GDPR Fines & Penalties: Complete List and Guide (2026)

The GDPR gives European data protection authorities the power to impose substantial fines on organizations that violate its provisions. Since the regulation took effect on May 25, 2018, supervisory authorities across the EU have issued thousands of fines totaling over EUR 7.1 billion.
This guide explains the GDPR's penalty structure, breaks down how fines are calculated, lists the largest fines to date, and covers practical strategies for reducing enforcement risk. For an overview of the regulation itself, see our guide to What Is GDPR.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
The Two-Tier Penalty Structure (Article 83)
Article 83 of the GDPR establishes two tiers of maximum fines. The tier that applies depends on which GDPR provision was violated.
Lower Tier: Up to EUR 10 Million or 2% of Global Turnover
The lower tier applies to violations of:
- Controller and processor obligations (Articles 8, 11, 25-39, 42, 43)
- Certification body obligations (Articles 42, 43)
- Monitoring body obligations (Article 41)
These are primarily organizational and procedural requirements: failing to maintain records of processing activities (Article 30), not conducting a required DPIA (Article 35), failing to appoint a DPO when required (Article 37), not notifying breaches as Articles 33 and 34 require, or failing to implement appropriate security measures (Article 32).
Upper Tier: Up to EUR 20 Million or 4% of Global Turnover
The upper tier applies to violations of:
- The basic principles for processing, including conditions for consent (Articles 5, 6, 7, 9)
- Data subject rights (Articles 12-22)
- International data transfer rules (Articles 44-49)
- National law provisions under Chapter IX
- Non-compliance with a supervisory authority order, limitation on processing, or suspension of data flows (Article 58(2)), or failure to give the authority access (Article 58(1))
For an undertaking, the applicable maximum is whichever amount is higher: the fixed EUR figure or the percentage of total worldwide annual turnover of the preceding financial year. For a company with EUR 10 billion in annual global revenue, 4% means a potential fine of EUR 400 million, far exceeding the EUR 20 million fixed cap. Where several provisions are infringed through the same or linked processing operations, Article 83(3) caps the total at the maximum for the gravest infringement.
Beyond Fines: Other Corrective Powers
Under Article 58(2), supervisory authorities can also issue warnings, reprimands, orders to comply, temporary or permanent processing bans, orders to rectify or erase data, and orders to suspend data transfers to a third country. These non-monetary sanctions can be even more disruptive than fines, particularly processing bans that halt business operations.

How GDPR Fines Are Calculated
The EDPB Guidelines 04/2022 on the calculation of administrative fines establish a five-step methodology that supervisory authorities follow.
Step 1: Identify the Processing Operations and Infringements
The authority first determines which processing operations are at issue and which GDPR provisions have been infringed. Where several infringements arise from the same or linked processing operations, Article 83(3) applies: each infringement is still assessed, but the total fine cannot exceed the legal maximum for the gravest one.
Step 2: Determine the Starting Amount
The starting amount is based on:
- Nature of the infringement: Which provisions were violated and whether they fall under the lower or upper tier of Article 83(4)-(6)
- Seriousness: The scope and gravity of the violation, including the number of data subjects affected, the extent of damage, the sensitivity of the data involved, and whether the conduct was intentional or negligent
- Duration: How long the infringement continued
- Turnover of the undertaking: The guidelines scale the starting point to the size of the undertaking, so the same conduct yields a different starting amount for a small company than for a large one
Step 3: Evaluate Aggravating and Mitigating Factors
Article 83(2) lists specific factors that supervisory authorities must consider when deciding whether to fine and how much:
| Factor | Aggravating | Mitigating |
|---|---|---|
| Intent (Art. 83(2)(b)) | Deliberate violation | Negligent oversight |
| Mitigation steps (Art. 83(2)(c)) | None taken | Prompt action to limit damage to data subjects |
| Technical and organizational measures (Art. 83(2)(d)) | No meaningful safeguards under Articles 25 and 32 | Appropriate measures in place before the incident |
| Past conduct (Art. 83(2)(e)) | Previous GDPR violations | Clean compliance record |
| Cooperation (Art. 83(2)(f)) | Obstructed the investigation | Fully cooperated with the authority |
| Data categories (Art. 83(2)(g)) | Special category data affected | Non-sensitive data only |
| Self-reporting (Art. 83(2)(h)) | Authority discovered the issue | Organization self-reported |
| Prior orders (Art. 83(2)(i)) | Previously ordered measures ignored | Previous orders complied with |
| Codes and certification (Art. 83(2)(j)) | None in place | Approved code of conduct or certification followed |
| Other circumstances (Art. 83(2)(k)) | Financial gain from the infringement | Losses avoided or benefits foregone |
Step 4: Apply Legal Maximums
The calculated fine is then checked against the applicable ceiling (EUR 10M/2% or EUR 20M/4%, whichever is higher for the undertaking). The fine cannot exceed the maximum for the relevant tier, and for multiple linked infringements it cannot exceed the maximum for the gravest of them (Article 83(3)).
