In the European Union (EU) and European Economic Area (EEA), the General Data Protection Regulation (GDPR) has applied since May 2018. It was designed to strengthen individuals’ control over their personal data and set clear expectations for how organizations collect, use, and share that data.
Since its introduction, the GDPR has become the world’s most influential privacy framework, shaping laws far beyond Europe and fundamentally changing how companies approach data governance.
Enforcement has only intensified, with regulatory fines and investigations serving as a visible reminder that privacy compliance is now a core business issue and not just a legal afterthought.
Companies of any size can be fined for data protection breaches, but the news stories that make headlines often involve tech giants with global reach and billions of users. GDPR fines for misusing personal data in those cases have risen into the billions.
At a glance
- GDPR fines can reach up to €20 million or 4% of global annual turnover, making noncompliance a serious financial risk.
- Regulators consider severity, intent, duration, cooperation, and prior violations when deciding fine amounts.
- Any organization processing EU or UK resident data can be fined, regardless of size, sector, or location.
- Invalid consent, unlawful data transfers, and weak security measures are among the most common causes of fines.
- Data processors can be held directly liable under the GDPR and are subject to enforcement actions for violations of their own statutory obligations.
- Strong compliance programs and fast breach response can help reduce the risk of fines and reputational damage.
What are GDPR fines and penalties?
If a company that processes personal data belonging to EU residents — including special categories of personal data, often referred to as sensitive data in laws outside the EU — is found to have violated the EU’s General Data Protection Regulation (GDPR), it can face several types of penalties, outlined in Art. 83 GDPR.
Data protection authorities (DPAs) can impose administrative GDPR fines, including the maximum penalty, depending on the severity and nature of the infringement. Beyond fines, a DPA can:
- Issue warnings and reprimands
- Order organizations to comply with the GDPR
- Impose temporary or permanent restrictions on processing
- Order the erasure, rectification, or restriction of personal data
- Suspend or prohibit international data transfers to third countries
- Approve, withdraw, or revoke certifications and codes of conduct
- Order controllers or processors to respond to data subject requests
- Carry out investigations and audits
Administrative fines are probably the most well-known penalty of the GDPR. There are two levels of administrative fines, depending on the severity of the infraction and other considerations.
Tier one administrative fines
First-tier GDPR fines are generally for first-time or less severe infractions. They can be up to EUR 10 million per infraction or two percent of global annual turnover for the preceding financial year, whichever is greater.
Tier two administrative fines
Second-tier GDPR fines are generally for repeat violators or more severe infractions. They can be up to EUR 20 million per infraction or four percent of global annual turnover for the preceding financial year, whichever is higher. These maximum GDPR fines are reserved for the most serious or repeat offenses.
What regulators consider when issuing GDPR fines
When a breach is identified, data protection authorities evaluate a defined set of criteria to determine the appropriate fine. These include:
- The nature, gravity, and duration of the infringement
- Whether the violation was intentional or negligent, including whether it is a repeat infringement
- Any action taken by the organization to mitigate damage
- The degree of cooperation with supervisory authorities during investigations
- The categories of personal data affected
- Any relevant previous infringements
- How the supervisory authority became aware of the infringement
- Whether the organization complied with approved codes of conduct or certification mechanisms
- Any financial benefits gained, or losses avoided, as a result of the infringement
This framework is designed to make fines proportionate to the offense and to account for the specific circumstances of each case.
Who can be fined under the GDPR?
Any organization that processes the data of EU residents or monitors their behavior and fails to comply with GDPR requirements can be fined, whether or not the entity is also located in the EU. So a U.S.-based company with EU-based customers would still have to comply with the GDPR.
This includes data controllers, data processors, and joint controllers (two or more entities that jointly determine the purposes and means of processing personal data).
While violations tend to affect commercial entities, other types of organizations can be fined for data privacy violations under the GDPR as well. This includes nonprofit organizations and charities.
Enforcement action against smaller entities is also more common than many people think, largely because only massive fines levied against big tech companies tend to garner headlines.
However, even a fine that’s much less than a billion dollars can be a substantial financial hit for a small organization.
Can data processors be fined under GDPR?
