GDPR Enforcement and Fines
Articles 83 and 84 of the GDPR establish the framework for administrative fines. Supervisory authorities have imposed significant penalties since the GDPR came into force on 25 May 2018. Fines must be effective, proportionate and dissuasive in each individual case (Art. 83(1)).
When determining the amount of a fine, supervisory authorities consider: the nature, gravity and duration of the infringement; the intentional or negligent character; actions taken to mitigate damage; degree of responsibility; previous infringements; degree of cooperation; categories of personal data affected; and other aggravating or mitigating factors (Art. 83(2)).
Fine Tiers
| Tier | Maximum Fine | Legal Basis | Example Violations |
|---|---|---|---|
| Lower Tier | Up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is greater | Article 83(4) | Obligations of the controller and processor (Art. 8, 11, 25-39, 42, 43), obligations of certification bodies (Art. 42, 43), obligations of monitoring bodies (Art. 41(4)). |
| Upper Tier | Up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is greater | Article 83(5) | Basic principles for processing including conditions for consent (Art. 5, 6, 7, 9), data subject rights (Art. 12-22), international transfers (Art. 44-49), non-compliance with an order by a supervisory authority (Art. 58(2)). |
Notable Enforcement Actions
The following table lists ten of the largest GDPR fines imposed as of early 2025. Some decisions are subject to appeal or have been reduced on appeal.
| # | Organisation | Amount | Year | Authority | Violation | Articles |
|---|---|---|---|---|---|---|
| 1 | Meta Platforms Ireland | EUR 1,200,000,000 | 2023 | DPC (Ireland) | Transfer of personal data to the US without adequate safeguards following the Schrems II judgment. Systematic and large-scale transfers of EU user data without a valid transfer mechanism. | Art. 46(1) |
| 2 | Amazon Europe Core | EUR 746,000,000 | 2021 | CNPD (Luxembourg) | Processing personal data for targeted advertising without valid consent. Non-compliance with general data processing principles. | Art. 6, Art. 5 |
| 3 | Meta Platforms Ireland (Instagram) | EUR 405,000,000 | 2022 | DPC (Ireland) | Processing children's personal data, including making phone numbers and email addresses of minors publicly available on Instagram business accounts. | Art. 6(1), Art. 8, Art. 12-13 |
| 4 | Meta Platforms Ireland (Facebook) | EUR 390,000,000 | 2023 | DPC (Ireland) | Reliance on contractual necessity as a lawful basis for behavioural advertising, found to be invalid. Lack of transparency regarding data processing for advertising. | Art. 6(1)(b), Art. 5(1)(a), Art. 12-13 |
| 5 | TikTok Technology Limited | EUR 345,000,000 | 2023 | DPC (Ireland) | Processing of children's data, including default public account settings for child users and a 'Family Pairing' feature that allowed unverified adults to pair with child accounts. | Art. 5(1)(c), Art. 5(1)(f), Art. 24, Art. 25 |
| 6 | Meta Platforms Ireland (WhatsApp) | EUR 225,000,000 | 2021 | DPC (Ireland) | Failure to provide adequate transparency information to users and non-users regarding data processing, particularly data sharing with other Meta companies. | Art. 5(1)(a), Art. 12, Art. 13, Art. 14 |
| 7 | Google LLC | EUR 150,000,000 | 2022 | CNIL (France) | Making it difficult for users to refuse cookies on google.fr and youtube.com. Reject option required multiple clicks while accept was available in one click. | Art. 82 (Loi Informatique et Libertés) / ePrivacy |
| 8 | Google Ireland | EUR 90,000,000 | 2022 | CNIL (France) | YouTube cookie consent mechanism did not allow users to refuse cookies as easily as accepting them, violating requirements for valid consent. | Art. 82 (Loi Informatique et Libertés) / ePrivacy |
| 9 | Clearview AI | EUR 20,000,000 | 2022 | CNIL (France) / Garante (Italy) / ICO (UK) / DPA (Greece) | Unlawful processing of biometric data by scraping publicly available images from the internet to build a facial recognition database without a lawful basis or transparency. | Art. 6, Art. 9, Art. 12-14, Art. 15, Art. 17, Art. 27 |
| 10 | Criteo | EUR 40,000,000 | 2023 | CNIL (France) | Processing personal data for personalised advertising without valid consent. Insufficient information provided to data subjects about data collection and processing. | Art. 7, Art. 13, Art. 15, Art. 17, Art. 26 |
Supervisory Authorities (Selected)
Each EU/EEA Member State has one or more independent supervisory authorities responsible for monitoring GDPR compliance (Art. 51). The following is a selection of the most active authorities.
| Country | Authority | Abbreviation | Website |
|---|---|---|---|
| Austria | Datenschutzbehörde | DSB | dsb.gv.at |
| Belgium | Autorité de protection des données | APD/GBA | dataprotectionauthority.be |
| France | Commission nationale de l'informatique et des libertés | CNIL | cnil.fr |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | BfDI | bfdi.bund.de |
| Ireland | Data Protection Commission | DPC | dataprotection.ie |
| Italy | Garante per la protezione dei dati personali | Garante | garanteprivacy.it |
| Netherlands | Autoriteit Persoonsgegevens | AP | autoriteitpersoonsgegevens.nl |
| Poland | Urząd Ochrony Danych Osobowych | UODO | uodo.gov.pl |
| Spain | Agencia Española de Protección de Datos | AEPD | aepd.es |
| Sweden | Integritetsskyddsmyndigheten | IMY | imy.se |
European Data Protection Board (EDPB)
The EDPB is established under Article 68 of the GDPR as an independent body that contributes to the consistent application of data protection rules throughout the EU. It issues guidelines, recommendations, and best practices, and resolves disputes between supervisory authorities. The EDPB replaced the Article 29 Working Party on 25 May 2018. Website: edpb.europa.eu
Disclaimer
This page provides general information about GDPR enforcement and does not constitute legal advice. Fine amounts and details are sourced from publicly available enforcement decisions and may be subject to appeal or revision. Consult qualified legal counsel for guidance specific to your organisation.