
GDPR Fines and Penalties: Fine Structure, Real Examples & How to Avoid Them

The General Data Protection Regulation introduced the most significant financial penalties for data protection violations in history. With fines reaching up to 4% of global annual revenue or EUR 20 million, whichever is greater, GDPR enforcement has fundamentally changed how organizations approach data privacy. This guide examines the GDPR fine structure, reviews the largest enforcement actions to date, explains how supervisory authorities calculate penalties, and provides practical strategies to reduce your exposure.

GDPR Two-Tier Fine Structure

GDPR establishes two tiers of administrative fines under Article 83. The lower tier, defined in Article 83(4), allows fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. This tier applies to violations of obligations regarding data protection by design and by default (Article 25), data processing records (Article 30), data breach notification (Articles 33-34), data protection impact assessments (Article 35), designation of a data protection officer (Article 37), and certification (Articles 42-43). The upper tier, defined in Article 83(5) and (6), allows fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. This applies to violations of the core data processing principles (Articles 5, 6, 9), data subject rights (Articles 12-22), international data transfer rules (Articles 44-49), and any obligations under member state law adopted under Chapter IX. The turnover calculation uses the total worldwide annual turnover of the preceding financial year for the entire undertaking (corporate group), not just the individual entity that committed the violation. This means a subsidiary's violation can result in fines based on the parent company's global revenue, making GDPR penalties potentially enormous for large multinational organizations.
  • Lower tier: up to EUR 10 million or 2% of global turnover for procedural violations
  • Upper tier: up to EUR 20 million or 4% of global turnover for core principle violations
  • Turnover is calculated on the entire corporate group, not just the violating entity
  • Data subject rights violations fall under the higher penalty tier
  • Breach notification failures fall under the lower tier but can still result in substantial fines

Largest GDPR Fines to Date

The record GDPR fine was imposed on Meta Platforms Ireland in May 2023 by the Irish Data Protection Commission: EUR 1.2 billion for transferring EU user data to the United States without adequate safeguards following the Schrems II decision. Amazon received the second-largest fine of EUR 746 million from Luxembourg's CNPD in July 2021 for processing personal data in violation of GDPR consent and transparency requirements related to its advertising targeting practices. WhatsApp Ireland was fined EUR 225 million by Ireland's DPC in September 2021 for transparency violations regarding how it shared user data with other Meta companies. Google received fines of EUR 150 million from France's CNIL for making cookie rejection more difficult than cookie acceptance, and a separate EUR 90 million fine for similar cookie consent issues on YouTube. Instagram was fined EUR 405 million by Ireland's DPC in September 2022 for processing children's personal data, specifically for making teenager accounts and contact information publicly visible by default. TikTok received a EUR 345 million fine from Ireland's DPC for failing to protect children's privacy. These landmark fines demonstrate that supervisory authorities are willing to impose penalties at the upper end of the GDPR scale, particularly for systematic violations affecting large numbers of data subjects.
  • Meta holds the record GDPR fine at EUR 1.2 billion for inadequate US data transfer safeguards
  • Amazon was fined EUR 746 million for consent and transparency violations in advertising
  • Instagram received EUR 405 million for failing to protect children's data by default
  • TikTok was fined EUR 345 million for children's privacy failures
  • WhatsApp was fined EUR 225 million for transparency violations regarding data sharing

