We are currently consulting on this draft guidance.
- The amount of the fine that the Commissioner can impose for an infringement of UK GDPR or DPA 2018 is subject to a statutory maximum.18
- Article 83 UK GDPR and section 157 DPA 2018 provide for two levels of maximum fine, depending on the statutory provision that has been infringed. These are referred to as the ‘standard maximum amount’ and the ‘higher maximum amount’. The tables in Annex 2 set out which level of maximum fine applies to the relevant provisions of the UK GDPR and DPA 2018, as set out in Article 83(4) and (5) UK GDPR and section 157(2), (3) and (4) DPA 2018.
- The maximum fine amounts for each level differ based on whether the controller or processor is an ‘undertaking’19, as follows:
- The standard maximum amount is £8.7 million or, in the case of an undertaking, is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.20
- The higher maximum amount is £17.5 million or, in the case of an undertaking, is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.21
- This means that the applicable statutory maximum amount is only calculated by reference to a percentage of turnover where an undertaking’s total worldwide annual turnover exceeds:
- £435 million in relation to the standard maximum amount (the 2% percentage figure applies); or
- £437.5 million in relation to the higher maximum amount (the 4% percentage figure applies).22
19 See The concept of an ‘undertaking’ for the purpose of imposing fines for an explanation of the term ‘undertaking’ in this context.