Back to Blog
LegalTech & IA

GDPR Fines: Who Pays When Data Processors and Controllers Share the Blame?

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 9, 2026
10 min read
GDPR Fines: Who Pays When Data Processors and Controllers Share the Blame?

Who Foots the Bill for a GDPR Violation?

Imagine you're at a restaurant with a friend, and you both order the same dish. If it's undercooked, who complains? The answer depends on who ordered it—and who's responsible for the kitchen. Under the GDPR, the same logic applies to data processing: controllers and processors share liability, but the fine doesn't always split evenly.

Featured Snippet Bait: Under the GDPR, both controllers and processors can be fined for violations, but the controller typically bears primary liability. However, if a processor acts outside the controller's instructions, it may face direct fines. The key is who determines the 'why' and 'how' of data processing.

Controller vs. Processor: The Classic Blame Game

The GDPR defines a controller as the entity that decides the purposes and means of processing personal data. The processor acts on the controller's behalf. Think of the controller as the CEO who says, 'We need to send marketing emails,' and the processor as the IT firm that actually sends them.

If the processor accidentally exposes email addresses, the controller is usually on the hook—because it chose the processor. But if the processor decides to use the data for its own purposes, it becomes a controller itself and faces separate liability.

When Processors Become Controllers (and Pay the Price)

In a 2023 case, a cloud provider stored client data but also used it to train its AI models without consent. The provider was deemed a controller for that processing and fined €10 million. The lesson: processors can't hide behind contracts if they go rogue.

Joint Controllers: Sharing the Pain

When two or more entities jointly determine the purposes and means of processing, they are joint controllers. They must allocate liability in a transparent arrangement, but the GDPR allows the supervisory authority to hold any joint controller liable for the entire fine. This means if one party can't pay, the other must cover the full amount.

For example, a hospital and a research institute jointly analyzing patient data for a study. If the data is leaked, both could be fined up to €20 million or 4% of annual turnover—whichever is higher.

Practical Tips to Avoid Being the One Who Pays

  • Draft clear contracts: Specify each party's responsibilities and liability caps. Use the GDPR's Article 28 as a template for processor agreements.
  • Conduct DPIAs: Data Protection Impact Assessments help identify who is doing what and flag potential liability issues early.
  • Monitor processors: Don't just sign and forget. Regular audits can prevent processors from overstepping.

FAQ

Can a processor be fined directly under the GDPR?

Yes, if the processor violates specific obligations (e.g., failing to implement security measures) or acts outside the controller's instructions. In such cases, the processor may face fines up to €10 million or 2% of annual turnover.

What happens if a joint controller can't pay the fine?

The other joint controller(s) may be held liable for the entire amount. The GDPR allows supervisory authorities to impose the full fine on any joint controller, regardless of internal agreements.

How can companies minimize liability when sharing data?

By clearly defining roles in a joint controller agreement, conducting DPIAs, and ensuring each party has adequate insurance. Also, limit data sharing to what is strictly necessary.

⚖️ Liability Distribution at a Glance

RoleTypical Fine ShareKey Risk
Controller70%Primary liability for unlawful processing
Processor30%Direct fines for acting outside instructions
Joint Controller50% each (but can be 100% for one)Joint and several liability
Controller
Processor
Joint Controller

* Percentages are illustrative based on common enforcement trends. Actual liability depends on specific facts.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.