GDPR Fines and Penalties: 2026 Guide

Everything you need to know about GDPR enforcement, including fine tiers, the biggest fines issued, and strategies to avoid penalties.

15 min read Updated April 2026

GDPR Enforcement Overview

The General Data Protection Regulation (GDPR) is enforced by supervisory authorities in each EU member state. These authorities have the power to issue substantial fines for non-compliance, making GDPR one of the most powerful privacy regulations in the world.

As of 2026, GDPR enforcement has matured significantly, with authorities issuing larger and more sophisticated penalties. Total fines across the EU have exceeded €4 billion since the regulation took effect.

GDPR Enforcement Key Facts

  • Total Fines: Over €4 billion since 2018
  • Maximum Fine: €20 million or 4% of global revenue
  • Enforcement: National supervisory authorities
  • Appeals: Can be challenged in national courts

GDPR Fine Tiers

Article 83 of GDPR establishes two tiers of administrative fines:

Tier 1: Less Serious Violations

For violations of certain articles, fines can reach up to:

  • €10 million, or
  • 2% of the company's total worldwide annual revenue from the preceding financial year

Whichever is higher.

Tier 2: More Serious Violations

For violations of other articles, fines can reach up to:

  • €20 million, or
  • 4% of the company's total worldwide annual revenue from the preceding financial year

Whichever is higher.

Which Violations Qualify for Each Tier?

Tier 1 (Up to €10M or 2%) Tier 2 (Up to €20M or 4%)
Article 8 (Children's consent) Article 5 (Principles)
Article 11 (Processing requiring identification) Article 6 (Lawfulness)
Articles 25-39 (Data protection by design, records, security) Article 7 (Conditions for consent)
Article 41 (Data protection certification) Article 9 (Special categories)
Article 42 (Certification criteria) Article 12-22 (Data subject rights)
Article 43 (Certification bodies) Article 44-49 (Transfers)

Biggest GDPR Fines

Here are the largest GDPR fines issued to date:

Top 10 Largest GDPR Fines

Company Fine Year Country
Meta (Facebook) €1.3 billion 2023 Ireland
Amazon €746 million 2022 Luxembourg
Meta (Instagram) €405 million 2022 Ireland
Google/TikTok (ByteDance) €345 million 2023 France
Uber €290 million 2023 Netherlands
WhatsApp €255 million 2021 Ireland
H&M €35.3 million 2020 Germany
British Airways £20 million 2020 UK
Marriott £18.4 million 2020 UK
Google €50 million 2019 France

Note

Fines can be reduced through appeals. For example, the €1.3 billion Meta fine was reduced from an initial €1.2 billion. The largest fines often face lengthy legal challenges that can last years.

Real Examples of GDPR Violations

Understanding specific cases helps illustrate what triggers enforcement:

1. Meta (Facebook) - €1.3 Billion

Violation: Transfer of personal data to the US without adequate protections

Issue: The EU-US Privacy Shield was invalidated (Schrems II ruling), and Meta continued transferring data without proper safeguards. The fine was for systematic, repeated, and continuous data transfers.

2. Amazon - €746 Million

Violation: Personalized advertising and data processing

Issue: Amazon's advertising practices were found to violate GDPR through opaque processing of user data for targeted advertising, lack of proper consent mechanisms, and unfair data processing.

3. TikTok (ByteDance) - €345 Million

Violation: Handling of children's data

Issue: TikTok failed to protect children on its platform, including making children's accounts public by default, using dark patterns, and insufficient verification of user ages.

4. Uber - €290 Million

Violation: Unlawful data transfers and lack of transparency

Issue: Uber transferred driver data (including sensitive location data) to US servers without proper legal mechanisms and failed to adequately inform drivers about data processing.

5. H&M - €35.3 Million

Violation: Extensive employee monitoring

Issue: H&M monitored employees in Germany at call centers, storing detailed records of their personal lives, health conditions, and family problems in a "Spreadsheet of Sorrow."

