What is the maximum fine that can be applied for breach of data protection laws?

Technology (second edition)

Indonesia Small Flag Indonesia

The maximum fine that can be applied for breach of data protection laws is contained in Law No. 11 of 2008 regarding Electronic Information and Transactions (April 21, 2008), as amended (“ITE Law, as amended”), namely IDR12 billion (approximately USD820,000 at current exchange rates).

The Netherlands Small Flag The Netherlands

Currently in the Netherlands the maximum fine that can be levied by the Dutch Personal Data Protection Authority is € 820,000 or 10% of the violators turnover. This will, however, change in 2018, when the GDPR goes live. At that point, the maximum fines will increase to €20m / 4% of worldwide turnover.

Brazil Small Flag Brazil

The fines may vary depending on the claimant and the rules that were not complied in each specific case. For example, if a consumer protection agency is responsible for issuing the fine (e.g. for violation of Consumer Code’s rules), the maximum fine would be around USD 4 million (with few exceptions, depending on the agency). Public prosecutors may file class actions and ask for a compensation for collective damages and, in this case, there is no statutory limit for this kind of claim.

According to the Internet Act, companies that fail to comply with Brazilian rules concerning data protection may be subject to a fine of up to 10% of the turnover of the economic group revenues generated in Brazil in the previous fiscal year.

Non-compliance with the rules of the LGPD (when effective) may result in fines of up to two percent of the turnover of the infringing company’s conglomerate in Brazi, in the preceding fiscal year, excluding taxes, but limited to a total of R$ 50,000,000.00 (fifty million reais) per violation.

Luxembourg Small Flag Luxembourg

Under the General Data Protection Regulation (GDPR) (EU) 2016/679, fines can go up to EUR 20 million or, in case of an undertaking, 4% of the worldwide turnover of the preceding year. These fines apply amongst others to infringement of the data protection principles for processing, data subjects' rights and international transfer restrictions.

A limited number of breaches are subject to fines which can go up to EUR 10 million or, in case of an undertaking, 2% of the worldwide turnover of the preceding year. This lower tier of fines apply amongst others when failing to notify a personal data breach or failing to put an adequate contract in place with a processor.

Romania Small Flag Romania

The maximum applicable fine is the one provided by article 83 paragraph 5 of the GDPR (administrative fine up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher), except for the public authorities and bodies for which the maximum fine is of Ron 200,000 (approximately EUR 43,000).

Spain Small Flag Spain

It is yet to be seen how administrative fines will be imposed under the new Spanish data protection act that is currently being developed. The emergency ordinance, referred to above, defers to the GDPR's fines and therefore, until the new act is published, the fines in Spain will follow the GDPR.

Under the GDPR maximum fines for infringements can be up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever amount is higher. This maximum fine would only be imposed for the breach of certain obligations under the GDPR, such as infringing the data protection principles, not observing the restrictions for international data transfers or failing to satisfy the rights of the data subjects.

On the other hand, persons who have suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. The total amount that will have to be paid for an infringement that resulted in damages would ultimately depend on those damages, which will be decided by a court. A company may be required to pay a fine as well as compensation tothe data subjects.

India Small Flag India

A body-corporate shall be liable to pay monetary value to the extent of the wrongful loss or wrongful gain caused due to a failure to comply with the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (RSPP-SPD Rules). There is no upper limit.

Further, any person who secures access to personal data, whether through a lawful contract or otherwise, and discloses/ transfers the data to a third party without the consent of concerned party, or damages the data, or denies lawful access to the owner of the data, may be imprisoned for a period of three (3) years and a fine of INR 5,00,000/- (Indian Rupees Five Lakhs; USD 7,200/- approximately) may also be imposed.

Turkey Small Flag Turkey

The maximum monetary fine that can be sanctioned for a data breach is 1.000.000 Turkish Liras. Article 18 of the Law on Protection of Personal Data numbered 6698 lists several misdemeanors and the range of the administrative fines tied to them. Please see the table below:



Administrative Fines

 Article 18



(a) Breach of Obligation to Inform

Data controllers are under the obligation to inform data subjects about the data processing activities.

5.000 TL

100.000 TL

(b) Breach of Data Security Obligations

 – Data controllers are under the obligation to take all necessary technical and organizational measures to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data and (iii) safeguard personal data.

15.000 TL

1.000.000 TL

(c) Failure to Comply with Decisions Given by the Board Under Article 15 of the Law

25.000 TL

1.000.000 TL

(ç) Failure to Register with or Notify the Data Controller Registry

20.000 TL

1.000.000 TL

In addition to the administrative fines, Turkish Criminal Code numbered 5237 lists certain crimes with regards to unlawful acts directly related to personal data between Article 135 and 140. Please see the table below for the list crimes and the range of imprisonment sanctions tied to them:


Imprisonment Sanctions

Real Persons



Unlawful Recording of Personal Data (Art. 135)

1 year

3 years

Unlawful delivery or acquisition of personal data (Art. 136)

2 years

4 years

Failure to destroy personal data even though the legal retention period has expired (Art. 138)

1 year

2 years

Legal Persons

Security Precautions

Sweden Small Flag Sweden

According to article 83 in the GDPR, the maximum fine that can be applied for a breach is EUR 20 million, or 4 % of the company´s annual turnover of the previous financial year, whichever is higher.

