What actually happens if I do not comply with the requirements of the GDPR? In that case, substantial fines become due, as well as claims for damages from the data subjects affected. As the name suggests, responsibility lies with the controller or processor.
"Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." (Art. 82 para. 1 GDPR)
The controller (the "person responsible") is liable:
"Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. […]" (Art. 82 para. 2 GDPR)
Each member state has a national supervisory authority responsible for enforcing the GDPR. Data subjects can lodge complaints with these authorities. The supervisory authorities can, however, also take action against data protection violations on their own initiative.
In addition to monitoring and auditing compliance, the tasks of the supervisory authorities include imposing fines. These are imposed "depending on the circumstances of the individual case" (Art. 83 GDPR). The following factors are used to determine the amount of the fine:
This also takes into account whether the controller can document its obligations under data protection law and prove that it has implemented appropriate measures to protect personal data.
The GDPR provides for fines of up to EUR 20 million or, in the case of companies, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Violations of the rules on third-country transfers are penalised under the higher range of fines in accordance with Art. 83 para. 5 GDPR.
However, fines may well amount to only a few hundred or a few thousand euros. The "CMS.Law Enforcement Tracker" website provides an overview of the fines and penalties imposed by the data protection authorities.
More information: https://www.enforcementtracker.com/