There are two levels of GDPR fines: for severe violations and for lower-level violations.

The lower-level violations could result in an administrative fine of up to €10 million, or 2% of the annual global turnover of the company of the preceding financial year, whichever is higher.

The severe violations could result in an administrative fine of up to €20 million, or 4% of the annual global turnover of the company of the preceding financial year, whichever is higher.

However, not all GDPR violation cases lead to penalties. The GDPR supervisory authority has the power to decide the action that needs to be taken against the violating company. Depending on the severity of the GDPR violation, the GDPR supervisory authority may take the following measures, with or without fine:

• Issue warning;
• Temporarily or permanently ban the activity of the company;
• Request user's personal data deletion;
• Request to restrict the user's personal data transfer to a third party.