Under the GDPR’s Article 83, fines are divided into two separate categories. The first, which merits a maximum of 2% of global revenue, is associated with security violations. The second category, which merits a more severe fine of 4% of global revenue, relates to limiting processing of personal data, gaining consent, and processing data lawfully:
- Article 15: Right of consumers, or data subjects in GDPR-ese, to access their personal data
- Article 16: Right of subjects to correct their personal data
- Article 17: Right of subjects to ask companies or controllers to erase their data (aka “Right to be Forgotten”)
Recent fines include:
- Google (€50,000,000)
- Active Assurance ($200,000)
- Sergic ($450,000)
- Rousseau ($50,000)
- Marriott (GBP 99,000,000)
- British Airways (intended GBP 183,390,000)
Data Security and Privacy Lessons From Recent GDPR Fines by Andy Green on the Varonis Blog