Updated: June 2026
GDPR fines are central to how European data protection law is enforced. The General Data Protection Regulation establishes a two-tiered penalty structure that can reach up to €20 million or 4% of global annual turnover – whichever is higher – and regulators have shown they will use it. Total fines issued since GDPR came into force now stand at approximately €5.65 billion, with individual penalties reaching into the hundreds of millions.
The GDPR sets out two tiers of fines, calibrated to the severity of the breach. Both tiers apply to whichever figure is greater: the fixed maximum or the percentage of global annual turnover.
The lower tier applies to less severe infringements and covers failures related to:
1. Controllers and processors (Articles 8, 11, 25–39, 42, and 43)
2. Certification bodies (Articles 42 and 43)
3. Monitoring bodies (Article 41)
Lower-tier fines are typically imposed for administrative or technical failures – for example, failing to properly document data processing activities, failing to appoint a Data Protection Officer when one is required, or failing to conduct a Data Protection Impact Assessment for high-risk processing.
The higher tier is reserved for the most serious violations – those that strike at the core principles of data protection. It covers:
1. Basic principles of data processing (Articles 5, 6, and 9)
2. Conditions for consent (Article 7)
3. Data subjects’ rights (Articles 12–22)
4. Transfers of personal data to third countries or international organisations (Articles 44–49)
These fines apply where individuals’ rights and freedoms are directly affected – for instance, processing personal data without a lawful basis, ignoring erasure requests, or sending data to countries without adequate protection.
Lower tier violations (2% or €10 million):
– Collecting personal data of children without parental consent
– Failing to maintain records of data processing activities
– Not notifying authorities or individuals about a data breach
– Neglecting to carry out a Data Protection Impact Assessment
Higher tier violations (4% or €20 million):
– Processing personal data without a legitimate purpose
– Failing to obtain proper consent for data processing
– Not respecting data subjects’ rights (for example, the right to erasure)
– Transferring personal data to a third country without adequate safeguards
The fines are not theoretical. In May 2023, Meta received a €1.2 billion fine from the Irish Data Protection Commission for transferring European users’ personal data to the United States without adequate protection mechanisms – the largest GDPR fine to date.
Regulators do not apply fines mechanically. The final amount reflects a careful assessment of multiple factors to ensure penalties are effective, proportionate, and dissuasive in each case.
The nature and gravity of the infringement are the starting point in any assessment. Regulators examine the type of violation, how many people were affected, the category of data involved, and the actual or potential harm caused. A large-scale breach of sensitive personal data – health records, financial data, or biometric information – will be treated more seriously than an administrative lapse.
The scope and purpose of the processing also matter. Systematic, extensive profiling of individuals, or violations central to a company’s core business activities, increase the potential fine amount.
Yes. Intentional violations – where an organisation knowingly disregarded the law – are treated more seriously than negligent ones. Where senior management authorised unlawful processing with awareness of the risks, that weighs heavily against the organisation.
Negligent infringements, such as failures to train staff on data handling or implement adequate policies, can still attract significant fines. The distinction affects where within the tiered range the final penalty lands.
Steps taken to limit the impact of a breach are recognised as a mitigating factor. An organisation that responds quickly, notifies affected individuals promptly, offers support services, and implements additional security measures to prevent recurrence can expect this to be viewed favourably by the regulator.
This makes an effective data breach response plan a practical compliance investment, not just a box-ticking exercise. The alternative – delayed, incomplete, or absent response – can push a fine toward the top of the applicable range.
A company’s track record is directly relevant. Previous infringements – particularly those involving similar issues or occurring recently – are treated as aggravating factors. Repeated violations signal a persistent disregard for data protection and will increase the fine.
The absence of previous infringements is not treated as a mitigating factor. Compliance is the expected baseline, and organisations cannot treat a clean record as a reason for a reduced penalty if a violation occurs.
Enforcement has grown significantly in both frequency and scale since 2018. The cases below illustrate the range of violations that have attracted the largest penalties.
Meta Platforms Ireland – €1.2 billion (May 2023). The Irish Data Protection Commission issued the largest GDPR fine on record for Meta’s transfers of European users’ personal data to the United States without adequate safeguards. The fine reflected the scale of the transfers and the number of individuals affected.
