Lesson 21 of 25
Consequences: Fines, Liability & Compensation
5 min read · CIPP/E
Master the two Article 83 fine tiers and which violations fall in each, the factors that calibrate a fine, and individuals' rights to compensation and representative actions under Articles 82 and 80.
The consequences of getting it wrong
- Domain IV.D — fines, liability, compensation
- Two fine tiers under Article 83
- Individuals can claim compensation (Art. 82)
- Representative actions under Article 80
Domain four ends with consequences: what happens when an organisation breaks the GDPR. There are three channels the exam cares about: administrative fines imposed by supervisory authorities under Article 83; compensation paid to individuals for damage under Article 82; and the procedural routes individuals use to enforce their rights, including representative or class-style actions under Article 80. The fines are what make headlines, but compensation and collective redress matter too.
Let's take each, starting with the famous two-tier fine structure, because the exam routinely asks which tier a given violation falls into.
The two fine tiers (Article 83)
- Lower tier: up to €10M or 2% of global annual turnover
- Higher tier: up to €20M or 4% of global annual turnover
- Whichever is HIGHER, for an undertaking
- Fines must be effective, proportionate, dissuasive
Article 83 sets two tiers of administrative fines, and you must know both numbers. The lower tier, in Article 83(4), is up to ten million euros or, for an undertaking, up to two percent of its total worldwide annual turnover for the preceding financial year, whichever is higher. The higher tier, in Article 83(5), is up to twenty million euros or, for an undertaking, up to four percent of that same turnover, whichever is higher.
The phrase whichever is higher is critical: for a large company the percentage usually dwarfs the fixed cap. Note also that the turnover is that of the undertaking, which Recital 150 reads in the competition-law sense of Articles 101 and 102 TFEU, so a subsidiary's infringement can be measured against the turnover of the wider economic unit it belongs to. And under Article 83(1) every fine must be effective, proportionate, and dissuasive in the individual case. So memorise: ten million or two percent for the lower tier, twenty million or four percent for the higher tier.
Which violations sit in which tier
- Lower tier (Art. 83(4)): controller/processor obligations
- E.g. records (Art. 30), security (Art. 32), DPO, breach notification
- Higher tier (Art. 83(5)): principles, rights, transfers, consent
- The 'serious' core breaches get the higher tier
Knowing the tiers is only half the battle; the exam asks which tier a violation falls into. The lower tier, Article 83(4), covers breaches of the controller's and processor's own obligations in Articles 8, 11, 25 to 39, 42 and 43, the administrative and security-type duties: failing to keep Article 30 records, failing to implement Article 32 security, not appointing a required DPO, or missing the breach-notification duties in Articles 33 and 34 (it also covers the obligations of certification and monitoring bodies). The higher tier, Article 83(5), covers the most serious breaches: violating the basic principles in Article 5, ignoring the lawful-basis and consent conditions in Articles 6, 7 and 9, infringing data subjects' rights in Articles 12 to 22, breaking the international-transfer rules in Chapter V (Articles 44 to 49), and failing to comply with an order or processing limitation imposed by a supervisory authority under Article 58(2); Article 83(6) separately confirms that ignoring such an order draws the twenty million or four percent band.
A simple heuristic: breaches of core principles, rights, consent, transfers, and supervisory-authority orders are higher tier; breaches of procedural and security obligations are lower tier. One further rule worth knowing: under Article 83(3), where the same or linked processing operations infringe several provisions, the total fine cannot exceed the amount specified for the gravest infringement. Test the heuristic on practice questions until it is automatic.
