EuroComply

How much can my company be fined under GDPR?

GDPR carries penalties of up to €20M or 4% of global turnover. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

Maximum fine: €20M or 4% of global turnover, whichever is higher.

Source: Regulation (EU) 2016/679

How GDPR penalties work

GDPR Article 83 establishes a two-tier fine structure. The upper tier — up to €20M or 4% of global annual turnover — applies to the most fundamental data protection violations including unlawful processing, data transfers, and breach of data subject rights. The lower tier — €10M or 2% — covers procedural and administrative obligations such as recordkeeping, DPO appointment failures, and breach notification delays.

Fine tiers by article

Art. 83(5): up to €20,000,000 or 4% of global turnover

Most serious violations: basic principles, lawful basis, data subject rights, transfers, and obligations under member state law.

Applies to:

  • Processing personal data without lawful basis (Art. 6)
  • Unlawful international data transfers (Art. 44–49)
  • Violation of data subject rights (Art. 12–22): access, erasure, portability
  • Failure to comply with EDPB binding decisions
  • Absence of consent or invalid consent under Art. 7

Source: EUR-Lex, Art. 83(5)

Art. 83(4): up to €10,000,000 or 2% of global turnover

Administrative and procedural violations: recordkeeping, DPO, breach notification, processor obligations.

Applies to:

  • Failure to maintain records of processing activities (ROPA) (Art. 30)
  • Failure to notify supervisory authority of a breach within 72 hours (Art. 33)
  • Not appointing a DPO when required (Art. 37)
  • Failure to conduct a DPIA when required (Art. 35)
  • Processor non-compliance with Art. 28 requirements

Source: EUR-Lex, Art. 83(4)

Stacked exposure with other EU regulations

GDPR fines can stack with national ePrivacy penalties (cookie law), NIS2 fines where the breach also constitutes a cybersecurity incident, and DORA sanctions in the financial sector. Regulators have imposed multiple simultaneous fines for the same underlying incident.


Frequently asked questions

What is the maximum GDPR fine?

The maximum GDPR fine is €20,000,000 or 4% of global annual turnover — whichever is higher — for the most serious violations under Article 83(5), including unlawful processing, invalid data transfers, and breach of data subject rights.

Who issues GDPR fines?

GDPR fines are issued by national Data Protection Authorities (DPAs), such as Ireland's DPC, France's CNIL, Germany's state DPAs (Landesdatenschutzbehörden), Spain's AEPD, and Italy's Garante. The European Data Protection Board (EDPB) can issue binding decisions in cross-border cases.

Can a small business receive a maximum GDPR fine?

In theory yes, but in practice DPAs apply proportionality. Article 83(1) requires penalties to be 'effective, proportionate and dissuasive'. SMEs typically receive lower fines, but turnover-based fines (4% of global revenue) mean even a €5M-revenue company could face up to €200,000.

What is your stacked fine exposure across all EU regulations?

Calculate your combined risk across GDPR, NIS2, AI Act, DORA, and more — free, no signup.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
