GDPR Enforcement Overview
The General Data Protection Regulation (GDPR) is enforced by supervisory authorities in each EU member state. These authorities have the power to issue substantial fines for non-compliance, making GDPR one of the most powerful privacy regulations in the world.
As of 2026, GDPR enforcement has matured significantly, with authorities issuing larger and more sophisticated penalties. Total fines across the EU have exceeded €4 billion since the regulation took effect.
GDPR Enforcement Key Facts
- Total Fines: Over €4 billion since 2018
- Maximum Fine: €20 million or 4% of global revenue
- Enforcement: National supervisory authorities
- Appeals: Can be challenged in national courts
GDPR Fine Tiers
Article 83 of GDPR establishes two tiers of administrative fines:
Tier 1: Less Serious Violations
For violations of certain articles, fines can reach up to:
- €10 million, or
- 2% of the company's total worldwide annual revenue from the preceding financial year
Whichever is higher.
Tier 2: More Serious Violations
For violations of other articles, fines can reach up to:
- €20 million, or
- 4% of the company's total worldwide annual revenue from the preceding financial year
Whichever is higher.
Which Violations Qualify for Each Tier?
| Tier 1 (Up to €10M or 2%) | Tier 2 (Up to €20M or 4%) |
|---|---|
| Article 8 (Children's consent) | Article 5 (Principles) |
| Article 11 (Processing requiring identification) | Article 6 (Lawfulness) |
| Articles 25-39 (Data protection by design, records, security) | Article 7 (Conditions for consent) |
| Article 41 (Data protection certification) | Article 9 (Special categories) |
| Article 42 (Certification criteria) | Article 12-22 (Data subject rights) |
| Article 43 (Certification bodies) | Article 44-49 (Transfers) |
Biggest GDPR Fines
Here are the largest GDPR fines issued to date:
Top 10 Largest GDPR Fines
| Company | Fine | Year | Country |
|---|---|---|---|
| Meta (Facebook) | €1.3 billion | 2023 | Ireland |
| Amazon | €746 million | 2022 | Luxembourg |
| Meta (Instagram) | €405 million | 2022 | Ireland |
| Google/TikTok (ByteDance) | €345 million | 2023 | France |
| Uber | €290 million | 2023 | Netherlands |
| €255 million | 2021 | Ireland | |
| H&M | €35.3 million | 2020 | Germany |
| British Airways | £20 million | 2020 | UK |
| Marriott | £18.4 million | 2020 | UK |
| €50 million | 2019 | France |
Note
Fines can be reduced through appeals. For example, the €1.3 billion Meta fine was reduced from an initial €1.2 billion. The largest fines often face lengthy legal challenges that can last years.
Real Examples of GDPR Violations
Understanding specific cases helps illustrate what triggers enforcement:
1. Meta (Facebook) - €1.3 Billion
Violation: Transfer of personal data to the US without adequate protections
Issue: The EU-US Privacy Shield was invalidated (Schrems II ruling), and Meta continued transferring data without proper safeguards. The fine was for systematic, repeated, and continuous data transfers.
2. Amazon - €746 Million
Violation: Personalized advertising and data processing
Issue: Amazon's advertising practices were found to violate GDPR through opaque processing of user data for targeted advertising, lack of proper consent mechanisms, and unfair data processing.
3. TikTok (ByteDance) - €345 Million
Violation: Handling of children's data
Issue: TikTok failed to protect children on its platform, including making children's accounts public by default, using dark patterns, and insufficient verification of user ages.
4. Uber - €290 Million
Violation: Unlawful data transfers and lack of transparency
Issue: Uber transferred driver data (including sensitive location data) to US servers without proper legal mechanisms and failed to adequately inform drivers about data processing.
5. H&M - €35.3 Million
Violation: Extensive employee monitoring
Issue: H&M monitored employees in Germany at call centers, storing detailed records of their personal lives, health conditions, and family problems in a "Spreadsheet of Sorrow."
