Penalties

Each entry below gives the country, the date the entry was last reviewed, and the national penalty provisions that supplement the GDPR.

Austria (last reviewed 05.06.2018)

Sec 30 ADPA governs the mechanism for imposing GDPR penalties: fines are primarily imposed directly on the responsible legal entity. In addition, the Austrian Data Protection Authority remains entitled to penalise the natural persons in charge (in particular managing directors or representatives appointed under administrative law, but not the Data Protection Officer). However, unless the special circumstances of the individual incident require otherwise, only the responsible legal entity is fined.

In addition, Sec 62 ADPA provides for an administrative penalty of up to EUR 50.000 for any breach of the ADPA that is not subject to the GDPR fines (i.e. breaches of Austria-specific provisions such as the CCTV requirements).

Further, Sec 63 ADPA contains a criminal offence and provides for imprisonment or a fine for any unlawful data processing carried out with the intention of gaining profit or of damaging another person (a personal offence based on individual responsibility).

Belgium (last reviewed 08.10.2018)

The BPA introduces different tiers of criminal penalties for violations of the BPA as well as of the GDPR itself, with a maximum penalty of EUR 30.000. Taking into account the mandatory multiplication of criminal fines, this equals a de facto maximum fine of EUR 240.000.

The BPA also clarifies that a controller, processor or its representative in Belgium, as the case may be, is in principle civilly liable for the payment of fines imposed on its contractor or agent.

Finally, the Act stipulates that the administrative fines of Article 83 GDPR cannot be imposed on public authorities, except where the public authority is a public-law legal entity offering goods or services on a market.

Czech Republic (last reviewed 13.09.2018)

Section 59 stipulates fines for the administrative offence of unlawful publication of personal data where the prohibition of disclosure is laid down by law (e.g. the Criminal Procedure Code). Fines may amount to CZK 1 million. A maximum fine of CZK 5 million applies if the administrative offence is carried out through print, film, radio, television, a publicly accessible computer network or other similarly effective means.

Sections 60 and 61 stipulate various administrative offences relating to data processing by public authorities and bodies. A fine of up to CZK 10 million (i.e. lower than under the GDPR) may be imposed.

No new criminal penalties are introduced (unauthorised use of personal data is already an offence under the current Criminal Code).

Denmark (last reviewed 06.09.2018)

Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines are imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases where the person accused of the violation pleads guilty and agrees to pay the fine.

Finland (last reviewed 13.11.2018)

For infringements of the GDPR and the Data Protection Act that are not subject to GDPR administrative fines, the Act refers to the Criminal Code.

The Criminal Code includes provisions on data protection offences, message interception, aggravated message interception, computer break-ins, aggravated computer break-ins, secrecy offences and secrecy violations.

In connection with the new Data Protection Act, the wording of the provision on the data protection offence (Chapter 38, Section 9 of the Criminal Code) is updated to cover infringements of the GDPR.

France (last reviewed 11.02.2019)

Articles 50-52. The FDPA reiterates the penalties provided for in Article 83 of the GDPR. These penalties do not apply to processing carried out by the State.

Criminal offences:
• Sanctions listed in Articles 226-16 to 226-24 and in Articles R. 625-10 to R. 625-13 of the French Criminal Code (e.g. collecting personal data by fraudulent, unfair or unlawful means, processing the national identification number in cases not provided for in the FDPA, failing to notify a data breach, etc.)
• Any action obstructing the CNIL's work

Germany (last reviewed 23.05.2018)

Yes. § 42 FDPA: imprisonment or a fine for (1) unlawful transfer or making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes; (2) unlawful processing of non-publicly accessible personal data if done for money or with the intent of enriching oneself or a third person or of damaging another person; (3) fraudulently obtaining non-publicly accessible personal data if done for money or with the intent of enriching oneself or a third person or of damaging another person (personal offences based on individual responsibility).

§ 43 FDPA: fines for failure to handle an information request appropriately, or to inform a consumer, or to do so fully, correctly and within the prescribed time limits.

