There are two thresholds, depending on the kind and severity of the breach. The lower threshold is 2% of annual income or €10 million, and the higher threshold is 4% of annual income or €20 million. The fine that a company receives depends on which part of the legislation it has breached. These rules apply to both controllers and processors.