Biggest GDPR Fines: Data Breaches and Penalties

Updated: June 2026

What are the most significant GDPR fines ever issued? Since GDPR came into force in May 2018, data protection authorities across the EU and UK have recorded more than 3,000 enforcement actions. Total fines now exceed €6.31 billion, with individual penalties reaching into the hundreds of millions. This article covers the largest fines on record and the patterns behind them.

Key Takeaways

Total GDPR fines exceeded €6.31 billion by June 2026, with individual penalties reaching up to €1.2 billion for the most serious violations.

Meta, TikTok, and WhatsApp have each received multiple major fines, pointing to ongoing issues with consent, transparency, and data transfers.

The most common triggers for large fines are unlawful international data transfers, invalid consent mechanisms, and failures to respect transparency obligations.

What are the biggest GDPR fines on record?

The fines below are the largest individual penalties issued under GDPR to date. All figures are confirmed from official supervisory authority press releases.

Meta Platforms Ireland – €1.2 billion (May 2023). The Irish Data Protection Commission issued the largest GDPR fine on record after finding that Meta had transferred European users’ personal data to the United States without adequate safeguards. The scale of the transfers – affecting hundreds of millions of users – drove the penalty to the upper end of the available range.

TikTok Technology – €530 million (April 2025). The Irish DPC fined TikTok for transferring European user data to China without adequate protection. The decision found that TikTok could not guarantee the data would not be accessed by Chinese authorities, and imposed an order to suspend the transfers within six months if the issue was not resolved.

TikTok Technology – €345 million (September 2023). A separate Irish DPC action against TikTok, focused on how the platform processed children’s personal data. The investigation found that child accounts were set to public by default and that the “Family Pairing” feature did not adequately verify parental relationships.

LinkedIn Ireland – €310 million (October 2024). The Irish DPC fined LinkedIn for relying on invalid consent and on claimed legitimate interests to process members’ data for behavioural analysis and targeted advertising. The investigation also found failings in LinkedIn’s transparency obligations under Articles 13 and 14.

Uber Technologies – €290 million (August 2024). The Dutch Data Protection Authority fined Uber for transferring European drivers’ personal data to the United States for over two years without using the standard contractual clauses required following the Schrems II ruling.

Meta Platforms Ireland – €265 million (November 2022). The Irish DPC issued this fine following an investigation into a data-scraping incident that exposed the personal data of hundreds of millions of Facebook users. The investigation centred on whether Meta had implemented appropriate technical and organisational measures.

Meta Platforms Ireland – €251 million (December 2024). A further Irish DPC fine, arising from the 2018 Facebook security breach that exposed the personal data of millions of users, including names, phone numbers, locations, and email addresses.

WhatsApp Ireland – €225 million (September 2021). The Irish DPC fined WhatsApp for failing to meet GDPR transparency obligations, specifically for inadequate disclosure to users of how their personal data was shared with other Meta Group companies.

Note on the Amazon fine: Luxembourg’s National Commission for Data Protection issued Amazon a €746 million fine in July 2021, then the second-largest GDPR penalty on record. A Luxembourg court annulled that decision in March 2026 following Amazon’s appeal. The fine no longer stands.

What trends are shaping GDPR enforcement?

Have individual GDPR fines been increasing over time?

Yes. In the early years of enforcement, most GDPR fines were in the tens of thousands of euros. By 2021, individual penalties had reached the hundreds of millions, and by 2023 the first billion-euro fine had been issued. Total cumulative fines exceeded €6.31 billion by June 2026, according to the GDPR Enforcement Tracker.

Regulators have grown more confident in their roles and more experienced in investigating large technology companies. The Irish DPC, which acts as the lead supervisory authority for many major platforms with European headquarters in Ireland, has imposed several of the largest individual penalties.

Which companies have received multiple GDPR fines?

Meta has received the largest number of major fines – four separate penalties totalling over €1.9 billion, spanning data transfers, data scraping, security breaches, and transparency failures. TikTok has been fined twice by the Irish DPC, for a combined €875 million.

Multiple fines against the same company indicate that earlier enforcement actions did not resolve the underlying compliance issues. Regulators have shown they will investigate and fine each discrete violation separately.

Why do international data transfers attract the largest GDPR fines?

Transfer violations tend to produce the highest fines because they typically affect large numbers of individuals and involve systemic failures rather than isolated incidents. Meta’s €1.2 billion fine, TikTok’s €530 million fine, and Uber’s €290 million fine all arose from international data transfers without adequate safeguards.

The Schrems II ruling in 2020 created a strict requirement to verify that data sent to a third country receives equivalent protection to EU standards. Organisations that continued to rely on mechanisms that failed to meet this standard incurred the most severe penalties.

What factors determine the size of a GDPR fine?

How does the nature and severity of a violation affect the penalty?

Regulators assess the type of violation, the categories of personal data involved, how many people were affected, and whether the breach was ongoing or isolated. Violations affecting sensitive data – health records, biometric data, financial information, or children’s data – receive heavier treatment.

Violations that sit at the core of GDPR’s purpose, such as processing without a lawful basis or transferring data to countries without adequate protection, attract fines at the upper end of the range. Administrative failures, such as record-keeping gaps, typically fall into the lower tier.

Does company cooperation reduce a GDPR fine?

Cooperation during an investigation is a recognised mitigating factor. Organisations that respond promptly, supply requested information, and take remedial action during an investigation can expect this to be reflected in the final penalty. Non-cooperation, delays, or attempts to obstruct the process increase the fine.

The three-year investigation into WhatsApp’s practices, which concluded with a €225 million fine, reflects the time required to resolve cross-border disputes between supervisory authorities through the cooperation mechanism.

How does the number of affected individuals influence a fine?

The more people affected, the higher the likely penalty. Meta’s €1.2 billion fine reflected the scale of transfers involving hundreds of millions of European users. Fines are designed to be effective and dissuasive – a penalty that is negligible relative to the harm caused would not meet that test.

Regulators also consider the financial benefit the organisation gained from the violation. Where data processing generated commercial advantage, the fine must be set high enough to remove that incentive.

How can organisations avoid GDPR fines?

What security measures reduce the risk of a GDPR fine?

Organisations should implement technical and organisational measures appropriate to the risks associated with their data processing. This means regular security testing, access controls, encryption for sensitive data, and documented incident response procedures.

Data breach notification requirements include a 72-hour window to report to supervisory authorities. Organisations without response plans in place tend to miss this window, worsening their regulatory position.

What does transparent data practice look like under GDPR?

Transparency requires organisations to tell individuals what data is collected, why it is processed, how long it is retained, and with whom it is shared. Privacy notices must be clear, layered, and written in plain language.

WhatsApp’s €225 million fine arose from failures in this area. The company did not adequately disclose how personal data was transferred between its platform and other Meta Group companies. Vague or incomplete disclosure creates direct liability regardless of whether the underlying processing is lawful.

How does consent management affect the risk of a GDPR fine?

Valid consent under GDPR must be freely given, specific, informed, and unambiguous. LinkedIn’s €310 million fine was partly driven by the company relying on consent and legitimate interests for behavioural advertising where neither basis was properly satisfied.

Consent records must show when consent was given, what the individual was told, and how they indicated agreement. Where organisations cannot produce these records during an investigation, the assumption tends to go against them.
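A consent ledger that captures those three elements, when consent was given, what the individual was shown, and how agreement was indicated, and that can answer whether a given purpose was covered at a given moment. This is an added example written for this page, not code from the article or from GDPRLocal; the class and field names, the rejected-method list, and the sample events are all assumptions made here.

```python
"""Consent ledger (added example; names, fields and sample data are assumptions).

It stores the evidence a supervisory authority asks for when consent is the
lawful basis: when consent was given or withdrawn, what the individual was told
(the exact notice version and a hash of its text), and how agreement was
indicated. Events are append-only so the record cannot be quietly rewritten.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Ways of "agreeing" that are not an unambiguous affirmative act and so cannot
# count as valid consent; the ledger refuses to record a grant made this way.
INVALID_METHODS = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous identifier for the data subject
    purpose: str           # one specific purpose, e.g. "behavioural_ads"
    given: bool            # True = consent granted, False = consent withdrawn
    recorded_at: datetime  # timezone-aware timestamp of the event
    notice_version: str    # version of the privacy notice shown at the time
    notice_sha256: str     # hash of the exact notice text shown
    method: str            # how agreement (or withdrawal) was indicated


class ConsentLedger:
    """Append-only store of consent events; nothing is edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def notice_hash(notice_text: str) -> str:
        return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

    def record(self, subject_id: str, purpose: str, given: bool, recorded_at: datetime,
               notice_version: str, notice_text: str, method: str) -> ConsentEvent:
        if recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        if given and (not method or method in INVALID_METHODS):
            raise ValueError(f"not an unambiguous affirmative act: {method!r}")
        event = ConsentEvent(subject_id, purpose, given, recorded_at,
                             notice_version, self.notice_hash(notice_text), method)
        self._events.append(event)
        return event

    def consent_valid_at(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if the latest event on or before `at` for this purpose is a grant."""
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.recorded_at <= at]
        if not relevant:
            return False  # no record at all: consent cannot be shown
        return max(relevant, key=lambda e: e.recorded_at).given

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Per event: when, what was shown, how agreement was indicated."""
        return [
            {"when": e.recorded_at.isoformat(), "granted": e.given,
             "shown": f"{e.notice_version}:{e.notice_sha256[:12]}", "how": e.method}
            for e in sorted(self._events, key=lambda e: e.recorded_at)
            if e.subject_id == subject_id and e.purpose == purpose
        ]


def demo() -> dict:
    """Constructed walk-through; every subject, timestamp and notice is invented."""
    def ts(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    ledger = ConsentLedger()
    notice_v3 = "We use your activity to show you personalised ads. You can withdraw at any time."
    ledger.record("u-1001", "behavioural_ads", True, ts("2025-01-10T09:15:00"),
                  "v3", notice_v3, "unticked checkbox clicked")
    ledger.record("u-1001", "behavioural_ads", False, ts("2025-03-01T18:00:00"),
                  "v3", notice_v3, "withdraw link clicked")
    try:  # a pre-ticked box is refused at write time rather than discovered in an audit
        ledger.record("u-2002", "behavioural_ads", True, ts("2025-01-10T09:16:00"),
                      "v3", notice_v3, "pre_ticked_box")
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    return {
        "valid_feb": ledger.consent_valid_at("u-1001", "behavioural_ads", ts("2025-02-01T00:00:00")),
        "valid_mar": ledger.consent_valid_at("u-1001", "behavioural_ads", ts("2025-03-02T00:00:00")),
        "valid_analytics": ledger.consent_valid_at("u-1001", "analytics", ts("2025-02-01T00:00:00")),
        "pre_ticked_rejected": pre_ticked_rejected,
        "evidence_events": len(ledger.evidence("u-1001", "behavioural_ads")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the evidentiary question the paragraph raises. Storing the notice version together with a hash of the notice text, rather than a pointer to the current notice, lets the organisation show what the person was actually told at that moment even after the notice has been rewritten. Keeping withdrawals as events in the same append-only log means the ledger can both prove consent existed on a given date and prove it was honoured after it was withdrawn, which is exactly what an investigator will ask for.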

Frequently Asked Questions

What is the largest GDPR fine ever issued?

The largest GDPR fine on record is €1.2 billion, issued by the Irish DPC to Meta Platforms Ireland in May 2023 for unlawfully transferring EU users’ personal data to the United States without adequate safeguards.

Was Amazon’s €746 million GDPR fine upheld?

No. Luxembourg’s National Commission for Data Protection issued Amazon a €746 million fine in July 2021, but a Luxembourg court annulled the decision in March 2026 following Amazon’s appeal. The fine no longer stands.

What is the largest GDPR fine in the UK?

The ICO issued British Airways a £20 million fine in 2020 for a cyber attack that compromised the personal and financial data of over 400,000 customers. The fine was reduced from an initial notice of £183 million, in part due to the economic impact of the Covid-19 pandemic.

How many GDPR fines have been issued in total?

More than 3,000 enforcement actions have been recorded since GDPR came into force in May 2018, with total fines exceeding €6.31 billion as of June 2026, according to the GDPR Enforcement Tracker.

What violations most commonly lead to large GDPR fines?

Unlawful international data transfers and invalid consent mechanisms have driven the largest individual penalties. Meta, TikTok, and Uber were fined for transferring personal data to the US or China without the required safeguards. LinkedIn and WhatsApp were fined for failures in consent and transparency.

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.