Step 5: Ensure Proportionality
The final fine must be effective, proportionate, and dissuasive. Supervisory authorities assess whether the calculated amount achieves these three goals, adjusting if necessary.

Top 10 Largest GDPR Fines
The following table lists the ten largest GDPR fines issued as of early 2026. These penalties reflect the regulation's enforcement trajectory, with the largest fines increasingly targeting international data transfers and behavioral advertising.
| Rank | Company | Fine (EUR) | DPA | Year | Violation |
|---|---|---|---|---|---|
| 1 | Meta (Facebook) | 1.2 billion | Irish DPC | 2023 | Transferring EU user data to the US without adequate safeguards under Chapter V |
| 2 | Amazon | 746 million | Luxembourg CNPD | 2021 | Non-compliance with data processing principles for targeted advertising |
| 3 | TikTok | 530 million | Irish DPC | 2025 | Transferring EEA user data to China without adequate safeguards |
| 4 | Meta (Instagram) | 405 million | Irish DPC | 2022 | Processing children's data without adequate protections |
| 5 | Meta (Facebook/Instagram) | 390 million | Irish DPC | 2023 | Lacking valid legal basis for behavioral advertising |
| 6 | TikTok | 345 million | Irish DPC | 2023 | Failures in handling children's data and default privacy settings |
| 7 | LinkedIn | 310 million | Irish DPC | 2024 | Insufficient legal basis for behavioral analysis and targeted advertising |
| 8 | Uber | 290 million | Dutch AP | 2024 | Transferring EU driver data to the US without adequate safeguards |
| 9 | Meta (Facebook) | 265 million | Irish DPC | 2022 | Insufficient security measures leading to scraping of 533 million user records |
| 10 | Meta (Facebook) | 251 million | Irish DPC | 2024 | Security breach affecting 29 million users globally including 3 million in Europe |
Key Observations
Meta dominates the list. Five of the ten largest fines target Meta platforms (Facebook, Instagram), and those five alone total more than EUR 2.5 billion since 2022. Ireland's DPC handles most Meta enforcement because the company's main EU establishment is in Dublin, which makes the DPC the lead supervisory authority.
International data transfers are the costliest violation. Three of the top ten fines, including the two largest, concern transferring EU personal data to countries without adequate protection. The Meta EUR 1.2 billion decision and the TikTok EUR 530 million decision both centered on transfers made without a valid Chapter V mechanism, and the Uber EUR 290 million decision followed the same pattern.
Children's data triggers heavy penalties. Both the Instagram EUR 405 million fine and the TikTok EUR 345 million fine involved inadequate protection of children's data, reflecting the GDPR's heightened protections for minors.
Enforcement by Country
GDPR enforcement varies significantly across EU member states. Some supervisory authorities issue frequent fines, while others rely more heavily on warnings and corrective orders.
Ireland: The Big Tech Regulator
Ireland's Data Protection Commission (DPC) has issued roughly EUR 4 billion in aggregate GDPR fines, making it the largest enforcer by total fine value. This is primarily because Meta, Google, Apple, TikTok, LinkedIn, Microsoft, and other major technology companies have their main EU establishment in Dublin, so under the GDPR's one-stop-shop mechanism (Article 56) the DPC is the lead supervisory authority for their cross-border processing.
The DPC's enforcement pace accelerated significantly after 2022, following criticism from other EU supervisory authorities and the EDPB's increasing use of binding decisions to resolve cross-border disagreements.
Spain: The Volume Leader
Spain's Agencia Espanola de Proteccion de Datos (AEPD) has issued more individual fines than any other EU supervisory authority, with over 1,000 penalties since 2018. Most Spanish fines are smaller amounts targeting domestic companies, often for video surveillance violations, direct marketing without consent, or inadequate data subject rights responses.
France: Major Fines Across Sectors
France's CNIL has imposed significant fines across multiple sectors, including technology, retail, and healthcare. Notable French enforcement actions include fines against Google, Amazon, and Criteo for advertising and cookie consent violations. Note that the CNIL's cookie consent fines against Google and Amazon were issued under the French transposition of the ePrivacy Directive (Article 82 of the Loi Informatique et Libertes) rather than under the GDPR itself, which is why they are not subject to the one-stop-shop mechanism and do not appear in GDPR-only fine totals.
Other Active Enforcers
Italy's Garante, Germany's state-level DPAs, and the Dutch Autoriteit Persoonsgegevens (AP) are among the most active enforcement bodies. The Dutch AP's EUR 290 million fine against Uber in 2024 demonstrated that enforcement is not limited to the Irish DPC.