6. Google - €50 Million
Violation: Lack of transparency and invalid consent
Issue: Google's privacy policy was too broad, combining data across services without clear consent. Users couldn't make informed choices about what data was collected.
Types of Violations Leading to Fines
Several categories of violations consistently trigger enforcement:
1. Data Transfers
International data transfers outside the EU/EEA remain a top enforcement priority:
- Transferring data without proper legal mechanism
- Failure to implement supplementary measures
- Reliance on invalidated Privacy Shield
- Inadequate SCCs (Standard Contractual Clauses)
2. Insufficient Legal Basis
Processing without proper legal grounds:
- Lacking valid consent
- Processing beyond consent scope
- Reliance on "legitimate interest" without proper assessment
3. Data Subject Rights Violations
Failure to honor individual rights:
- Ignoring or delaying access requests
- Not providing data in portable format
- Failing to delete data upon request
- Not having processes for handling requests
4. Transparency Violations
Inadequate information provision:
- Vague or incomplete privacy notices
- Burying important information in long policies
- Not disclosing third-party sharing
- Combining data without clear explanation
5. Security Failures
Inadequate technical and organizational measures:
- Data breaches due to poor security
- Failure to implement encryption
- Inadequate access controls
- Lack of incident response procedures
6. Children's Data Protection
Special category requiring extra care:
- Processing children's data without proper verification
- Making children's profiles public by default
- Using children's data for profiling or advertising
- Not providing age-appropriate interfaces
Mitigation and Aggravating Factors
Supervisory authorities consider various factors when determining fine amounts:
Aggravating Factors (Increase Fine)
- Nature, gravity, and duration of violation
- Number of data subjects affected
- Level of damage suffered
- Intentional nature of violation
- Lack of cooperation with authority
- Previous violations
- Financial benefit gained
Mitigating Factors (Reduce Fine)
- Nature of violation (unintentional)
- Prompt remediation after discovery
- Good faith efforts to comply
- Cooperation with supervisory authority
- Prior compliance program
- Data minimization efforts
- Quick implementation of technical measures
Cooperation Matters
Companies that proactively engage with supervisory authorities, demonstrate good faith efforts, and cooperate during investigations consistently receive lower fines than those that are combative or non-cooperative.
How to Avoid GDPR Fines
Following these practices can help minimize enforcement risk:
1. Lawful Basis for Processing
- Document your legal basis for each processing activity
- Ensure consent is valid (freely given, specific, informed, unambiguous)
- Review legitimate interest assessments for validity
- Don't rely on consent for processing that's necessary
2. Data Subject Rights
- Establish clear processes for handling requests
- Train staff to recognize and escalate requests
- Respond within one month (extendable to two)
- Verify identity before fulfilling requests
- Document all requests and responses
3. Privacy Notices
- Write clear, accessible privacy policies
- Disclose all data collection and purposes
- Identify all third parties receiving data
- Explain data retention periods
- Provide information about data subject rights
4. Data Transfers
- Map all international data flows
- Use approved transfer mechanisms (SCCs, BCRs)
- Conduct transfer impact assessments
- Implement supplementary measures where needed
- Stay current on EU-US frameworks
5. Security Measures
- Implement appropriate technical measures
- Conduct regular security testing
- Train employees on data security
- Have breach detection and response procedures
- Maintain incident logs
6. Documentation
- Maintain records of processing activities (Article 30)
- Document DPIAs for high-risk processing
- Keep evidence of consent
- Record security measures implemented
- Document data breach decisions
7. Children
- Implement age verification mechanisms
- Apply age-appropriate defaults
- Don't process children's data for advertising
- Obtain parental consent where required
- Design child-friendly interfaces
Analyze Your Privacy Policy
Use PolicyLens to identify potential GDPR compliance gaps in your privacy policy before they become costly enforcement issues.
Analyze Your Policy Free