In short, yes. Data processors process personal data on behalf of and under the instruction and authority of data controllers, but are not immune from penalties.
GDPR compliance failures for data processors could include not implementing appropriate security measures, processing data for purposes not stated or for which there is not a valid legal basis, or failing to work with the data controller to fulfill obligations under the GDPR.
Can employees be fined under the GDPR?
Generally, employees of organizations would not be fined under the GDPR, as responsibility tends to fall on the company (controller) or the data processor(s), not individuals.
Employees certainly play a role in GDPR compliance, and can be partly responsible for a violation, like a data breach. Where there is a deliberate or recklessly damaging action that results in a GDPR violation, an employee could be subject to disciplinary action by their employer and could be penalized by other relevant laws.
Organizations are expected to provide employees with appropriate training and guidelines for data security and handling, and companies should have clear, accessible policies in place around data access, security, and related concerns.
Can individuals be fined under GDPR?
Private persons cannot be fined under the GDPR, but can be held liable for actions or negligence regarding data protection. Many countries have additional data privacy and security laws, and individuals involved in a data breach, for example, could face criminal or civil legal consequences.
What happens after a GDPR breach?
Breach response at a glance:
- Step 1: Identify and assess the breach quickly
- Step 2: Report to the data protection authority within 72 hours
- Step 3: Take steps to contain the breach and reduce impact
- Step 4: Document all details of the incident and response
- Step 5: Authorities may investigate and impose corrective measures
- Step 6: Consider reputational, operational, and legal consequences
A clear, fast, and organized response helps maintain trust and reduce risk.
When a GDPR breach occurs, the affected organization must act quickly. Under the regulation, any personal data breach that may pose a risk to individuals’ rights and freedoms must be reported to the relevant data protection authority within 72 hours.
In some cases, a company must also inform affected individuals without undue delay.
A typical breach response includes:
- Investigating the cause and scope of the breach
- Notifying the appropriate authorities and individuals, if necessary
- Taking steps to contain and mitigate the breach’s impact
- Documenting all details of the incident and the response
The supervisory authority may launch an investigation. If the organization is found to have failed in its data protection duties, fines or corrective measures may follow.
These can include warnings, orders to change data processing practices, temporary data restrictions, or maximum GDPR fines.
Beyond financial penalties, a breach can have serious reputational, operational, and legal consequences. A swift, transparent, and effective response can help minimize damage and mitigate loss of trust.
UK GDPR fines and penalties
GDPR enforcement doesn’t stop at EU borders. Post-Brexit, the UK enforces its own version of the regulation with similar consequences.
Upon leaving the European Union on January 31, 2020, the United Kingdom adopted a near-identical version of the GDPR, commonly referred to as the UK GDPR. In the years since, that regulation has evolved, and it works in conjunction with additional UK data protection legislation, such as the Data (Use and Access) Act.
Fines and penalties for noncompliance remain aligned with the original EU regulation. UK GDPR enforcement is the responsibility of the Information Commissioner’s Office (ICO), and as with the EU GDPR, there are two tiers of fines.
Tier one administrative fines under the UK GDPR
First-tier UK GDPR fines are for first-time or less severe infractions. They can be up to GBP 8.7 million or two percent of global annual turnover for the preceding financial year, whichever is greater.
Tier two administrative fines under the UK GDPR
Second-tier UK GDPR fines are for repeat violators or more severe infractions. They can be up to GBP 17.5 million or four percent of global annual turnover for the preceding financial year, whichever is greater.
What are the biggest GDPR fines so far?
There have been hundreds of thousands of breach notifications sent to organizations under GDPR rules. Enforcement activity has been increasing each year since the law came into effect in 2018.
According to the GDPR Enforcement Tracker, authorities continue to issue GDPR fines at a steady rate. More than 360 fines were reported on the site in 2025 alone.
Here are the biggest GDPR fines imposed on companies by the EU DPAs in the past five years.
1. Meta (Facebook) — EUR 1.2 Billion
In May 2023, Ireland’s Data Protection Commission handed Meta a record-breaking EUR 1.2 billion fine. The issue? Meta was systematically transferring European user data to U.S. servers without proper safeguards against surveillance laws.
