EuroComply
Fine exposure

How much can my company be fined under GDPR?

GDPR carries penalties of up to €20M or 4% of global turnover. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

GDPR penalties are among the highest in EU law, reaching €20 million or 4% of global annual turnover for serious violations. Data Protection Authorities in all 27 EU member states actively enforce these rules, with thousands of fines issued annually since 2018.

  • Regulation: Regulation (EU) 2016/679 — GDPR
  • Maximum fine (serious breaches): €20 million or 4% of global turnover
  • Maximum fine (other breaches): €10 million or 2% of global turnover
  • Enforcer: Data Protection Authority (DPA) in each member state
  • In force since: May 25, 2018 (6 years of enforcement history)

Common Questions

What are GDPR penalty tiers?
GDPR has two main penalty tiers: €10 million or 2% of annual global turnover (Article 83(4)) for violations including unlawful processing, failure to provide transparency, and procedural violations; €20 million or 4% of global turnover (Article 83(5)) for the most serious violations including processing without lawful basis, violating data subject rights, and international transfer violations.
How do DPAs calculate GDPR fines?
DPAs use: nature/gravity of the violation, intentionality, duration of breach, organizational size, prior violations, cooperation with the DPA, and remediation measures. The European Data Protection Board (EDPB) publishes fine benchmarks and guidelines to guide DPA decision-making.
What actions trigger GDPR penalties?
GDPR penalties apply to: processing without lawful basis, failure to obtain consent, lack of transparency, refusal to honour data subject rights, inadequate security, non-reporting of breaches, transfer of data outside the EEA without adequate safeguards, and failure to conduct Data Protection Impact Assessments.
Can organizations reduce their GDPR fines?
Yes. Cooperation with the DPA, voluntary disclosure of breaches, implementation of remedial measures, demonstrating Privacy by Design, and maintaining good compliance history all reduce fines. Some DPAs also reduce penalties for SMEs.
How many GDPR fines have been issued?
Since May 2018, over 2,800 GDPR fines have been issued across the EU. Notable enforcement: Meta (€1.2B for data transfers to US), Amazon (€746M for transparency), Google (€90M for consent), and thousands of SME cases.
What is the largest GDPR fine ever issued?
The largest GDPR fine is €1.2 billion imposed on Meta Platforms Ireland Limited (2023) for unlawful personal data transfers to the US without adequate safeguards. The second-largest is €750 million to Amazon (2021) for opaque consent mechanisms.

Maximum fine

€20M

or 4% of global turnover — whichever is higher

Source: Regulation (EU) 2016/679

How GDPR penalties work

GDPR Article 83 establishes a two-tier fine structure. The upper tier — up to €20M or 4% of global annual turnover — applies to the most fundamental data protection violations including unlawful processing, data transfers, and breach of data subject rights. The lower tier — €10M or 2% — covers procedural and administrative obligations such as recordkeeping, DPO appointment failures, and breach notification delays.

Fine tiers by article

Art. 83(5)

Most serious violations: basic principles, lawful basis, data subject rights, transfers, and obligations under member state law

€20,000,000

or 4% of global turnover

Applies to:

  • Processing personal data without lawful basis (Art. 6)
  • Unlawful international data transfers (Art. 44–49)
  • Violation of data subject rights (Art. 12–22): access, erasure, portability
  • Failure to comply with EDPB binding decisions
  • Absence of consent or invalid consent under Art. 7

Source: EUR-Lex — Art. 83(5)

Art. 83(4)

Administrative and procedural violations: recordkeeping, DPO, breach notification, processor obligations

€10,000,000

or 2% of global turnover

Applies to:

  • Failure to maintain ROPA (Art. 30)
  • Failure to notify supervisory authority of a breach within 72 hours (Art. 33)
  • Not appointing a DPO when required (Art. 37)
  • Failure to conduct a DPIA when required (Art. 35)
  • Processor non-compliance with Art. 28 requirements

Source: EUR-Lex — Art. 83(4)

Stacked exposure with other EU regulations

GDPR fines can stack with national ePrivacy penalties (cookie law), NIS2 fines where the breach also constitutes a cybersecurity incident, and DORA sanctions in the financial sector. Regulators have imposed multiple simultaneous fines for the same underlying incident.


Frequently asked questions

What is the maximum GDPR fine?

The maximum GDPR fine is €20,000,000 or 4% of global annual turnover — whichever is higher — for the most serious violations under Article 83(5), including unlawful processing, invalid data transfers, and breach of data subject rights.

Who issues GDPR fines?

GDPR fines are issued by national Data Protection Authorities (DPAs), such as Ireland's DPC, France's CNIL, Germany's state DPAs (Landesdatenschutzbehörden), Spain's AEPD, and Italy's Garante. The European Data Protection Board (EDPB) can issue binding decisions in cross-border cases.

Can a small business receive a maximum GDPR fine?

In theory, yes, but in practice DPAs apply proportionality. Article 83(1) requires penalties to be 'effective, proportionate and dissuasive'. SMEs typically receive lower fines, but because the cap is turnover-based (4% of global revenue), even a company with €5M in revenue could face up to €200,000.

What is your stacked fine exposure across all EU regulations?

Calculate your combined risk across GDPR, NIS2, AI Act, DORA, and more — free, no signup.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
