Sanctions and Damages
New Sanctions
The extent of administrative sanctions (up to 4% of the total annual turnover, Article 83) suggests revising the data protection risk assessment approach, updating it and adjusting how risks are determined.
Sanction for Sensitive Data Breaches
Infringement related to the processing of sensitive data (Article 9) is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).
Sanction for Omitted Prior Consultation
Violation of the prior consultation obligation is sanctioned with administrative fines of «up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.4).
Sanction for Omitted DPIA
Violation of the obligation for the Controller to carry out the data protection impact assessment (DPIA) is sanctioned with administrative fines of «up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.4).
Sanction for Consent Violations
Violation of the obligations regarding consent and its requirements as a prerequisite of lawfulness (Articles 6, 7 and 9) is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).
Sanction for Rights Violations
Violation of any of the rights of data subjects is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).