Administrative fines and penalties
What administrative fines must a not-for-profit organisation pay if it infringes the GDPR?
Administrative fines may be up to € 10 000 000 for violations of most of the obligations of the GDPR, or up to € 20 000 000 if the violation concerns the principle of the legal basis for data processing, including rules for consent, rights of data subjects, transfers of personal data to third countries or international organisations, and for any other rule issued by the Member States as regards data protection. The criterion of 2% or 4% of the total worldwide annual turnover applies only to controllers and processors which have an economic activity, so it is not applicable unless the charity also carries out business or economic activity. If the not-for-profit organisation also carries out business or economic activities, the criterion is valid: the charity shall be considered a company with economic activity. In other cases, supervisory authorities shall determine the amount to be paid by applying other assessment criteria.