Companies in breach of the GDPR face a few channels of sanctions:
1. Supervisory Authority enforcement. The SAs are authorized to make inquiries, investigate, and issue administrative fines to companies. They may set administrative fines of up to the higher of EUR 20,000,000 or 4% of a company's annual global turnover (this could also be that of a group of companies; it remains to be seen how the SAs will interpret and implement the GDPR). Some obligations of the GDPR are subject to somewhat lower fines, up to the higher of EUR 10,000,000 or 2% of the annual global turnover, but this is pretty hefty too. The SAs may levy these fines without any claim being brought by a data subject or a third party, and they have investigative powers.
2. Member State Courts – data subjects may bring claims against breaching companies, in accordance with local legal procedures of the applicable member state. Each of the states also has the right to determine that certain breaches of the GDPR shall be subject to criminal penalties.