The Irish regulator found that relying on Standard Contractual Clauses (SCCs) wasn’t enough to protect EU citizens at the same level they’d expect at home. This landmark ruling made one thing clear: data sovereignty isn’t optional. If you’re operating across borders, you need to prove that user data gets the same protection wherever it goes.
2. Amazon Europe — EUR 746 Million
Luxembourg’s data authority, the CNPD, issued a EUR 746 million fine to Amazon in July 2021 following an investigation into its ad-targeting systems. A complaint representing 10,000 people alleged the company was targeting ads without obtaining genuine, freely given consent.
In response, the CNPD opened an investigation into how Amazon processes the personal data of its customers and found infringements stemming from Amazon’s advertising targeting system, where ad targeting was carried out without proper consent.
Amazon pushed back, arguing the decision was based on subjective interpretations. But the ruling shows how behavioral advertising is under the microscope.
3. TikTok — EUR 530 Million
In April 2025, the Irish DPC fined TikTok EUR 530 million after discovering that personal data belonging to European users had been stored on and accessed from servers in China. The inquiry found that TikTok failed to verify or guarantee that the data transfers were subject to protections essentially equivalent to those in the EU, violating Art. 46(1) GDPR.
The investigation also revealed that TikTok’s public privacy policies between 2020 and 2022 were not transparent enough regarding the scope of remote access by personnel based in China. As a result of the ruling, TikTok was ordered to bring its cross-border data processing into compliance within six months or face a total suspension of further EEA data transfers to China.
4. Meta (Facebook) — EUR 479 Million
In November 2025, the Commercial Court of Madrid ordered Meta to pay EUR 479 million in damages relating to GDPR violations to 87 Spanish digital press publishers and news agencies. The court found that Meta had unlawfully processed user information for targeted advertising between May 2018 and August 2023 by relying on “contractual necessity” rather than user consent.
The judge estimated that Meta’s entire advertising profit in Spain during this five-year period was generated while in breach of the GDPR. The ruling noted that this practice gave Meta an unfair competitive advantage, and the company has since indicated its intention to appeal the court’s decision.
5. Meta (Instagram) — EUR 405 Million
In September 2022, the Irish DPC issued a EUR 405 million fine following an inquiry into Instagram’s processing of children’s data. Regulators found that children using business accounts had their phone numbers and email addresses publicly displayed by default. Additionally, the platform automatically set children’s personal accounts to “public” during the period investigated.
The decision emphasized that Meta could not rely on “legitimate interest” to justify the public disclosure of a minor’s contact details. The settlement included a formal reprimand and a compliance order requiring Meta to implement specific technical changes to how it manages the default privacy settings for younger users.
6. Meta (Facebook/Instagram) — EUR 390 Million
In January 2023, the Irish DPC fined Meta EUR 210 million for Facebook violations and EUR 180 million for Instagram violations. The cases focused on the “legal basis” Meta used for behavioral advertising, specifically their argument that targeted ads were a necessary part of the user contract.
The DPC concluded that Meta had effectively forced users to accept personalized tracking as a condition of using the platforms. In addition to the fine, Meta was ordered to modify its data processing framework within three months to provide users with a clearer, valid choice regarding ad-targeting.
7. TikTok — EUR 345 Million
The Irish DPC fined TikTok EUR 345 million in September 2023 for breaches related to the default account settings for child users. The investigation found that between July and December 2020, children’s profiles were public by default, making their content and location data visible to anyone online.
Regulators also scrutinized the “Family Pairing” feature, which allowed adults to link their accounts to children’s accounts without sufficient verification. TikTok was required to update its privacy settings and design practices within three months to better safeguard minors.
8. LinkedIn — EUR 310 Million
In another example of a data protection breach, LinkedIn was fined EUR 310 million by the Irish DPC in October 2024 for failing to establish a valid legal basis for behavioral analysis and targeted advertising. The inquiry found that LinkedIn’s use of both first-party and third-party member data for ads was not supported by “freely given” or “informed” consent.
The DPC also found that the platform breached transparency and fairness principles by not clearly informing users how their data was being handled for ad profiling. Along with the GDPR fine, LinkedIn was issued a reprimand and ordered to align its advertising processing with GDPR standards within three months.
