanction the administrative offences listed in the catalogues set out in this provision, imposing fines up to maximum amounts, with due regard to circumstances of each individual case.
[Source: January 2012 | Context: Proposal from the European Commission]
Article 79(1) [Amended: October 2013]
1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Article 79(2) [Amended: October 2013]
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of cooperation with the supervisory authority in order to remedy the breach.
Article 79(3) [Deleted: October 2013]
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:
- (a) a natural person is processing personal data without a commercial interest; or
- (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
Article 79(4) [Deleted: October 2013]
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
- (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
- (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
Article 79(5) [Deleted: October 2013]
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
- (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
- (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
- (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subject requests to erase any links to, or copy or replication of the personal data pursuant to Article 17;
- (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
- (e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
- (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
- (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
Article 79(6) [Deleted: October 2013]
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
- (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
- (b) processes special categories of data in violation of Articles 9 and 81;
- (c) does not comply with an objection or the requirement pursuant to Article 19;
- (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
- (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
- (f) does not designate a representative pursuant to Article 25;
- (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
- (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
- (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
- (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
- (k) misuses a data protection seal or mark in the meaning of Article 39;
- (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
- (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
- (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
- (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
Article 79(7) [Amended: October 2013]
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
[Source: January 2012 | Context: Proposal from the European Commission]
Recital 120
(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which should be fixed in each individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.
[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]
Directive 95/46/EC
Cross-reference
| General Data Protection Regulation | Directive 95/46/EC |
|---|---|
| Article 79(2a) | Article 24 |
| Article 79(7) | Article 24 |
Chapter III Judicial remedies, liability and sanctions
Article 24 Sanctions
The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.