What is the maximum penalty for non-compliance with this notification obligation?

According to Article.33 of the GDPR the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

What is the maximum penalty for non-compliance with this notification obligation?
A . 10.000.000 or 2% of the annual global turnover, whichever is higher
B . 20.000.000 or 4% of the annual global turnover, whichever is higher
C . Up to 500.000 with a minimum of 120.000
D . Up to 820.000 with a minimum of 350.000

View Answer

Answer: A

Explanation:

10.000.000 or 2% of the annual global turnover, whichever is higher. Correct. This is the maximum according to the GDPR for infringement of the personal data breach notification obligation. (Literature: A, Chapter 7; GDPR Article 33)

20.000.000 or 4% of the annual global turnover, whichever is higher. Incorrect. This fine is given for non-compliance or non-conformity to the basic principles for processing, including conditions for consent.

Up to 500.000 with a minimum of 120.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.

Up to 820.000 with a minimum of 350.000. Incorrect. This is an outdated number based on the Dutch Penal code. GDPR rules specify higher fines.