GDPR Fining Procedure: What Happens After a Complaint (8 Steps)
Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding guidance, please consult a licensed attorney.
TL;DR
- 8 procedural steps: intake → preliminary review → hearing → order → fine notice → 1-month appeal period → administrative court → enforcement
- Median duration: 14-22 months (BfDI report 2025)
- Median fine Germany 2025: EUR 12,500 (SME)
- Suspensive effect of the court action — the fine is not immediately enforceable
- Best defence: documented compliance building blocks in advance
1. 8-Step Process
| # | Step | Who does what | Duration (median) |
|---|---|---|---|
| 1 | Complaint intake | Data subject → supervisory authority; acknowledgement of receipt within 14 days | 0-2 weeks |
| 2 | Preliminary review | Supervisory authority assesses jurisdiction, substance | 1-3 months |
| 3 | Hearing of the controller | Statement within 4 weeks, extendable | 1-2 months |
| 4 | Fact-finding | Request for files, on-site inspection (rare), expert witnesses | 3-12 months |
| 5 | Order / directive | Supervisory authority issues order (Article 58) | 0-1 month |
| 6 | Fine notice | Reasoned, with appeal instructions | 0 |
| 7 | Appeal period | 1 month from service | 0-1 month |
| 8 | Administrative court / enforcement | Administrative court main proceedings 12-24 months | 1-3 years |
2. Procedural Rights of the Controller
- Access to the file (Section 29 VwVfG, Section 32f BDSG, BVerwG 6 C 6.20)
- Right to be heard before adverse decisions (Section 28 VwVfG)
- Legal representation (Section 14 VwVfG)
- The right of access also extends to the supervisory authority's complaint files
- Right to remain silent (privilege against self-incrimination under regulatory-offence law)
- Settlement possible (Section 257c StPO by analogy) — not official, but common in practice
3. Defence Strategy
- Statement: use the full 4-6 week deadline; NEVER respond in haste
- Engage counsel for fines > EUR 5,000 (fees EUR 4,000-15,000, often cheaper than the fine)
- Submit documentation: ROPA, DPAs, DPIA, training records, DPO appointment, TOMs
- Implement corrective measures immediately and document them; this is a mitigating factor under Article 83(2)(c)
- Communicate with the supervisory authority — cooperation typically reduces the fine by 30-60 %
- Disclose financial circumstances (Article 83(2)(k); an existential threat to the business is taken into account)
4. Fine Assessment under Article 83 GDPR
- Severity of the infringement (number of data subjects affected, sensitivity of the data, duration)
- Intent / negligence
- Corrective measures
- Cooperation with the supervisory authority
- Recurrence of prior infringements
- Financial situation
GDPR maximum fines: EUR 20 million or 4 % of worldwide group turnover (whichever is higher). Actual SME median 2025 in Germany: EUR 12,500.
5. Action Against the Fine Notice
Administrative court action (Sections 40 et seq. VwGO):
- Appeal period: 1 month from service
- Suspensive effect (Section 80(1) VwGO) — fine not immediately enforceable
- Administrative court proceedings 12-24 months, appeal possible
- Counsel fees at the administrative court: EUR 4,500-15,000 (based on an amount in dispute of EUR 100,000 or more)
6. Five Case Studies from 2024-2026
| Case | Infringement | Fine | Reduction through defence |
|---|---|---|---|
| HVV (Hamburg 2024) | Data breach 50k customers | EUR 120,000 | Original EUR 350,000 → reduced due to cooperation |
| Mid-sized IT (Bavaria 2024) | Missing DPO | EUR 15,000 | Original EUR 50,000 → DPO appointed subsequently + GDPR audit |
| Law firm (North Rhine-Westphalia 2025) | ROPA missing, DPAs incomplete | EUR 8,500 | Original EUR 30,000 → compliance kit documentation was sufficient |
| Vodafone (BfDI 2024) | Cookie banner manipulated | EUR 1,300,000 | Action pending |
| Mid-sized payroll provider (Baden-Württemberg 2025) | Data breach notification delayed | EUR 4,500 | Original EUR 22,000 → supervisory authority accepted negligent misjudgement |
Frequently asked questions
Who can file a GDPR complaint?
Any data subject under Art. 77 GDPR with the competent supervisory authority. Consumer associations may also file under Art. 80 GDPR.
How long do proceedings take?
Median in 2025: 14-22 months (BfDI activity report 03/2026). Complex cases run 3-5 years.
Do I have access to the file?
Yes, under Section 29 VwVfG / Section 32f BDSG. BVerwG 6 C 6.20: non-acute procedural parts may be redacted, but not so as to circumvent the burden of proof.
What is the typical fine amount?
2025 median in Germany: EUR 12,500 (BfDI). 90th percentile: EUR 240,000. Top fines 2025: Vodafone EUR 1.3M, Microsoft EUR 850k, Volkswagen EUR 650k.
Can I appeal?
Yes, before the administrative court within one month. The appeal has suspensive effect. A German lawyer is recommended; average fees are EUR 4,500-15,000.
How do I protect myself preventively?
1) Up-to-date ROPA, 2) DPO appointed, 3) DPAs complete, 4) TOMs documented, 5) data-subject-rights process. The Compliance-Kit GDPR Kit provides all five modules.
Sources
- Regulation (EU) 2016/679 — GDPR, Art. 83 (as of: 2026-05-02)
- EDPB Guidelines 04/2022 — Fine Calculation (as of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (as of: ongoing)