TikTok Technology – €530 million (2025). The Irish Data Protection Commission issued this fine over TikTok’s transfers of European user data to China. It stands as the third-largest GDPR penalty on record and the largest fine issued under the GDPR outside the Meta case.
LinkedIn Ireland – €310 million (October 2024) The Irish Data Protection Commission fined LinkedIn for relying on invalid consent to process member data for behavioural analysis and targeted advertising, and for breaching transparency requirements under Articles 13 and 14 of the GDPR.
Uber Technologies – €290 million (2024) The Dutch Data Protection Authority fined Uber for improperly transferring European drivers’ personal data to the United States without the required safeguards.
Meta Platforms Ireland – €265 million (November 2022) A separate Irish DPC investigation into a data scraping incident that exposed the personal data of hundreds of millions of Facebook users.
Meta Platforms Ireland – €251 million (December 2024) A further Irish DPC fine related to a security breach from 2018 that exposed personal data including names, phone numbers, locations, and email addresses.
WhatsApp Ireland – €225 million (September 2021) The Irish DPC fined WhatsApp for failing to meet transparency obligations, including inadequate disclosure to users about how their personal data was shared with other Meta companies.
TikTok Technology – €345 million (September 2023) A separate Irish DPC action against TikTok concerning the processing of children’s personal data, including default public settings for child accounts and the use of a “Family Pairing” feature that did not adequately verify parental relationships.
The scale of enforcement has grown sharply since GDPR came into force. In November 2018, German chat app Knuddels received one of the first GDPR fines – €20,000 – after a breach exposed the data of 300,000 users. By 2023 and 2024, individual fines were reaching hundreds of millions of euros, with the cumulative total now standing at approximately €5.65 billion.
The direction of travel is consistent: authorities are more confident in their enforcement roles, more willing to investigate large technology companies, and more prepared to impose penalties at the upper end of the available range for serious violations.

Looking across GDPR enforcement, the violations that most frequently attract fines fall into a consistent pattern: insufficient legal basis for processing, inadequate technical and organisational measures, failures in transparency and information obligations, non-compliance with data subject rights requests, and unlawful international data transfers.
The concentration of large fines among technology platforms reflects both the scale of their data processing and the scrutiny applied by regulators – particularly the Irish DPC, which acts as lead supervisory authority for many companies with European headquarters in Ireland.
GDPR fines have grown substantially since enforcement began in 2018, with cumulative penalties now exceeding €5.65 billion. The two-tier structure, combined with regulators’ willingness to impose penalties in the hundreds of millions, means the financial consequences of non-compliance are real and significant.
The cases of Meta, TikTok, LinkedIn, and others demonstrate that violations across a wide range of GDPR obligations – from data transfers to consent practices to transparency requirements – can attract major fines. Organisations that process personal data of EU or UK residents should treat compliance as an ongoing operational priority, not a one-time exercise.
The highest tier of GDPR fines can reach €20 million or 4% of global annual turnover from the previous financial year, whichever is greater. This applies to the most serious violations, including unlawful processing, invalid consent, failure to respect data subjects’ rights, and unlawful international data transfers.
Lower tier fines apply to less serious infringements and are capped at €10 million or 2% of global annual turnover, whichever is higher. They typically cover administrative and procedural failures such as inadequate record-keeping, failure to appoint a DPO when required, or failure to notify regulators of a breach within 72 hours.
Under UK GDPR and the Data Protection Act 2018, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover for the most serious violations. The two-tier structure mirrors the EU GDPR framework, with a lower tier of up to £8.7 million or 2% of global turnover for less serious infringements.
The largest GDPR fine remains Meta’s €1.2 billion penalty from the Irish DPC in May 2023 for unlawful data transfers to the United States. Other major fines include Amazon (€746 million, 2021), TikTok (€530 million, 2025), LinkedIn (€310 million, 2024), Uber (€290 million, 2024), and multiple fines against Meta and WhatsApp ranging from €225 million to €265 million.
Regulators assess the nature, gravity, and duration of the infringement; whether it was intentional or negligent; the number of individuals affected; the categories of data involved; any steps taken to mitigate harm; the organisation’s compliance history; and the financial benefit gained from the violation. The final amount sits within the applicable tier but is set at a level designed to be effective, proportionate, and dissuasive for that specific case.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.