Switzerland Small Flag Switzerland

Private persons are liable to a fine of up to CHF 10,000 for wilfully failing to provide information as regards safeguards in the case of cross-border data transfers or to notify data collections (or in so doing wilfully providing false information) or for wilfully providing the FDPIC with false information in the course of an investigation or for refusing to cooperate. On complaint, the wilful provision of false or incomplete information to data subjects who exercise their right of information or when collecting sensitive personal information of personality profiles, including the wilful failure to inform data subjects as required pursuant to the DPA, is sanctioned by a fine of up to CHF 10,000.

The preliminary draft of the revised DPA (see Question 7) imposes fines of up to CHF 250,000 for the breach of the obligations set forth above and further obligations set forth in the DPA. Further, wilful breach of professional secrecy shall be punishable by imprisonment of up to three years or monetary penalty. This new sanction will not be limited to the usual bearers of professional secrets but extend to any profession for which protection of confidentiality is essential.

China Small Flag China

According to Article 42 of the Cyber Security Law, network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects. Any network operators violating the Article 42 of the Cyber Security Law shall be fined no less than one time but no more than ten times of the illegal gains; where there is no illegal gain, the fine may be up to RMB 1,000,000.

Mexico Small Flag Mexico

Breach of data protection laws can result in significant fines that range from approximately US$435 to US$1.39 million. In the case of systematic violations to privacy laws, an additional fine for up to the aforementioned cap can be imposed on the infringer. Also, if sensitive personal data is used in violation of the privacy laws, applicable fines can increase to up to twice the aforementioned amounts.

It is also worth noting that improper use of personal data or breaching personal data databases is considered a criminal offense that may result in imprisonment for up to 3 or 5 years, or twice as many if the offense involves unlawful treatment of sensitive personal data.

Malaysia Small Flag Malaysia

The maximum fine that may be imposed under the PDPA is RM500,000.

France Small Flag France

Under the GDPR, the maximum amount that may be imposed by the CNIL amounts to 20 million euros or 4% of the data controller’s global turnover, whichever is greater. However, this only concerns certain types of breaches, such as non-compliance with the rights conferred on data subjects. The GDPR provides for graduated sanctions regarding other types of breaches.

Germany Small Flag Germany

In accordance with Art. 83 (4) GDPR the maximum fines for infringements of the provisions set out therein is 10,000,000 EUR or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For infringements of provisions set out in Art. 83 (5) GDPR a maximum fine of even 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, is foreseen.

For the telecommunications sector, the maximum fine ranges from 10,000 Euro to 500,000 Euro pursuant to section 149 (2) TKG.

Singapore Small Flag Singapore

The PDPC may impose financial penalties of up to S$1 million on an organisation that is in breach of the PDPA provisions.

Australia Small Flag Australia

Currently the maximum penalty that can be imposed by the Federal Court or Federal Circuit Court for serious or repeated interferences with privacy is $2.1 million. However, such a penalty can only be imposed where the Privacy Commissioner makes an application to the court. This is not a common occurrence, with the Privacy Commissioner more likely to follow a conciliatory approach and issue determinations and directions. Some of the typical remedies directed by the Privacy Commissioner include payment of compensation to individuals, issuing an apology to affected individuals, and undertaking a review of information handling procedures.

United States Small Flag United States

Typically, violations of data protection laws permit recovery of actual or statutory damages and attorneys' fees. Privacy violations under the FTC Act have a maximum fine of $16,000 per violation. Civil violations of HIPAA have a maximum fine of $1.5M. The maximum civil fine for GLBA violations is $1M.

Japan Small Flag Japan

Under the APPI, there is no administrative fine that can be applied for breach of the APPI, but criminal penalties may be imposed on business operators handling personal information under certain circumstances. The maximum criminal penalties are penal servitude of up to one year or a criminal fine of up to ¥500,000, which may be imposed if any current or former officer, employee or representative of a business operator handling personal information provides such information to a third party or steals such information from a personal information database established in connection with the business of such business operator with the purpose of providing unlawful benefits to himself or herself or third parties.

Poland Small Flag Poland

Under the GDPR, the maximum fine for breach of data protection laws differs depending on the type of infringement. The GDPR splits the fines into two groups:

  1. administrative fines up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be applied in cases of infringement of e.g. basic principles for processing, including conditions for consent, the data subjects’ rights under Art. 12 to 22 GDPR, or transfer of personal data to a recipient in a third country or an international organisation under Art. 44 to 49 GDPR;
  2. administrative fines up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be applied in cases of infringement of e.g. the obligations of the controller and the processor pursuant to Art. 8, 11, 25 to 39, 42, and 43 GDPR

The amount of the fine imposed by supervisory authorities depends on the many factors listed in Art. 83(2) GDPR, such as the nature, gravity, and duration of the infringement, intentional or negligent character of the infringement, actions taken by the controller or processor to mitigate the damage suffered by data subjects, etc.

The Data Protection Act limits the maximum amount of the fine that can be imposed on public finance sector entities, research institutes, and the National Bank of Poland to 10 000 PLN.

Updated: February 7, 2019