How fines are calculated (Article 83(2))
- Not automatic — authorities weigh factors
- Nature, gravity, duration; intentional vs negligent
- Mitigation efforts; cooperation; prior infringements
- Categories of data affected; how the authority learned of it
Fines are not automatic; Article 83(2) lists the factors a supervisory authority weighs when deciding whether to fine at all and how much. They include the nature, gravity, and duration of the infringement, taking into account the scope and purpose of the processing, the number of data subjects affected and the level of damage suffered; whether it was intentional or negligent; any action taken to mitigate the damage; the degree of responsibility, taking account of the technical and organisational measures implemented under Articles 25 and 32; any relevant previous infringements; the degree of cooperation with the authority; the categories of personal data affected; the manner in which the authority became aware of the infringement, in particular whether the controller or processor notified it; compliance with any measures previously ordered under Article 58(2); adherence to approved codes of conduct or certification mechanisms; and any other aggravating or mitigating factor, such as financial benefits gained from the infringement. So cooperation and prompt mitigation can reduce a fine, while intentional, prolonged infringements affecting many people push it up. The EDPB's Guidelines 04/2022 turn these factors into a stepwise method: classify the infringement by tier and seriousness, set a starting amount that scales with the undertaking's turnover, adjust for aggravating and mitigating circumstances, then check the legal maximum and whether the result is effective, proportionate and dissuasive.
The exam may give you aggravating or mitigating facts and ask their effect.
Compensation and collective redress (Articles 82, 80)
- Article 82 — right to compensation for material or non-material damage
- Controller and processor can be liable; joint and several
- Article 80 — bodies can represent data subjects
- Article 77 complaint to a DPA; Article 79 court remedy
Beyond fines, individuals have their own remedies. Article 82 gives any person who has suffered material or non-material damage as a result of an infringement the right to compensation from the controller or processor; non-material damage includes distress, not just financial loss. The claimant must still show damage and a causal link to the infringement: the CJEU held in C-300/21 (Österreichische Post) that a breach of the GDPR alone does not give rise to compensation, although there is no minimum seriousness threshold for the damage. A controller is liable for damage caused by processing that infringes the Regulation; a processor is liable only where it breached processor-specific obligations or acted outside or contrary to the controller's lawful instructions. Under Article 82(3), either is exempt if it proves it is not in any way responsible for the event giving rise to the damage.
Where more than one controller or processor is responsible for the same processing, Article 82(4) makes each liable for the entire damage, in effect joint and several liability, so a claimant can recover the full amount from one and leave that party to claim back the others' share under Article 82(5). Procedurally, Article 77 lets a person lodge a complaint with a supervisory authority, Article 78 gives a judicial remedy against the authority itself, and Article 79 gives a judicial remedy in court against a controller or processor. Article 80(1) lets a data subject mandate a not-for-profit body active in data protection to lodge the complaint, bring the court action and, where Member State law provides, claim compensation on their behalf; Article 80(2) lets Member States go further and allow such bodies to act without any individual mandate. That is the GDPR's route to collective or class-style actions.
So enforcement is not only top-down fines; it is also bottom-up claims.
Recap
- Lower tier: €10M/2%; higher tier: €20M/4% (whichever higher)
- Principles/rights/transfers/consent → higher tier
- Article 83(2) factors calibrate the fine
- Article 82 compensation; Article 80 representative actions
So, to recap the consequences. Article 83 has two fine tiers: up to ten million euros or two percent for procedural and security breaches, and up to twenty million euros or four percent for breaches of principles, rights, consent, transfers, and supervisory-authority orders, whichever is higher in each case. Article 83(2) lists the factors that calibrate the fine, with cooperation and mitigation helping, intent and scale hurting.
And individuals have their own remedies: compensation under Article 82 for material and non-material damage, complaints to a DPA under Article 77, court remedies under Article 79, and representative actions under Article 80. That completes Domain four. Go take the Domain four practice test before we move into compliance in practice.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 77 (right to lodge a complaint), Article 79 (judicial remedy), Article 80 (representation/class actions), Article 82 (compensation and liability), Article 83 (administrative fines), Article 84 (penalties)
- Recitals 146-150
- EDPB Guidelines 04/2022 on calculation of fines
Test your knowledge
A few CIPP/E questions on this material.
Q1. Which legal instrument requires website operators to obtain consent before placing non-essential cookies on a user's device?
Q2. A national police force processes personal data to solve a murder investigation. An officer also keeps personal notes on a private notepad at home about potential leads. Which processing is covered by the GDPR?
Q3. A university collects student contact data for administrative purposes. It later wants to include the same students in a longitudinal anonymised research study. Is this a compatible further purpose?
Q4. A data subject objects under Article 21(1) to the processing of their data for fraud-detection purposes based on legitimate interests. The controller has strong evidence that the processing is necessary to prevent significant financial crime. What must the controller do?