9. Uber — EUR 290 Million
The Dutch Data Protection Authority (DPA) fined Uber EUR 290 million in July 2024 for transferring the personal data of European drivers to the U.S. without appropriate safeguards. The investigation found that Uber removed Standard Contractual Clauses (SCCs) from its internal agreements in 2021 but continued to move location data, payment details, and photos to its U.S. headquarters.
The regulator determined that Uber operated without a valid transfer mechanism for over two years, failing to ensure a level of protection essentially equivalent to that in the EU. The data breach fine followed an investigation triggered by a complaint from French drivers, highlighting that the Dutch DPA acted as the lead authority for Uber’s European operations.
10. Meta (Facebook) — EUR 265 Million
In November 2022, Meta was fined EUR 265 million by the Irish supervisory authority following the discovery of a dataset containing the personal information of 533 million users on a hacking forum. The Irish investigation found that attackers had used automated tools to scrape user data through Facebook’s Contact Importer features between 2018 and 2019.
The DPC ruled that Meta had failed to implement sufficient technical measures to prevent this type of large-scale data extraction by third parties. The settlement included a reprimand and an order for Meta to secure its features against unauthorized scraping.
11. Meta — EUR 251 Million
The Irish DPC issued administrative fines totaling EUR 251 million to Meta in December 2024 after investigating a massive data breach reported in 2018. Unauthorized parties had exploited vulnerabilities in Facebook’s “View As” and video upload features to steal “user tokens,” which allowed them to log in as approximately 29 million account holders globally.
Regulators found that Meta failed to build in data protection requirements during the design and development cycle of its platform features. The DPC’s final decisions also noted that Meta failed to document the breach facts properly and did not include all required information in its initial notification to the authority.
12. WhatsApp — EUR 225 Million
In September 2021, the Irish DPC fined WhatsApp EUR 225 million for failing to clearly explain how it processed and shared user data with other Meta companies. The investigation highlighted that information about the data processing was spread across multiple confusing documents, making it difficult for both users and non-users to understand their rights.
The DPC issued a formal reprimand and ordered WhatsApp to bring its privacy notice and transparency practices into compliance. This required the company to be much more specific about how user information is utilized across the Meta ecosystem.
13. Google LLC — EUR 200 Million
The French data protection authority CNIL fined Google LLC EUR 200 million in September 2025 for displaying advertisements in Gmail without obtaining valid user consent. The investigation also found that Google placed advertising cookies on users’ devices during account creation without providing a clear or informed way for users to refuse them.
The regulator noted that over 74 million users in France were affected by these practices. Google was ordered to stop displaying these ads without prior consent and to ensure that its cookie banners meet transparency requirements within six months.
14. Shein (Infinite Styles) — EUR 150 Million
In September 2025, France’s CNIL fined Shein’s Irish subsidiary, Infinite Styles Services, EUR 150 million for severe violations of cookie consent rules on its website. (Shein is a China-based e-commerce fast fashion retailer.) The investigation found that Shein used misleading interfaces that lacked clear information about the purpose of cookies and placed advertising trackers before any user choice was made.
Even when users attempted to “Reject all,” the CNIL found that new cookies were still placed and existing ones were not removed. While Shein implemented several compliance measures during the investigation, the scale of the violations — affecting 12 million monthly visitors in France — led to the final administrative fine.
15. Google LLC — EUR 90 Million
In December 2021, France’s CNIL fined Google LLC EUR 90 million for making it unnecessarily difficult for users of google.fr and youtube.com to refuse cookies. The site provided a button for immediate acceptance, but required users to navigate multiple extra steps to refuse trackers.
The regulator determined that this asymmetry in design manipulated users toward accepting cookies, infringing on their freedom of consent. Google was issued an injunction to modify its banner within three months or face additional daily penalties.
16. Meta (Facebook) — EUR 91 Million
The Irish DPC fined Meta EUR 91 million in September 2024 for storing social media user passwords in “plaintext” on its internal systems. The inquiry began in 2019 after Meta notified the DPC that it had inadvertently stored passwords without cryptographic protection or encryption.
