How GDPR Enforcement Really Works
A regulator can fine a company up to 20 million euros. An individual can sue for the distress a breach caused. A consumer group can bring a single claim on behalf of thousands. GDPR enforcement runs on all three tracks at once, and the CIPP/E exam tests whether you can tell them apart. The Body of Knowledge, the official blueprint of every topic the exam can draw on, treats the consequences of a breach as their own subject: the fines, the lawsuits and the collective claims. Candidates who revise only the fine cap miss most of the picture.
The two fine tiers
The headline tool of GDPR enforcement is the administrative fine, and Article 83 sets two ceilings. The lower tier reaches 10 million euros, or 2% of total worldwide annual turnover, whichever is higher. It covers the more procedural duties: records of processing, security obligations, breach notification and the work of certification and monitoring bodies.
The higher tier reaches 20 million euros, or 4% of worldwide turnover, whichever is higher. It covers the serious breaches: the basic principles, the lawful bases, the conditions for consent, data subject rights and unlawful international transfers. Ignoring a supervisory authority's order sits in this tier too.
Two details earn marks. The cap is the greater of the fixed sum and the percentage, not a choice in the company's favour, and the percentage runs on group worldwide turnover for an undertaking, not the turnover of one subsidiary. So for a large group the percentage, not the fixed figure, is the real ceiling.
What moves a fine within the tier
A tier is a maximum, not a tariff. Article 83(2) gives the supervisory authority the factors that set the actual figure, and the exam likes them. The nature, gravity and duration of the breach come first, then whether it was intentional or merely negligent. Steps taken to mitigate damage count in the company's favour, as does the security and design work already in place.
Cooperation pulls the figure down; a previous infringement pushes it up. Self-reporting to the regulator, rather than being found out, is treated as a mitigating factor. The EDPB's guidelines on calculating fines set out how authorities should keep this part of enforcement consistent across the EU. The lesson for a scenario is simple: the same breach can attract very different fines depending on conduct before and after it.
When GDPR enforcement turns private
Enforcement is not only a matter for regulators. Article 82 gives any person who suffers damage from an infringement a right to compensation from the controller or processor. This is a private claim, separate from any fine, and a company can face both for the same breach: a regulator's penalty and a claimant's damages.
A controller escapes liability only by proving it was in no way responsible for the event that caused the damage. That is a high bar, and the burden sits with the controller, not the claimant.
Material and non-material damage
The right covers both kinds of harm. Material damage is financial: fraud loss, a missed opportunity, money out of pocket. Non-material damage is the harder one to grasp; it covers distress, anxiety and loss of control over personal data, with no financial loss at all.
The Court of Justice has narrowed this. In Österreichische Post it held that a mere infringement does not by itself create a right to compensation; the claimant must show actual damage. There is, though, no minimum threshold of seriousness, so even modest distress can qualify once it is proven. Candidates often assume a breach automatically pays out. It does not.
Collective redress
The third enforcement track is the class action, and it scales the risk. Article 80 lets a data subject mandate a not-for-profit body to lodge complaints and exercise rights on their behalf, and Member States may allow such bodies to claim compensation. The Representative Actions Directive goes further, building an EU-wide route for qualified entities to bring collective redress for consumers.
The exam point is exposure. One weak privacy notice, multiplied across a customer base, becomes a single large claim rather than many small ones. The conduct that draws a fine often opens the door to collective compensation as well.
Why GDPR enforcement trips candidates
The recurring error is treating the three enforcement tracks as one. A fine, a compensation claim and a class action are separate consequences with separate tests, and a scenario will hand you facts that point to one or more of them. Read which enforcement track the stem is actually testing before you reach for the fine cap.
Two facts are worth memorising cold: the 10-or-2 and 20-or-4 split, and the "whichever is higher" rule that makes turnover the live number for a large group. Get those right and the procedural breaches sort themselves into the right tier. Our breakdown of breach notification shows how a single incident can trigger more than one of these tracks at once.
Treat enforcement as three doors, not one. I have put together a free CIPP/E enforcement reference card on exactly this; you can find it in the 22Academy study shop at 22academy.com/study.