GDPR Article 83 – Part 2: Cumulative Violations and Lower-Tier Fine Structure

You can access the official legal text of GDPR Article 83 via the European Union’s legal database at eur-lex.europa.eu

Article 83(3)

This clause addresses cumulative violations arising from the same or linked processing operations. If an organization infringes several GDPR provisions in one processing activity (e.g., failing to obtain consent and failing to notify a breach), the total fine imposed must not exceed the maximum allowed for the most serious of those infringements.

Practical Example:

If a company breaches:

  • Article 6 (lawful basis — high-tier, max €20M or 4% turnover), and
  • Article 30 (record-keeping — low-tier, max €10M or 2% turnover),

Then the maximum fine must be capped at the higher threshold—€20M or 4% turnover—not the sum of both. This clause prevents stacking fines beyond what GDPR allows for the gravest breach.

Article 83(4)

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher…”

This means:

  • Fines for these violations are capped at €10 million, or
  • 2% of global annual turnover for companies (whichever is higher)

These fines are imposed in accordance with the criteria in Article 83(2)—which means authorities must consider factors like severity, intent, cooperation, etc.

What types of violations fall under Article 83(4)?

a. Obligations of Controllers and Processors pursuant to Articles 8, 11, 25 to 39 and 42 and 43

Lower-Tier Violations

Maximum fine: €10 million or 2% of global annual turnover. These articles cover technical and procedural responsibilities and apply to breaches of:

Article | Topic
8 | Child’s consent for online services
11 | Processing without requiring identification
25–39 | Core obligations like data protection by design (Art. 25), security (Art. 32), breach notification (Art. 33), DPIAs (Art. 35), and record-keeping (Art. 30)
42–43 | Certification mechanisms and requirements for certification bodies

These are technical or procedural failures that do not necessarily involve direct harm to individuals: they are breaches of compliance duties, i.e. failures to implement GDPR safeguards, rather than violations of fundamental rights in themselves.

b. Obligations of Certification Bodies pursuant to Articles 42 and 43

These bodies are responsible for:

  • Issuing GDPR certifications
  • Ensuring impartiality and competence
  • Maintaining transparency and accountability

Violations here could include:

  • Certifying organizations without proper review
  • Failing to revoke certifications when required

c. Obligations of Monitoring Bodies pursuant to Article 41(4)

Monitoring bodies oversee compliance with approved codes of conduct. Article 41(4) requires them to:

  • Be independent
  • Have expertise in data protection
  • Operate transparently and fairly

Violations might involve:

  • Conflict of interest
  • Failure to investigate breaches of the code
  • Lack of oversight or reporting

Why These Are “Lower-Tier” Violations

These provisions relate to implementation and oversight rather than direct violations of data subjects’ rights. That’s why the maximum fine is lower than for breaches of core principles (which fall under Article 83(5)). However, they’re still serious—especially if poor implementation leads to broader risks or repeated non-compliance.

Practical Implications

  • Companies must ensure robust internal compliance frameworks—especially around security, breach response, and documentation.
  • Certification and monitoring bodies must maintain high standards of independence and transparency.
  • Supervisory authorities will assess these violations using the ten criteria in Article 83(2) before deciding on the fine amount.

Article 83(5) GDPR — High-Tier Violations

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:”

This paragraph sets the upper limit for fines:

  • €20 million, or
  • 4% of global annual turnover (whichever is higher)

These fines apply to serious violations—those that directly affect individuals’ rights or undermine the core principles of data protection.

a. Basic Principles for Processing pursuant to Articles 5, 6, 7 and 9. These articles form the foundation of lawful data processing:

Article | Topic
5 | Principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, accountability
6 | Lawful bases for processing (e.g., consent, contract, legal obligation)
7 | Conditions for valid consent (freely given, informed, specific, revocable)
9 | Special category data (e.g., health, biometric, racial origin) — stricter rules

Violating these principles means the processing itself is fundamentally unlawful.

b. Data Subject Rights pursuant to Articles 12 to 22. These articles guarantee individuals rights over their personal data:

Article Range | Rights Included
12–14 | Right to transparent information
15 | Right of access
16 | Right to rectification
17 | Right to erasure (“right to be forgotten”)
18 | Right to restriction of processing
19 | Notification obligation
20 | Right to data portability
21 | Right to object
22 | Rights related to automated decision-making

Failure to honor these rights is a direct violation of individual freedoms.

c. Transfers to Third Countries or International Organizations pursuant to Articles 44 to 49. These provisions regulate cross-border data transfers:

Article Range | Key Concepts
44–49 | Adequacy decisions, standard contractual clauses, binding corporate rules, derogations for specific situations

Violations here can expose data to jurisdictions without adequate protection, which is a major risk under GDPR.

d. Obligations Under Member State Law (Chapter IX) – “any obligations pursuant to Member State law adopted under Chapter IX”. Chapter IX allows Member States to add specific rules for:

  • Employment data
  • Health data
  • Archiving, research, and statistics
  • Freedom of expression and information

Violating these national-level extensions of GDPR also falls under this high-tier category.

e. Non-Compliance with Supervisory Authority Orders pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). This includes:

  • Ignoring orders to stop processing, delete data, or notify data subjects
  • Refusing to cooperate with investigations
  • Denying access to records or systems

This is a direct challenge to regulatory authority and is treated as a serious offense.

Summary

Violation Type | Articles Involved | Main Focus
Core principles | 5, 6, 7, 9 | Undermines lawful processing foundation
Data subject rights | 12–22 | Violates individual freedoms
Cross-border transfers | 44–49 | Risks exposure to inadequate protection
Member State obligations | Chapter IX | Breach of national-level rules
Authority non-compliance | 58(1), 58(2) | Obstructs enforcement and oversight