The DPC found four separate breaches of the GDPR related to security, including a failure to document the incident as a personal data breach. While no evidence was found that the passwords were abused by external parties, the DPC issued a reprimand and a significant fine due to the sensitivity of account credentials.
17. Enel Energia — EUR 79.1 Million
Italy’s Data Protection Authority (Garante) issued a record-high EUR 79.1 million fine to Enel Energia in February 2024 for unlawful telemarketing practices. The investigation found that the company acquired thousands of contracts through third-party agencies that used illicit databases and made nuisance calls to consumers.
Garante identified severe security gaps in Enel’s customer management systems that allowed unauthorized agents to sign contracts without providing tangible benefits to users. Enel was ordered to improve its security measures, notify affected parties, and overhaul its contracts with marketing agencies.
18. Google Ireland — EUR 60 Million
Alongside the penalty for its parent company, Google Ireland was fined EUR 60 million by the CNIL in December 2021. The regulator held Google Ireland jointly responsible for the cookie banners on google.fr that did not offer a refusal method as simple as the acceptance method.
The CNIL emphasized that all entities involved in designing the tracking mechanisms for French users must share responsibility for compliance. This joint enforcement action brought the total penalty against Google to EUR 150 million at the time.
19. Facebook Ireland — EUR 60 Million
In December 2021, the CNIL also fined Facebook Ireland (now Meta Platforms Ireland) EUR 60 million for its noncompliant cookie refusal processes. The investigation found that Facebook users in France had to perform multiple clicks to refuse cookies on facebook.com, while acceptance could be done with a single click.
The CNIL noted that this practice discouraged users from refusing cookies and led to invalid consent. Meta was issued an order to provide a simpler refusal mechanism within three months or face daily fines of EUR 100,000 for each day of delay.
20. Criteo — EUR 40 Million
The French CNIL fined ad-tech company Criteo EUR 40 million in June 2023 for several breaches of GDPR involving its advertising network. The regulator found that Criteo failed to verify that its partners obtained valid consent and did not provide users with a transparent way to access or delete their data profiles.
The inquiry emphasized that companies in the behavioral advertising space must be able to demonstrate the lawfulness of the data they process. Following the decision, Criteo noted that it would appeal the fine while continuing to work on its compliance transparency.
21. H&M — EUR 35.3 Million
In October 2020, the Hamburg Commissioner for Data Protection fined retailer H&M EUR 35.3 million for illegally monitoring employees at its service center in Germany. Managers were found to have recorded extensive details about employees’ private lives, including health data, religious beliefs, and family problems, during “welcome back” talks following absences.
This private data was stored on a network drive and used to build detailed profiles for making work-related decisions. H&M accepted the penalty, apologized for the practices, and agreed to pay significant financial compensation to the several hundred employees affected.
22. Amazon France — EUR 32 Million
In January 2024, the CNIL fined Amazon France Logistique EUR 32 million for its overly intrusive employee monitoring system. The investigation revealed that Amazon used scanners to track workers’ activity with such precision that they had to justify interruptions of as little as one minute.
The regulator ruled that these monitoring practices, which included tracking “latency indicators” for idle time, lacked a valid legitimate interest and failed to inform temporary workers properly. Amazon was also cited for insecure video surveillance practices, including shared passwords among multiple users.
23. Clearview AI — EUR 30.5 Million
The Dutch DPA fined Clearview AI EUR 30.5 million in September 2024 for building an illegal facial recognition database. The company scraped billions of photos from the internet to create biometric codes, including those of Dutch citizens, without their knowledge or consent.
The regulator found that Clearview failed to be transparent about its data collection and did not cooperate with individuals’ requests to access their data. Clearview was ordered to stop the violations or face an additional GDPR fine of up to EUR 5.1 million.
24. TIM (Telecom Italia) — EUR 27.8 Million
In early 2020, Italy’s Garante fined Telecom Italia (TIM) EUR 27.8 million for millions of unlawful marketing calls and broad data processing violations. The investigation found that TIM had contacted individuals who had explicitly opted out of marketing or were on “do not call” lists.
The regulator ordered TIM to implement 20 corrective measures, including a ban on using data from certain consent forms that did not meet GDPR standards. The case highlighted a systemic lack of “privacy by design” in the company’s customer management and marketing systems.
