Article 100 — Amendment of Directive 2014/90/EU

Article 100
Administrative fines on Union institutions, bodies, offices and agencies

1. The European Data Protection Supervisor may impose administrative fines on Union institutions, bodies, offices and
agencies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and when
deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation
shall be taken into account and due regard shall be given to the following:

116/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj
OJ L, 12.7.2024 EN

(a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI
system concerned, as well as, where appropriate, the number of affected persons and the level of damage suffered by
them;

(b) the degree of responsibility of the Union institution, body, office or agency, taking into account technical and
organisational measures implemented by them;

(c) any action taken by the Union institution, body, office or agency to mitigate the damage suffered by affected persons;

(d) the degree of cooperation with the European Data Protection Supervisor in order to remedy the infringement and
mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously
ordered by the European Data Protection Supervisor against the Union institution, body, office or agency concerned
with regard to the same subject matter;

(e) any similar previous infringements by the Union institution, body, office or agency;

(f) the manner in which the infringement became known to the European Data Protection Supervisor, in particular
whether, and if so to what extent, the Union institution, body, office or agency notified the infringement;

(g) the annual budget of the Union institution, body, office or agency.

2. Non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative
fines of up to EUR 1500000.

3. The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those
laid down in Article 5, shall be subject to administrative fines of up to EUR 750000.

4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union
institution, body, office or agency which is the subject of the proceedings conducted by the European Data Protection
Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data
Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned
have been able to comment. Complainants, if any, shall be associated closely with the proceedings.

5. The rights of defence of the parties concerned shall be fully respected in the proceedings. They shall be entitled to
have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or
undertakings in the protection of their personal data or business secrets.

6. Funds collected by imposition of fines in this Article shall contribute to the general budget of the Union. The fines
shall not affect the effective operation of the Union institution, body, office or agency fined.

7. The European Data Protection Supervisor shall, on an annual basis, notify the Commission of the administrative fines
it has imposed pursuant to this Article and of any litigation or judicial proceedings it has initiated.