GDPR Fines: Who Pays When Data Processors and Controllers Share the Blame?
Table of Contents
Who Foots the Bill for a GDPR Violation?
Imagine you're at a restaurant with a friend, and you both order the same dish. If it's undercooked, who complains? The answer depends on who ordered it—and who's responsible for the kitchen. Under the GDPR, the same logic applies to data processing: controllers and processors share liability, but the fine doesn't always split evenly.
Featured Snippet Bait: Under the GDPR, both controllers and processors can be fined for violations, but the controller typically bears primary liability. However, if a processor acts outside the controller's instructions, it may face direct fines. The key is who determines the 'why' and 'how' of data processing.
Controller vs. Processor: The Classic Blame Game
The GDPR defines a controller as the entity that decides the purposes and means of processing personal data. The processor acts on the controller's behalf. Think of the controller as the CEO who says, 'We need to send marketing emails,' and the processor as the IT firm that actually sends them.
If the processor accidentally exposes email addresses, the controller is usually on the hook—because it chose the processor. But if the processor decides to use the data for its own purposes, it becomes a controller itself and faces separate liability.
When Processors Become Controllers (and Pay the Price)
In a 2023 case, a cloud provider stored client data but also used it to train its AI models without consent. The provider was deemed a controller for that processing and fined €10 million. The lesson: processors can't hide behind contracts if they go rogue.
Joint Controllers: Sharing the Pain
When two or more entities jointly determine the purposes and means of processing, they are joint controllers. They must allocate liability in a transparent arrangement, but the GDPR allows the supervisory authority to hold any joint controller liable for the entire fine. This means if one party can't pay, the other must cover the full amount.
For example, a hospital and a research institute jointly analyzing patient data for a study. If the data is leaked, both could be fined up to €20 million or 4% of annual turnover—whichever is higher.
Practical Tips to Avoid Being the One Who Pays
- Draft clear contracts: Specify each party's responsibilities and liability caps. Use the GDPR's Article 28 as a template for processor agreements.
- Conduct DPIAs: Data Protection Impact Assessments help identify who is doing what and flag potential liability issues early.
- Monitor processors: Don't just sign and forget. Regular audits can prevent processors from overstepping.
FAQ
Can a processor be fined directly under the GDPR?
Yes, if the processor violates specific obligations (e.g., failing to implement security measures) or acts outside the controller's instructions. In such cases, the processor may face fines up to €10 million or 2% of annual turnover.
What happens if a joint controller can't pay the fine?
The other joint controller(s) may be held liable for the entire amount. The GDPR allows supervisory authorities to impose the full fine on any joint controller, regardless of internal agreements.
How can companies minimize liability when sharing data?
By clearly defining roles in a joint controller agreement, conducting DPIAs, and ensuring each party has adequate insurance. Also, limit data sharing to what is strictly necessary.
⚖️ Liability Distribution at a Glance
| Role | Typical Fine Share | Key Risk |
|---|---|---|
| Controller | 70% | Primary liability for unlawful processing |
| Processor | 30% | Direct fines for acting outside instructions |
| Joint Controller | 50% each (but can be 100% for one) | Joint and several liability |
* Percentages are illustrative based on common enforcement trends. Actual liability depends on specific facts.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now
