GDPR - Fines will be allocated
Under the GDPR, where there are violations of the GDPR, a supervisory authority can impose administrative fines (Art 83). The amount of the administrative fine is supposed to be effective to deter future violations and proportionate to the harm (Art 83(1)). Furthermore, the supervisory authority will allocate responsibility between the controller and processor (Art 83(2)(d)). Where a supervisory authority finds both the controller and processor responsible for the violation of the GDPR, they should each receive their own administrative fines. Controllers should be wary of signing any processor proposed Data Processing Agreements (DPA) without examining whether they are giving up their ability to recover any fines from the processor where the processor was at fault.
In the case of a personal data breach, administrative fines can reach up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding year - whichever is higher (Art 83(4)(a)). An "undertaking" covers a parent-subsidiary relationship and affiliate relationship where one business controls another entity (GDPR Recital 150, citing Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). Thus, a controller who unwittingly gives up their right to recover such fines could be incurring much greater liability than they assumed.