AEPD Fines: How GDPR Infringements Are Graded

·

When a company receives a notification of the opening of proceedings by the Agencia Española de Protección de Datos (AEPD) — Spain's Data Protection Authority — the first question is: how much could this cost? The answer is not straightforward: Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) create a tiered system in which the fine amount is never automatic — it is the result of weighing multiple criteria. Understanding how that system works is the first step to managing it diligently.

This article explains the legal framework for AEPD sanctions, the two fine tiers in Article 83 of the GDPR, the LOPDGDD's own typology of infringements, and the factors that can aggravate or mitigate the final amount. Specific resolution figures are not cited because every case is unique; what is described here is the regulatory framework that applies as a general matter.

Article 83 of the GDPR: Two Tiers, Two Ceilings

Article 83 of the GDPR is the cornerstone of the European data-protection penalty regime. It requires that fines be effective, proportionate and dissuasive (art. 83.1) and sets two fine tiers based on the gravity of the infringement.

The first tier (Article 83.4 of the GDPR) covers infringements of obligations applicable to controllers and processors relating to technical and organisational measures, processor conditions, records of processing activities, cooperation with the supervisory authority, security of processing, notification of security breaches, impact assessments and the designation of the data protection officer. The maximum fine in this tier is €10,000,000 or 2 % of total worldwide annual turnover of the preceding financial year, whichever is higher.

The second tier (Article 83.5 of the GDPR) reserves the highest fines for the most serious infringements: violation of the basic principles of processing (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality), violation of the conditions for consent, violation of data subjects' rights, non-compliance with rules on international data transfers, and non-compliance with orders issued by the supervisory authority. The ceiling in this tier rises to €20,000,000 or 4 % of total worldwide annual turnover, whichever is higher. Article 83.6 also applies this second tier to non-compliance with a supervisory-authority order issued pursuant to Article 58.2.

Comparison of the two penalty tiers under Article 83 of the GDPR
Tier Typical infringements Maximum fine
Article 83.4 GDPR Security measures, records of processing activities, breach notification, DPO, impact assessments, processor obligations €10,000,000 or 2 % worldwide turnover (whichever is higher)
Article 83.5 GDPR Basic principles, consent, data subjects' rights, international transfers, non-compliance with supervisory-authority orders €20,000,000 or 4 % worldwide turnover (whichever is higher)

It is important to stress that these amounts are maximum ceilings, not automatic fines. The specific amount within each tier depends on the grading criteria analysed below.

The LOPDGDD: A Three-Category Typology of Infringements

The LOPDGDD complements the GDPR framework with its own typology of infringements organised into three levels, following the tradition of Spanish administrative sanctioning law. This classification does not replace Article 83 of the GDPR; it supplements it for infringements whose legal basis lies specifically in the organic law.

Article 72 of the LOPDGDD lists very serious infringements, including, by way of non-exhaustive example: processing data in breach of the principles set out in Article 5 of the GDPR, processing without a valid legal basis where the data belong to special categories (art. 9 GDPR), breach of the duty of confidentiality, failure to comply with the obligations imposed on processors to the detriment of data subjects' rights, or international transfers of data to countries without an adequate level of protection without the required safeguards. The limitation period for these infringements is three years.

Article 73 of the LOPDGDD covers serious infringements, which include failing to fulfil, or fulfilling inadequately, data subjects' rights of access, rectification, erasure, portability and objection; failure to appoint a representative where required; absence of a record of processing activities; or failure to notify the AEPD of security breaches. These become time-barred after two years.

Article 74 of the LOPDGDD classifies minor infringements, which include formal or less significant breaches: failing to fulfil data subjects' requests within the time limits in situations not classified as serious, failing to publish the data protection officer's contact details, or failing to notify the AEPD of the appointment or removal of the DPO. These become time-barred after one year.

Article 76 of the LOPDGDD (Sanctions and corrective measures) sets no amounts of its own in euros and is not limited to subjects outside Article 83 of the GDPR; it applies the amounts in Article 83(4), (5) and (6) of the GDPR and adds supplementary grading criteria to those in Article 83(2), such as the continued nature of the infringement, the link between the organisation's activity and the processing of personal data, or the benefit obtained (art. 76.2). The special regime for public authorities — a formal warning without a financial penalty — is Article 77, addressed in the following section.

The Eleven Grading Criteria in Article 83.2 of the GDPR

Within each tier, the AEPD does not set the fine at its discretion: it is bound by the grading criteria in Article 83.2 of the GDPR. These eleven criteria determine in practice whether the fine will be closer to the minimum or the maximum within the tier.

  1. Nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing, the number of data subjects affected and the level of damage suffered by them.
  2. Intentional or negligent character of the infringement.
  3. Measures taken to mitigate the damage suffered by data subjects.
  4. Degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented.
  5. Relevant previous infringements by the controller or processor.
  6. Degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible negative effects.
  7. Categories of personal data affected by the infringement (special-category data under art. 9 and data relating to criminal convictions under art. 10 increase the severity assessment).
  8. Manner in which the supervisory authority became aware of the infringement, in particular whether the controller notified it and to what extent.
  9. Prior compliance with measures referred to in Article 58.2 of the GDPR, where such measures had previously been imposed on the controller or processor concerned.
  10. Adherence to approved codes of conduct pursuant to Article 40 of the GDPR, or to approved certification mechanisms pursuant to Article 42.
  11. Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The weighing of these criteria turns every sanctioning process into an individualised analysis. Two organisations that commit the same infringement may receive very different fines depending on their size, compliance history, attitude during the proceedings and the measures they have taken to minimise the impact on the individuals concerned.

