Fines of up to 20 million euros or up to 4 percent of the total worldwide annual turnover of the previous financial year, whichever is greater, may be imposed. Many violations, such as the failure to appoint a Data Protection Officer, are considered gross negligence. Managing Directors may have unlimited liability with their private assets.
It took less than half a year for the first company to suffer the consequences of the GDPR: due to a security breach, the chat provider Knuddels from Karlsruhe had to pay a penalty of 20,000 euros. Now that the first penalties have been imposed, other companies no longer have the benefit of a grace period to become GDPR compliant. The supervisory authorities are now consistently searching for violations.