Common Violations That Lead to Fines
Understanding which violations most frequently trigger penalties helps organizations prioritize their compliance efforts.
Insufficient Legal Basis for Processing
Processing personal data without a valid legal basis under Article 6 is the single most common reason for large fines. This includes collecting data without proper consent, relying on an inapplicable legal basis, or failing to obtain specific consent for different processing purposes.
Inadequate Technical Security
Failing to implement appropriate security measures under Article 32 results in frequent fines, particularly after data breaches. Article 32 requires measures appropriate to the risk, taking into account the state of the art, implementation cost, and the nature of the processing, so a breach alone does not prove a violation. Supervisory authorities examine whether the organization had reasonable, documented security in place before the breach occurred and whether it followed its own policies. Meta's EUR 265 million (scraping) and EUR 251 million (2018 breach) fines are examples of Article 32 enforcement.
Transparency Violations
Failing to provide clear, complete privacy notices under Articles 13 and 14 or not adequately informing data subjects about how their data is used triggers enforcement action. The EDPB's 2026 coordinated enforcement action specifically targets transparency and information obligations.
Unlawful International Transfers
Transferring personal data outside the EU without adequate safeguards under Chapter V has generated the largest individual fines. Organizations must verify that a valid transfer mechanism (an adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules) is in place for every international data flow. Signing SCCs is not enough on its own: following the Schrems II judgment, the data exporter must assess whether the destination country's law undermines the clauses and add supplementary measures where it does. The Meta EUR 1.2 billion decision concerned transfers made under SCCs that the DPC found did not adequately address US surveillance law.
Data Subject Rights Violations
Failing to respond to access, erasure, or other rights requests within the required timeframes regularly results in fines, particularly from enforcement-active authorities like Spain's AEPD.
How to Reduce Your Risk of GDPR Fines
Supervisory authorities consider cooperation, mitigation efforts, and proactive compliance when setting fine amounts. These practical steps can both prevent violations and reduce penalties if an issue arises.
Demonstrate Proactive Compliance
Maintain thorough documentation of your compliance program. Records of processing activities, completed DPIAs, staff training logs, and updated policies all demonstrate good faith. The GDPR's accountability principle (Article 5(2)) explicitly requires organizations to prove their compliance.
Respond Quickly to Incidents
When a breach or violation occurs, acting quickly matters. Prompt notification to the supervisory authority within 72 hours of becoming aware of a breach (Article 33), notification to affected individuals where the breach is likely to result in a high risk to them (Article 34), immediate remediation steps, and full cooperation with the supervisory authority are all mitigating factors under Article 83(2). For details on breach reporting, see our guide to the GDPR 72-hour breach notification rule.
Cooperate Fully with Investigations
Organizations that cooperate transparently with supervisory authority investigations consistently receive lower fines than those that obstruct or delay. This includes providing requested information promptly, granting access for inspections, and implementing recommended changes.
Invest in Staff Training
Many GDPR violations stem from employee errors: sending data to the wrong recipient, failing to recognize a data subject rights request, or misconfiguring system access. Regular, documented training reduces these risks and serves as a mitigating factor.
Implement a Compliance Framework
Use our GDPR compliance checklist to build a structured compliance program. Organizations with documented frameworks, regular audits, and appointed DPOs are better positioned to both prevent violations and demonstrate accountability.
Consider Certification
Adhering to approved codes of conduct (Article 40) or obtaining GDPR certifications (Article 42) can serve as mitigating factors. While certification does not guarantee reduced fines, it demonstrates a commitment to compliance that supervisory authorities recognize.
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Data Subject Rights for all eight individual rights
- GDPR Consent Requirements for valid consent standards
- GDPR Breach Notification 72-Hour Rule for breach reporting obligations
- GDPR for Small Businesses for SME-specific guidance
- [EU Data Privacy Laws](/world-laws/world-data-privacy-laws/eu-data-privacy-laws) for the complete EU data protection overview
Sources and References
- GDPR Full Text - Article 83 (Fines) (eur-lex.europa.eu)
- EDPB Guidelines 04/2022 on Calculation of Administrative Fines (edpb.europa.eu)
- EDPB - 1.2 Billion Euro Fine for Facebook (Binding Decision) (edpb.europa.eu)
- EDPB - TikTok EUR 530 Million Fine (2025) (edpb.europa.eu)
- European Commission - Enforcement and Sanctions (commission.europa.eu)
- EDPB - Fines Topic Page (edpb.europa.eu)
- EDPB CEF 2026 - Coordinated Enforcement on Transparency (edpb.europa.eu)
- European Data Protection Board (EDPB) (edpb.europa.eu)
- GDPR Enforcement Tracker - Fines Database (enforcementtracker.com)
- DLA Piper GDPR Fines and Data Breach Survey January 2026 (dlapiper.com)