
What Factors Influence GDPR Financial Penalties?

Last updated: March 19, 2025

A number of factors affect the size of any GDPR financial penalty. To help you understand them, we have assessed each area in context.

Penalties for breaching the GDPR can reach up to €20 million or 4% of annual global turnover, whichever is higher. We examine each factor in relation to the now-infamous Facebook data breach.

1. Gravity, nature & duration of breach

The gravity, nature and duration of the infringement, the number of people affected and the level of damage they experience - it's hard to justify Facebook's actions here:

  • Facebook was warned about the breach in 2015 but did not warn users or carry out an audit to confirm that personal data had been deleted
  • 50 million Facebook users were affected
  • Damage - embarrassment, loss of trust, voter manipulation even?

2. Personal data categories affected

Categories of personal data affected - if the allegations are proven, special category (sensitive) data - i.e. voting preferences - might also have been misused.

3. Negligent or intentional infringement

Whether the infringement is negligent or intentional - hard to say, but Facebook certainly failed to have proper control over third parties or chose to ignore what they were doing.

4. Actions taken to mitigate the damage

The action taken by the controller to mitigate the damage - Facebook was slow to react back in 2015 and simply allowed firms to self-certify that personal data had been erased without auditing them properly.

5. Degree of responsibility of data controller/processor

The degree of responsibility of the controller or processor - Mark Zuckerberg has faced a barrage of criticism over his silence, with the academic claiming he has been made a scapegoat.

6. Previous data breach infringements

Any relevant previous infringements - well, that's tricky, as Facebook already has form for its cavalier attitude to user data, as evidenced by its WhatsApp data sharing and the €1.2 million fine imposed by the Spanish data authorities.

7. Cooperation with supervisory authorities

The degree of cooperation with the supervisory authority - admittedly, Facebook "ceded to the ICO to allow its investigation" but only after it had already visited Cambridge Analytica's premises when the scandal broke.

8. Aggravating or mitigating factors

Aggravating or mitigating factors (e.g. financial benefits gained from the infringement) - anyone care to look at Facebook's ad revenues for the period? Did it also benefit from Kogan's sale of data to Cambridge Analytica?

Conclusion

Interestingly, Mark Zuckerberg has since claimed that his 'idealistic vision of data portability' may have stopped him focusing earlier on privacy matters. In an era where portability is fast gaining traction, perhaps the Facebook scandal was only the beginning? Exactly what are we prepared to trade and with whom?
