GDPR Fines & Penalties: Real Examples
Quick Answer
GDPR administrative fines can reach EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Art. 83(5)). Since enforcement began in May 2018, supervisory authorities have issued over EUR 4.3 billion in fines, including EUR 1.2 billion against Meta and EUR 746 million against Amazon.
GDPR Penalty Structure
Article 83 provides two tiers of administrative fines. Which tier applies depends on which provision was infringed, not on how serious the individual case was. The amounts below are statutory maximums; supervisory authorities set the actual fine within that ceiling using the Article 83(2) factors described later on this page, and may choose a reprimand or corrective order instead of a fine.
Key Takeaways
- Upper tier: EUR 20M or 4% of worldwide annual turnover, whichever is higher, for infringements of the core provisions (processing principles, lawful basis and consent, data subject rights, international transfers, and failure to comply with a supervisory authority's order)
- Lower tier: EUR 10M or 2% of worldwide annual turnover, whichever is higher, for controller and processor obligations (records of processing, DPO, security measures, breach notification, DPIAs, processor contracts)
- Several infringements can each be fined, but Art. 83(3) caps the total for the same or linked processing operations at the maximum for the gravest single infringement; unrelated processing operations can attract separate fines
- Total GDPR fines issued since 2018: over EUR 4.3 billion
- Enforcement has grown substantially since 2018, in both the number of fines and their size
Two Tiers of Fines
| Tier | Maximum Fine (whichever is higher) | Applies To |
|---|---|---|
| Upper (Art. 83(5)) | EUR 20M or 4% of worldwide annual turnover | Processing principles, lawful basis, consent, data subject rights, international transfers, non-compliance with a supervisory authority order |
| Lower (Art. 83(4)) | EUR 10M or 2% of worldwide annual turnover | Controller/processor obligations, DPO, security measures, breach notification, DPIAs, records of processing, certification bodies |
Largest GDPR Fines to Date
| Organization | Fine | Year | Key Violation |
|---|---|---|---|
| Meta (Facebook) — Ireland | EUR 1.2 billion | 2023 | Unlawful EU-US data transfers |
| Amazon — Luxembourg | EUR 746 million | 2021 | Targeted advertising without valid consent |
| Meta (Instagram) — Ireland | EUR 405 million | 2022 | Children's data processing violations |
| Meta (Facebook and Instagram) — Ireland | EUR 390 million | 2023 | Relying on "contract" as the legal basis for personalised advertising (forced consent) |
| TikTok — Ireland | EUR 345 million | 2023 | Children's data, accounts public by default |
| Meta (WhatsApp) — Ireland | EUR 225 million | 2021 | Transparency failures in privacy notices |
| Google — France | EUR 150 million | 2022 | Cookie consent: refusing was far harder than accepting |
| H&M — Germany | EUR 35 million | 2020 | Excessive employee surveillance |
| British Airways — UK | GBP 20 million (approx. EUR 22 million) | 2020 | Data breach affecting roughly 400,000 customers and staff |
| Marriott — UK | GBP 18.4 million (approx. EUR 20 million) | 2020 | Data breach (339 million guest records) |

Two caveats on this table: the CNIL's fine against Google was imposed under Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive's cookie rules, rather than under the GDPR itself; and the two UK fines were issued by the ICO in pounds sterling while the UK was still within the GDPR transition period, so the euro figures are conversions.
How Fines Are Calculated
Article 83(2) lists the factors a supervisory authority must consider when deciding whether to impose a fine and how much:
- Nature, gravity, and duration (Art. 83(2)(a)): how serious the infringement is, how long it lasted, how many data subjects were affected, and what damage they suffered
- Intentional or negligent (b): intentional infringements attract higher fines than negligent ones
- Actions taken to mitigate (c): what you did to limit the damage to affected individuals
- Degree of responsibility (d): what technical and organisational measures were in place under Articles 25 and 32
- Previous infringements (e): repeat offenders face higher fines
- Cooperation with the authority (f): cooperation can reduce a fine; obstruction increases it
- Categories of data affected (g): special category data (health, religion, biometrics, etc.) is an aggravating factor
- How the authority learned of it (h): in particular, whether you notified the infringement yourself or it surfaced through a complaint or investigation
- Compliance with earlier corrective measures (i): ignoring a previous order against you is aggravating
- Adherence to approved codes of conduct or certification mechanisms (j)
- Any other aggravating or mitigating factor (k), including financial benefits gained or losses avoided through the infringement
Separately, Article 83(1) requires every fine to be "effective, proportionate and dissuasive". The EDPB's Guidelines 04/2022 on the calculation of administrative fines give supervisory authorities a common method: identify the processing operations and apply the Art. 83(3) cap, set a starting amount from the infringement's seriousness and the undertaking's turnover, adjust for the aggravating and mitigating factors above, check against the legal maximum, and finally test whether the result is effective, proportionate and dissuasive.
Most Common Violation Types
- #1: Insufficient legal basis. Processing personal data without a valid lawful basis under Article 6.
- #2: Non-compliance with data subject rights. Failing to honour access, erasure, objection and other requests within the statutory deadlines.
- #3: Insufficient security. Inadequate technical and organisational measures under Article 32, typically surfaced by a breach.
- #4: Consent failures. Invalid consent mechanisms such as cookie walls, pre-ticked boxes, and refuse options that are harder to use than accept.
Beyond Fines: Other Consequences
- Processing bans: under Art. 58(2) a supervisory authority can impose a temporary or definitive ban on processing personal data, which can halt your EU operations outright
- Mandatory audits: required periodic compliance audits at your expense
- Reputational damage: enforcement decisions are published, and media coverage amplifies the impact
- Civil litigation: Art. 82 gives data subjects a right to compensation for material and non-material damage, and Art. 80 lets qualified not-for-profit bodies bring representative actions on their behalf; such collective claims are increasingly common in the EU
- Corrective orders: mandatory changes to bring processing into compliance, which can be costly to implement
✅ How to Minimize Fine Risk
Show good faith: maintain a ROPA, conduct DPIAs, have a DPO where required, document your decisions, train staff, and respond promptly to supervisory authority inquiries. Organizations that demonstrate genuine compliance efforts typically receive lower fines or corrective orders instead of monetary penalties.
Can small businesses really be fined under GDPR?
Yes. While the largest fines target major corporations, supervisory authorities have fined small businesses and even individuals. Fines are proportionate: a small business will not face EUR 20M, but fines in the range of EUR 5,000 to EUR 500,000 are realistic for SMBs. Some DPAs also issue reprimands and corrective orders as alternatives to fines.
Are GDPR fines increasing?
Yes, significantly. Both the number of fines and the size of the largest penalties have grown substantially since 2018, as supervisory authorities have become more experienced and more assertive, and the trend shows no sign of slowing down.
Can I appeal a GDPR fine?
Yes. Organizations can appeal GDPR fines through judicial review in the courts of the relevant member state. Several high-profile fines have been reduced or overturned on appeal. However, the appeal process is expensive and can take years.
Does cyber insurance cover GDPR fines?
It depends on the jurisdiction and policy. Some jurisdictions allow insurance coverage of regulatory fines; others don't (on public policy grounds). Cyber insurance typically covers breach response costs, legal fees, and some regulatory defense costs. Check your policy specifically for regulatory fine coverage.