25. Enel Energia — EUR 26.5 Million
Enel Energia was fined EUR 26.5 million in January 2022 by the Italian Garante for its failure to manage user consent during promotional telemarketing campaigns. The investigation was triggered by numerous complaints from people receiving unwanted calls despite being registered on the national opt-out list.
Garante found that the company’s internal procedures for processing data from third-party partners were inadequate and lacked transparency. This initial fine was followed two years later by an even larger penalty for continued systemic failures in the company’s marketing operations.
Why Ireland leads in GDPR enforcement
Ireland’s DPC is widely regarded as the most active — and financially impactful — GDPR enforcer in the EU, largely because many of the largest global tech firms’ European operations are headquartered there, making it the lead regulator for major cross-border cases under the GDPR’s “one-stop-shop” framework.
Below is a summary of the biggest GDPR fines of the past five years.
| Rank | Company | Amount | Date | Country |
|---|---|---|---|---|
| 1 | Meta (Facebook) | €1.2 Billion | May 2023 | Ireland |
| 2 | Amazon Europe | €746 Million | Jul 2021 | Luxembourg |
| 3 | TikTok | €530 Million | Apr 2025 | Ireland |
| 4 | Meta (Facebook) | €479 Million | Nov 2025 | Spain |
| 5 | Meta (Instagram) | €405 Million | Sep 2022 | Ireland |
| 6 | Meta (Facebook/Instagram) | €390 Million | Jan 2023 | Ireland |
| 7 | TikTok | €345 Million | Sep 2023 | Ireland |
| 8 | LinkedIn | €310 Million | Oct 2024 | Ireland |
| 9 | Uber | €290 Million | Jul 2024 | Netherlands |
| 10 | Meta (Facebook) | €265 Million | Nov 2022 | Ireland |
| 11 | Meta | €251 Million | Dec 2024 | Ireland |
| 12 | WhatsApp | €225 Million | Sep 2021 | Ireland |
| 13 | Google LLC | €200 Million | Sep 2025 | France |
| 14 | Shein (Infinite Styles) | €150 Million | Sep 2025 | France |
| 15 | Google LLC | €90 Million | Dec 2021 | France |
| 16 | Meta (Facebook) | €91 Million | Sep 2024 | Ireland |
| 17 | Enel Energia | €79.1 Million | Feb 2024 | Italy |
| 18 | Google Ireland | €60 Million | Dec 2021 | France |
| 19 | Facebook Ireland | €60 Million | Dec 2021 | France |
| 20 | Criteo | €40 Million | Jun 2023 | France |
| 21 | H&M | €35.3 Million | Oct 2020* | Germany |
| 22 | Amazon France | €32 Million | Jan 2024 | France |
| 23 | Clearview AI | €30.5 Million | Sep 2024 | Netherlands |
| 24 | TIM (Telecom Italia) | €27.8 Million | Jan 2020* | Italy |
| 25 | Enel Energia | €26.5 Million | Jan 2022 | Italy |
How to avoid GDPR fines
Whether you’re processing data belonging to residents in the EU or the UK, the most effective strategy is the same: avoid GDPR fines by prioritizing compliance from the start. Your company must understand its responsibilities to achieve and maintain compliance with the law’s requirements.
There are several steps organizations can take to support GDPR compliance and reduce risk:
- Conduct regular data audits to fully understand data collection and processing activities
- Implement data protection policies and procedures
- Train employees on GDPR compliance and data security practices on an ongoing basis
- Appoint a qualified and well-informed DPO when required, which can be an internal or external hire, as long as they have sufficient GDPR expertise
- Work with trusted third-party vendors and service providers that are GDPR-compliant, and implement contracts prior to starting data processing operations
- Use a consent management platform to collect and store valid user consent on websites, apps, connected TV, etc.
These steps lay the groundwork for GDPR compliance, but managing consent consistently across all channels can still be challenging. Usercentrics can help. Our consent management platform helps companies capture and manage user consent, understand and activate the data being collected, and maintain the visibility and control GDPR requires.
Whether you’re trying to avoid a maximum fine under the GDPR, prepare for audits, or simply build user trust, we give you the visibility and control you need to manage data responsibly.