How GDPR Fines Are Calculated

Article 83(2) of GDPR specifies ten criteria that supervisory authorities must consider when determining fine amounts. These include the nature, gravity, and duration of the infringement, considering the scope of data processing, number of data subjects affected, and level of damage suffered. The intentional or negligent character of the infringement is weighed, with deliberate violations receiving heavier penalties. Actions taken by the controller or processor to mitigate damage to data subjects can reduce the fine. The degree of responsibility, considering technical and organizational measures implemented under Articles 25 and 32, is assessed. Any previous infringements by the controller or processor are considered as aggravating factors. The degree of cooperation with the supervisory authority in remedying the infringement affects the outcome. The categories of personal data involved matter significantly, with special category data (health, biometric, genetic) and financial data attracting higher penalties. How the authority became aware of the infringement is relevant, as self-reporting typically results in more favorable treatment than discovery through complaints or investigations. Compliance with previously ordered measures and adherence to approved codes of conduct or certification mechanisms are also considered. The European Data Protection Board has published guidelines on fine calculation methodology to promote consistency across EU member states.
  • Ten criteria under Article 83(2) guide fine calculation by supervisory authorities
  • Intentional violations receive significantly higher fines than negligent ones
  • Cooperation with authorities and self-reporting can reduce penalty amounts
  • Special category data (health, biometric) involvement increases fine severity
  • The EDPB has published guidelines to promote consistent fine calculation across the EU

Common Violations That Trigger GDPR Fines

Analysis of GDPR enforcement actions reveals several categories of violations that most frequently result in fines. Insufficient legal basis for data processing is the most common trigger, accounting for the largest fines. Organizations that process personal data without valid consent, legitimate interest, or another legal basis face upper-tier penalties. Non-compliance with data subject rights is another frequent trigger. Failing to respond to access requests within the required one-month timeframe, making it difficult to exercise the right to erasure, or not honoring objections to processing can all result in enforcement. Insufficient technical and organizational measures, particularly inadequate security leading to data breaches, generate a high volume of fines across all EU member states. This includes weak encryption, poor access controls, lack of pseudonymization, and failure to implement privacy by design. Transparency violations are increasingly enforced, as privacy notices that fail to clearly communicate processing purposes, legal bases, data retention periods, and data subject rights attract attention from supervisory authorities. International data transfer violations have become a major enforcement area following the Schrems II decision, as organizations that transfer data outside the EU without adequate safeguards face significant penalties.
  • Insufficient legal basis for processing is the most common trigger for large fines
  • Failure to honor data subject rights (access, erasure, objection) frequently results in enforcement
  • Inadequate security measures leading to breaches generate high volumes of fines across EU states
  • Transparency failures in privacy notices attract increasing supervisory attention
  • International data transfers without adequate safeguards are a major enforcement area post-Schrems II

GDPR Fines by Country and Supervisory Authority

GDPR enforcement varies significantly across EU member states. Ireland's Data Protection Commission has issued the largest individual fines due to its jurisdiction over major tech companies headquartered there, including Meta, WhatsApp, and TikTok. France's CNIL has been one of the most active authorities, issuing fines against Google, Amazon France, and Criteo, and has been particularly aggressive on cookie consent violations. Luxembourg's CNPD imposed the EUR 746 million fine against Amazon. Spain's AEPD is notable for issuing a very high volume of smaller fines, demonstrating that enforcement is not limited to large corporations. Italy's Garante has issued substantial fines to telecommunications companies and public entities. Germany's enforcement is distributed across sixteen state-level authorities plus the federal commissioner, resulting in varied approaches. The European Data Protection Board plays a coordination role, particularly through the Article 65 dispute resolution mechanism, which was invoked in the Meta EUR 1.2 billion decision when Ireland's DPC and other concerned authorities disagreed on the outcome. Organizations operating across multiple EU member states must be aware that their lead supervisory authority may not be the only authority that can initiate enforcement, and fines can vary substantially depending on the enforcing authority's approach and priorities.
  • Ireland's DPC has issued the largest individual fines due to big tech headquarters there
  • France's CNIL is especially active on cookie consent and tracking violations
  • Spain's AEPD issues a high volume of smaller fines across many sectors
  • Germany has sixteen state-level authorities with varied enforcement approaches
  • The EDPB coordinates cross-border enforcement through Article 65 dispute resolution

