1. The Commissioner shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

• (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
• (b) the intentional or negligent character of the infringement;
• (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
• (e) any relevant previous infringements by the controller or processor;
• (f) the degree of cooperation with the Commissioner , in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
• (g) the categories of personal data affected by the infringement;
• (h) the manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the controller or processor notified the infringement;
• (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
• (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
• (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to £8,700,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
• (b) the obligations of the certification body pursuant to Articles 42 and 43;
• (c) the obligations of the monitoring body pursuant to Article 41(4).

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to £17,500,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

• (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
• (b) the data subjects’ rights pursuant to Articles 12 to 22;
• (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
• (d) any obligations under Part 5 or 6 of Schedule 2 to the 2018 Act or regulations made under section 16(1)(c) of the 2018 Act;
• (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the Commissioner pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the Commissioner as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to £17,500,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7-9. [THESE ARTICLES ARE INTENTIONALLY LEFT BLANK IN THE UK GDPR]

10. In the 2018 Act, section 115(9) makes provision about the exercise of the Commissioner’s functions under this Article.

Relevant recitals

(148), (149), (150), (151), (152)

Important note about UK GDPR recitals

Recitals to the GDPR are saved into UK domestic law and apply to the interpretation of the UK GDPR. However, they have not been amended upon saving. This may mean that some recitals are no longer relevant if the corresponding provisions have not been retained in UK domestic law. (Tell me more.)