Question:
In what cases are fines imposed under the GDPR?
Answer:
Fines under the GDPR are imposed by supervisory authorities for violations of the General Data Protection Regulation. This means that only if a controller disregards the provisions of the GDPR can a fine be imposed on them.
Examples include:
1. Lack of Lawful Basis for Processing Personal Data (Art. 5(1)(a) GDPR)
Real-world example: Meta (Facebook, Instagram) was fined €390 million for attempting to rely on contractual necessity as a legal basis for processing user data for personalized advertising, when regulators deemed it should have been based on consent.
2. Failure to Obtain Valid Consent (Art. 6(1)(a) and Art. 7 GDPR)
A website uses pre-ticked boxes for cookies, or buries consent options deep within its privacy policy, making it difficult for users to genuinely opt in. As an example: Amazon Europe was fined €746 million for failing to obtain proper “freely given” consent for the use of advertising cookies.
3. Insufficient Technical and Organizational Measures to Ensure Security (Art. 32 GDPR)
A company experiences a data breach due to weak security protocols, unpatched software, or lack of encryption for sensitive data. British Airways was fined £20 million after a cyberattack exposed customer data due to the company’s negligence in maintaining its security practices.