Hungary (last reviewed 01.04.2019)

Covered by the amended InfoAct.

Ireland (last reviewed 28.07.2017)

Under the Act:

  • the maximum administrative fine for breach of the GDPR by public authorities and public bodies is €1,000,000 (rather than the generally applicable maximum of €20,000,000 or 4% of annual worldwide turnover) (section 141);
  • appeals of administrative fines imposed by the Data Protection Commission are subject to a time limit of 28 days from receipt of notice of the decision (section 142);
  • the Data Protection Commission is required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court (section 143).

Italy (last reviewed 25.10.2018)

Sections 167, 167 bis and 167 ter of the IDPA provide sanctions (including criminal sanctions) for whoever, with a view to obtaining a personal gain or a gain for a third party, or with the intent to cause harm to another, unlawfully processes, transfers, discloses, disseminates or fraudulently acquires personal data.

Furthermore, Section 168 of the IDPA provides sanctions (including criminal sanctions) for whoever communicates or attests false information, or intentionally tries to interrupt or disrupt an ongoing procedure or investigation of the Authority.

Section 170 IDPA provides sanctions (including criminal sanctions) for persons who do not comply with the measures adopted by the Authority under Article 58(2)(f) GDPR and Section 2-septies(1) IDPA, as well as the general measures referred to in Article 21(1) of the legislative decree implementing Article 13 of Law no. 163 of 25 October 2017.

Section 171 IDPA provides sanctions in the field of employment for employers breaching the guarantees on remote control and monitoring of employees (Articles 4 and 8 of the Italian Workers' Statute).

Lastly, it should be noted that Section 172 IDPA provides that a conviction for any of the above criminal offences entails publication of the relevant judgment.

Netherlands (last reviewed 17.09.2018)

n/a

Poland (last reviewed 16.05.2018)

The PDPA provides two criminal sanctions: (i) for unpermitted and unauthorised processing, and (ii) for jeopardising or impeding a PUODO inspection.

Slovakia (last reviewed 13.09.2018)

Slovak Criminal Act no. 300/2005 Coll. sanctions the unauthorised use of personal data. Any person who, without lawful authority, communicates, makes accessible or discloses (a) personal data of another obtained in connection with the execution of public administration or with the exercise of the constitutional rights of a citizen, or (b) personal data of another obtained in connection with the execution of his profession or employment, and thereby breaches a generally binding legal regulation, is liable to a term of imprisonment.

Spain (last reviewed 05.03.2019)

The SDPA only provides for administrative fines. It also provides a statute of limitations for data protection offences (1 to 3 years depending on the offence) and a statute of limitations for fines (also between 1 and 3 years).

Sweden (last reviewed 06.09.2018)

Under paragraph 6:2 of the Data Protection Act, public authorities may be subject to administrative fines. Administrative fines pursuant to Article 83 may also be imposed for infringement of Article 10 of the GDPR. The regulation with supplementary provisions includes further provisions on the enforcement of administrative fines (paragraphs 9-11).

UK (last reviewed 23.05.2018)

The Data Protection Act includes the following criminal offences:

(i) Knowingly or recklessly (a) obtaining or disclosing personal data without the consent of the controller; (b) procuring the disclosure of personal data to another person without the consent of the controller; (c) after obtaining personal data, retaining it without the consent of the person who was the controller in relation to the personal data when it was obtained; or (d) selling data obtained in circumstances in which an offence has been committed under (a)-(c) (s170);
(ii) Knowingly or recklessly re-identifying information that is de-identified personal data without the consent of the responsible controller (s171);
(iii) Altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing its disclosure pursuant to a subject access request (s173);
(iv) Destroying or falsifying documents, or permitting their destruction or falsification, with the intention of obstructing the Commissioner after an information or assessment notice has been given.

Director's liability: if an offence has been committed by an organisation and it is proved to have been committed with the consent, connivance or neglect of a director, manager, secretary or other officer, that person can also be guilty of the offence (s196).