If your organisation is assessing its level of exposure or wants to reduce it proactively, at Summum Consultoría we guide organisations through GDPR compliance with a practical, sector-tailored approach, with offices in Castilla y León and the Canary Islands.

Mitigating Factors: How Fines Can Be Reduced

Although Article 83.2 of the GDPR lists aggravating and mitigating factors together, in practice some of them consistently operate in the infringer's favour when the party concerned acts diligently.

The most relevant mitigating factors are:

At the opposite end, aggravating factors include financial benefit obtained through the infringement, involvement of sensitive data (health, ideology, racial origin, biometric data), a high number of affected data subjects, recidivism, or non-compliance with prior orders issued by the authority.

Fines for Public Authorities

The sanctioning regime differs when the data controller is a public authority. Article 77 of the LOPDGDD provides that, in such cases, the AEPD does not impose financial penalties but instead issues a formal warning (apercibimiento), which is published in the Official State Gazette (BOE) and may include an order to adopt specific measures. The disciplinary liability of the individual staff members responsible may additionally be pursued through the channels provided for in public employment legislation.

This distinction does not mean that public entities escape real accountability: a public warning and the obligation to correct the non-compliance under AEPD supervision are significant consequences, particularly for organisations that handle large volumes of citizens' data.

The Sanctioning Procedure: From Preliminary Inquiries to Resolution

Understanding the sanctioning process helps identify the key moments at which the conduct of the investigated party can influence the outcome. The AEPD may open proceedings on its own initiative (ex officio, on the basis of public information or information from third parties) or following a complaint lodged by a data subject.

The typical procedure includes the following stages:

  1. Preliminary inquiries or investigative actions: the AEPD gathers information to determine whether there are indications of an infringement. At this stage it may request documentation from the party under investigation, who is obliged to cooperate.
  2. Decision to open sanctioning proceedings: if the indications are sufficient, the investigated party is notified of the opening of the file, including a description of the alleged facts and the provisional legal classification.
  3. Hearing and submissions: the investigated party may submit arguments, provide evidence and propose corrective measures. This is the most critical stage for exercising mitigating factors.
  4. Proposed resolution: the investigating officer issues a proposal containing the definitive classification and the proposed sanction.
  5. Resolution: the AEPD issues a resolution containing the final sanction, which may be challenged before the Audiencia Nacional (National High Court).

Infringements become time-barred according to their gravity — three years for very serious, two years for serious and one year for minor — under Articles 72 to 74 of the LOPDGDD; Article 78 governs the limitation period for sanctions based on their amount.

Having specialised advice from the very first inquiries makes the difference between a reactive response and a solid defence strategy. At Summum Consultoría we support organisations in Castilla y León and the Canary Islands both in prevention and in responding to AEPD proceedings.

Frequently Asked Questions

Can the AEPD impose corrective measures in addition to a fine?

Yes. Article 58.2 of the GDPR grants the AEPD a broad range of corrective powers that go beyond a monetary fine: warnings and reprimands, orders to comply with data subjects' requests, temporary or permanent restrictions on processing (including an outright ban), orders to rectify or erase data, suspension of cross-border data flows, and withdrawal of certifications. The fine may be the primary measure or may be combined with any of these. In some cases the AEPD opts to impose only corrective measures without a financial penalty, where the infringement is of low gravity or the infringer has acted with particular diligence.

How does company size affect the fine?

Company size has two effects. First, the ceiling on fines is calculated on total worldwide annual turnover, meaning that in absolute terms a large company may receive a much higher fine than an SME for the same infringement. Second, the grading criteria assess the degree of responsibility taking into account the technical and organisational measures implemented: a large company with greater resources is expected to have more robust controls in place, and its non-compliance may be assessed more negatively than that of a micro-enterprise with limited means. In any event, no company is exempt from compliance.

What happens if the same conduct infringes several provisions of the GDPR?

Article 83.3 of the GDPR provides that where a controller or processor infringes several provisions of the Regulation through the same or linked processing operations, the total fine may not exceed the amount applicable to the most serious infringement. This prevents the unlimited accumulation of fines for the same facts, although it does not preclude the concurrence of several infringements from being taken into account as an aggravating factor in the overall gravity assessment.

Does having a DPO reduce fines?

Having a properly designated data protection officer (DPO) with real functions does not automatically eliminate sanctioning liability, but it contributes positively in several ways: it facilitates the early detection of non-compliance, allows corrective measures to be adopted before the AEPD acts, and demonstrates to the authority that the organisation has taken its data-protection obligations seriously. Within the framework of the criteria in Article 83.2 of the GDPR, these elements may operate as mitigating factors. That said, a DPO who exists only on paper without real functions not only fails to mitigate liability but could aggravate the situation if the AEPD finds that the role is purely formal.