6. Google - €50 Million

Violation: Lack of transparency and invalid consent

Issue: Google's privacy policy was too broad, combining data across services without clear consent. Users couldn't make informed choices about what data was collected.

Types of Violations Leading to Fines

Several categories of violations consistently trigger enforcement:

1. Data Transfers

International data transfers outside the EU/EEA remain a top enforcement priority:

  • Transferring data without proper legal mechanism
  • Failure to implement supplementary measures
  • Reliance on invalidated Privacy Shield
  • Inadequate SCCs (Standard Contractual Clauses)

2. Insufficient Legal Basis

Processing without proper legal grounds:

  • Lacking valid consent
  • Processing beyond consent scope
  • Reliance on "legitimate interest" without proper assessment

3. Data Subject Rights Violations

Failure to honor individual rights:

  • Ignoring or delaying access requests
  • Not providing data in portable format
  • Failing to delete data upon request
  • Not having processes for handling requests

4. Transparency Violations

Inadequate information provision:

  • Vague or incomplete privacy notices
  • Burying important information in long policies
  • Not disclosing third-party sharing
  • Combining data without clear explanation

5. Security Failures

Inadequate technical and organizational measures:

  • Data breaches due to poor security
  • Failure to implement encryption
  • Inadequate access controls
  • Lack of incident response procedures

6. Children's Data Protection

Special category requiring extra care:

  • Processing children's data without proper verification
  • Making children's profiles public by default
  • Using children's data for profiling or advertising
  • Not providing age-appropriate interfaces

Mitigation and Aggravating Factors

Supervisory authorities consider various factors when determining fine amounts:

Aggravating Factors (Increase Fine)

  • Nature, gravity, and duration of violation
  • Number of data subjects affected
  • Level of damage suffered
  • Intentional nature of violation
  • Lack of cooperation with authority
  • Previous violations
  • Financial benefit gained

Mitigating Factors (Reduce Fine)

  • Nature of violation (unintentional)
  • Prompt remediation after discovery
  • Good faith efforts to comply
  • Cooperation with supervisory authority
  • Prior compliance program
  • Data minimization efforts
  • Quick implementation of technical measures

Cooperation Matters

Companies that proactively engage with supervisory authorities, demonstrate good faith efforts, and cooperate during investigations consistently receive lower fines than those that are combative or non-cooperative.

How to Avoid GDPR Fines

Following these practices can help minimize enforcement risk:

1. Lawful Basis for Processing

  • Document your legal basis for each processing activity
  • Ensure consent is valid (freely given, specific, informed, unambiguous)
  • Review legitimate interest assessments for validity
  • Don't rely on consent for processing that's necessary

2. Data Subject Rights

  • Establish clear processes for handling requests
  • Train staff to recognize and escalate requests
  • Respond within one month (extendable to two)
  • Verify identity before fulfilling requests
  • Document all requests and responses

3. Privacy Notices

  • Write clear, accessible privacy policies
  • Disclose all data collection and purposes
  • Identify all third parties receiving data
  • Explain data retention periods
  • Provide information about data subject rights

4. Data Transfers

  • Map all international data flows
  • Use approved transfer mechanisms (SCCs, BCRs)
  • Conduct transfer impact assessments
  • Implement supplementary measures where needed
  • Stay current on EU-US frameworks

5. Security Measures

  • Implement appropriate technical measures
  • Conduct regular security testing
  • Train employees on data security
  • Have breach detection and response procedures
  • Maintain incident logs

6. Documentation

  • Maintain records of processing activities (Article 30)
  • Document DPIAs for high-risk processing
  • Keep evidence of consent
  • Record security measures implemented
  • Document data breach decisions

7. Children

  • Implement age verification mechanisms
  • Apply age-appropriate defaults
  • Don't process children's data for advertising
  • Obtain parental consent where required
  • Design child-friendly interfaces

Analyze Your Privacy Policy

Use PolicyLens to identify potential GDPR compliance gaps in your privacy policy before they become costly enforcement issues.

Analyze Your Policy Free