GDPR Tier 1 Fines: Article 83(4) Violations Explained
Last updated: 2026-04-05 — ComplianceStack Editorial Team
The GDPR's two-tier penalty system distinguishes between violations of technical and organizational obligations (Tier 1) and violations of core processing principles, data subject rights and transfer rules (Tier 2). Tier 1 violations under Article 83(4) carry fines of up to €10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. For a company with €5B in global revenue, 2% is €100M, so the turnover-based figure is the cap; for an undertaking with turnover below €500M the fixed €10M figure is the higher of the two and governs. Understanding which obligations fall under Tier 1 is essential for calculating your maximum exposure.
Penalty Tier Breakdown
Tier 1 — Maximum Fine
Up to €10,000,000 or 2% global annual turnover (higher of the two)
Article 83(4) applies this fine level to violations of: controller and processor obligations under Articles 8, 11, 25–39, 42 and 43; certification body obligations under Articles 42 and 43; and monitoring body obligations under Article 41(4). Key covered provisions include data protection by design and by default, Data Protection Impact Assessments (DPIAs), Data Protection Officer (DPO) requirements, security of processing (Article 32), and breach notification to supervisory authorities and affected individuals.
Privacy by Design / Default (Article 25)
Up to €10M or 2% turnover
Controllers must implement data protection by design and by default, both at the time the means of processing are determined and at the time of the processing itself. Article 25(1) names pseudonymisation and data minimisation as examples of appropriate measures; Article 25(2) requires that, by default, only personal data necessary for each specific purpose are processed, in terms of the amount collected, the extent of processing, the storage period and accessibility, and that personal data are not made accessible to an indefinite number of persons without the individual's intervention. Failures include collecting more data than the purpose requires, not pseudonymising where feasible, or shipping defaults that are the least privacy-protective option.
Data Protection Impact Assessment — DPIA (Article 35)
Up to €10M or 2% turnover
A DPIA is mandatory before processing that is 'likely to result in a high risk' to the rights and freedoms of individuals, in particular where new technologies are used. Article 35(3) lists three cases where it is always required: systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or criminal-conviction data; and systematic monitoring of publicly accessible areas on a large scale. Supervisory authorities publish further lists of processing operations requiring a DPIA under Article 35(4). Starting high-risk processing without a DPIA, or without the prior consultation required by Article 36 where the DPIA shows that residual risk remains high, triggers Article 83(4) liability.
Data Protection Officer — DPO (Articles 37–39)
Up to €10M or 2% turnover
Article 37(1) requires a DPO where the controller or processor is a public authority or body, where its core activities require regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of data or criminal-conviction data. Violations include failing to designate a required DPO, failing to involve the DPO properly and in a timely manner in all data protection matters (Article 38(1)), under-resourcing the DPO (Article 38(2)), and assigning the DPO other tasks that create a conflict of interest (Article 38(6)).
Breach Notification to Supervisory Authority (Article 33)
Up to €10M or 2% turnover
Controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A notification made after 72 hours must be accompanied by reasons for the delay (Article 33(1)), and processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). Failing to notify at all, or notifying late without justification, is a Tier 1 violation, as is failing to document breaches under Article 33(5) or to communicate a high-risk breach to affected individuals under Article 34.
How Penalties Are Calculated
Supervisory authorities apply the Article 83(2) factors: (a) the nature, gravity and duration of the infringement, taking into account its nature, scope and purpose, the number of data subjects affected and the level of damage; (b) whether it was intentional or negligent; (c) action taken to mitigate the damage suffered by data subjects; (d) the degree of responsibility, given the technical and organizational measures implemented under Articles 25 and 32; (e) relevant previous infringements; (f) the degree of cooperation with the supervisory authority; (g) the categories of personal data affected, with special-category data weighing against the controller; (h) how the infringement became known, in particular whether the controller or processor notified it; (i) compliance with measures previously ordered; (j) adherence to approved codes of conduct or certification mechanisms; and (k) any other aggravating or mitigating factor, such as financial benefits gained from the infringement. The 2% / €10M cap is a ceiling, not a tariff: actual fines are calibrated to be 'effective, proportionate and dissuasive' (Article 83(1)). Group companies: the 'undertaking' whose turnover sets the cap is the entire economic unit, so the corporate group's global revenue counts, not just that of the legal entity fined (confirmed by the CJEU in Case C-807/21, Deutsche Wohnen, judgment of 5 December 2023).
Frequently Asked Questions
How does the 2% turnover calculation work for a multi-entity corporate group?
The GDPR uses 'undertaking' in the competition-law sense of Articles 101 and 102 TFEU: the economic unit engaged in economic activity, regardless of how many legal entities it comprises. The CJEU confirmed this in Case C-807/21 (Deutsche Wohnen, judgment of 5 December 2023): the 2% and 4% ceilings in Article 83(4)–(6) are calculated on the total worldwide annual turnover of the undertaking, not of the individual legal entity fined, and the supervisory authority also takes that turnover into account when setting the actual amount. In practice, where a parent exercises decisive influence over a subsidiary so that the two form a single economic unit, the group's consolidated global revenue is the basis for the 2% calculation. The same judgment held that a fine may be imposed on a controller only for an infringement committed intentionally or negligently, but that the authority need not attribute the infringement to an identified natural person within the organization.
What's the difference between GDPR Tier 1 (Article 83(4)) and Tier 2 (Article 83(5)) violations?
Tier 1 (Article 83(4)) covers violations of the technical and organizational obligations on controllers, processors, certification bodies and monitoring bodies: DPIAs, data protection by design, DPO requirements, security of processing, breach notification and the other duties in Articles 8, 11, 25–39, 42 and 43. The maximum is €10M or 2% of turnover, whichever is higher. Tier 2 (Article 83(5)) covers violations of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9), data subjects' rights (Articles 12–22), international transfer rules (Articles 44–49), obligations adopted under Member State law under Chapter IX, and non-compliance with an order or processing limitation issued by a supervisory authority under Article 58(2). The maximum is €20M or 4% of turnover, whichever is higher. Investigations often charge both tiers at once; under Article 83(3), where several provisions are infringed through the same or linked processing operations, the total fine may not exceed the amount specified for the gravest infringement, so the Tier 2 cap bounds the combined total.
Can GDPR fines be reduced for cooperation or self-reporting?
Yes, significantly, and several Article 83(2) factors support it. Article 83(2)(f) lists 'the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement'; Article 83(2)(c) counts action taken to mitigate the damage to data subjects; and Article 83(2)(h) weighs how the infringement became known, in particular whether the controller or processor notified it itself. DPAs across the EU have reduced fines by 30–60% for entities that: (1) proactively self-reported the violation; (2) immediately implemented corrective measures; (3) cooperated fully with the investigation without litigation delays; (4) maintained strong prior compliance records. Conversely, non-cooperation, legal challenges to DPA jurisdiction, and obstructing investigations have resulted in higher fines. Sweden's DPA in 2023 publicly stated that a company's refusal to answer questions during an investigation increased the fine by approximately 25%.