How to Minimize Your GDPR Fine Risk

Organizations can significantly reduce their GDPR fine exposure through proactive compliance measures. First, ensure every processing activity has a clearly documented legal basis under Article 6, and for special category data under Article 9. Maintain a comprehensive record of processing activities as required by Article 30. Second, implement robust consent management, ensuring consent is freely given, specific, informed, and unambiguous, with equally easy mechanisms for granting and withdrawing consent. Third, invest in data subject rights infrastructure so your organization can respond to access, rectification, erasure, and portability requests within the one-month deadline. Fourth, conduct Data Protection Impact Assessments for high-risk processing activities before they begin. Fifth, implement appropriate technical and organizational security measures, including encryption, pseudonymization, access controls, and regular testing. Sixth, appoint a Data Protection Officer if required, and ensure they have genuine independence and adequate resources. Seventh, establish breach notification procedures that enable reporting to supervisory authorities within 72 hours and to affected individuals without undue delay. Eighth, review international data transfer mechanisms following Schrems II, implementing Standard Contractual Clauses with supplementary measures where necessary. Organizations that can demonstrate accountability through documentation, impact assessments, and proactive security measures are better positioned to receive reduced penalties if enforcement actions do occur.
  • Document the legal basis for every processing activity under Articles 6 and 9
  • Implement consent management with equally easy mechanisms for granting and withdrawing consent
  • Build infrastructure to respond to data subject rights requests within the one-month deadline
  • Conduct DPIAs for high-risk processing and maintain breach notification procedures for 72-hour reporting
  • Demonstrating accountability through documentation can reduce penalties in enforcement actions
  • Review international data transfer mechanisms and implement supplementary measures post-Schrems II

Key Takeaways

  • GDPR fines can reach up to 4% of global annual turnover or EUR 20 million for core principle violations
  • The largest GDPR fine is EUR 1.2 billion imposed on Meta for US data transfer violations
  • Ten criteria under Article 83(2) guide how supervisory authorities calculate fine amounts
  • Insufficient legal basis for processing is the most common trigger for substantial fines
  • Cooperation with authorities and self-reporting breaches typically result in reduced penalties
  • Enforcement varies significantly by country, with Ireland, France, and Spain among the most active
  • Proactive accountability measures including documentation and DPIAs can reduce fine exposure

Frequently Asked Questions

What is the maximum GDPR fine?

The maximum GDPR fine is EUR 20 million or 4% of global annual turnover of the entire corporate group, whichever is greater. This upper tier applies to violations of core data processing principles, data subject rights, and international transfer rules. The lower tier allows fines up to EUR 10 million or 2% of turnover.

What is the largest GDPR fine ever issued?

The largest GDPR fine is EUR 1.2 billion, imposed on Meta Platforms Ireland by the Irish Data Protection Commission in May 2023 for transferring EU user data to the United States without adequate safeguards following the Court of Justice's Schrems II decision.

Can small businesses be fined under GDPR?

Yes. GDPR applies to all organizations that process personal data of EU residents, regardless of size. Spain's AEPD regularly fines small and medium businesses. However, supervisory authorities must consider proportionality when setting fine amounts, and smaller organizations typically receive lower fines than large corporations for similar violations.

How does GDPR calculate turnover for fines?

GDPR calculates turnover based on the total worldwide annual revenue of the preceding financial year for the entire undertaking or corporate group, not just the individual entity that committed the violation. This means a subsidiary's GDPR violation can result in a fine based on the parent company's global revenue.

Can GDPR fines be appealed?

Yes. GDPR Article 78 provides a right to judicial remedy against supervisory authority decisions, including fines. Organizations can appeal to the courts in the member state where the supervisory authority is established. Several major fines, including the Amazon and WhatsApp decisions, have been subject to appeals.

Does reporting a breach reduce the GDPR fine?

Self-reporting a breach and cooperating with the supervisory authority are factors that can reduce fine amounts under Article 83(2). Organizations that proactively notify authorities within 72 hours, take immediate mitigation steps, and cooperate fully with investigations typically receive more favorable treatment than those where violations are discovered through complaints.
