Is breaching GDPR a criminal offence?

Asked by: Kristin Will  |  Last update: June 1, 2026

Breaching GDPR isn't inherently a criminal offense under the regulation itself, but national laws (like the UK's DPA 2018) can introduce criminal penalties for specific serious violations, such as unlawfully obtaining or disclosing data, which can lead to prosecution, fines, or imprisonment. Large administrative fines (up to 4% of global revenue or €20m) remain the primary deterrent for organizations. While regulatory bodies focus on massive fines, specific actions like an employee intentionally misusing data can lead to criminal charges under national laws.

What happens if you violate GDPR?

Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here is that the term “undertaking” is equivalent to that used in Art.

What happens if you breach GDPR rules?

Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

Is breaking GDPR gross misconduct?

Repeated breaches, or a significant breach capable of constituting gross misconduct, could lead to the employee's dismissal following a fair disciplinary process as required.

Can you be fired for a GDPR breach?

Your employer is allowed to dismiss people, but if they do it unfairly you can challenge your dismissal. To find out if your dismissal is unfair, you'll need to check: that you were an employee - you can only challenge an unfair dismissal if you were an employee.

Is data breach a crime?

Hackers and cybercriminals can face criminal charges like computer fraud, identity theft, and wrongful disclosure, which may lead to jail sentences. Depending on the nature of the crime and the jurisdiction, the hacking itself may be classified as a misdemeanor (less serious) or a felony (more serious).

What are some famous GDPR breach examples?

  • Meta's 1.2 billion euro fine: The cross-border data transfer debacle.
  • Google's violation of GDPR's right to be forgotten.
  • Twitter's failure to notify the breach.
  • Cathay Pacific: A wake-up call for the industry.
  • TIM S.P.A – failure to uphold data subjects' rights.

What is a serious breach of GDPR?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Can GDPR be enforced in the US?

GDPR enforcement in the US comes from EU Data Protection Authorities (DPAs), rather than US regulators. This might seem counterintuitive, but it's how the regulation is designed to work across borders. EU Data Protection Authorities have full jurisdiction over US companies that process EU personal data.

What is the punishment for data breach?

Section 72A — Breach of lawful contract: disclosing personal data obtained under a contract without consent; penalties up to ₹25 lakh (typical risk vector: vendors/processors). Sections 43(b) & 66 — Unauthorized downloading/copying/extraction of data: imprisonment up to 3 years, fines up to ₹5 lakh, or both.

Is it illegal to not report a data breach?

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.

Does GDPR have criminal penalties?

The GDPR is primarily a civil law, imposing administrative fines and sanctions for non-compliance. However, the GDPR does allow Member States to impose criminal penalties for certain violations of the regulation.

Has anyone been fined under GDPR?

The UK DPA has imposed a fine of £1,228,283 (EUR 1,400,000) on LastPass UK Ltd. The controller suffered a successful cyber attack due to insufficient technical and organisational measures to ensure data security. The Romanian DPA has imposed a fine of EUR 15,000 on Crowd Entertainment Limited.

What are the consequences of breach of GDPR?

Under GDPR, the most severe infractions can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. For lesser violations, penalties may reach €10 million or 2% of annual turnover.

How do you prove a GDPR breach?

Potential Evidence That Could Help You Make A Data Protection Breach Claim

  1. Correspondence from the organisation relating to the data breach incident.
  2. Medical reports or records that illustrate how the breach has affected your mental health.
  3. Bills, receipts and invoices that prove financial losses were caused by the breach.

Who is liable for GDPR breaches?

Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the controller or the processor. Under the Data Protection Directive, liability for compensation is limited to controllers only.

What are 10 examples of sensitive personal information?

Definition of Sensitive Personal Information

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data.
  • Health data.
  • Sexual orientation or sex life.

Can you be prosecuted for a data breach?

As breaching section 170(1) is a criminal offence, your employer or the individuals whose data have been breached may report you to the police. This could lead to you being charged and prosecuted.

Is a breach a criminal offence?

A breach is not necessarily an independent offence, but rather is simply a claim to reconsider the terms of the conditional sentence under s. 742.6. A breach hearing must commence within 30 days of the allegation.

Is it worth suing over a data breach?

The value of a data breach claim depends on the harm you suffered. Courts and insurance companies look at both economic and non-economic damages. Common categories include: Fraud-related financial harm: fraudulent charges, unauthorized bank withdrawals, or costs of credit monitoring services.

Am I entitled to compensation for a GDPR breach?

The Court noted that Article 82 (1) of the GDPR provides that a person who has suffered material or non-material damage as a result of an infringement of the regulation shall have the right to receive compensation for the damage suffered.

What is the average payout for a data breach?

The sort of breach that occurred, the high-risk status of the information, and whether you suffered any hardship as a result will all affect how much compensation you might be entitled to from a data breach claim. The average compensation claim amount awarded for a GDPR data breach is between £1,000 and £42,000.