
GDPR enforcement that doesn’t make headlines

Most GDPR enforcement actions don’t make headlines, but smaller fines and penalties are far more common than billion-Euro judgements. This lack of publicity can lead smaller organizations to think that GDPR compliance doesn’t need to be a priority. We look at why taking that risk isn’t worth it.
Published by Usercentrics
Jun 9, 2025

What’s the smallest GDPR fine you’ve heard of? Can you even remember? Probably not, since the headlines only tend to capture the truly eye-popping ones. 

But does that mean that Data Protection Authorities (DPAs) don’t bother checking up on smaller companies’ GDPR compliance? Can your business safely ignore GDPR compliance requirements?

We don’t recommend it. And not just because we at Usercentrics preach data privacy, Privacy-Led Marketing, and consent management solutions. It’s because there’s a lot more GDPR compliance enforcement happening than you may realize, and has been for years. 

(The smallest recorded GDPR fine to date was issued in 2020 to a Hungarian entity for EUR 28.)

Who enforces the GDPR?

While the General Data Protection Regulation (GDPR) applies to residents of and organizations operating in the European Union (EU) and European Economic Area (EEA), enforcement doesn’t fall under a single entity.

There is the European Data Protection Board (EDPB). Each EU Member State has a DPA — which is why they’re also called National Supervisory Authorities — and all of those DPAs make up the EDPB, along with the European Data Protection Supervisor (EDPS).

Each country in the EU is responsible for investigating and correcting GDPR violations and levying penalties on the organizations responsible where appropriate.

What do Data Protection Authorities do?

DPAs don’t just issue fines. They try to prevent them in the first instance. These authorities are involved in the full privacy compliance lifecycle, with their functions divided into three main categories: advisory, investigative, and corrective. 

DPA advisory powers and functions

  • Provide expert guidance to national governments, organizations, and individuals on data protection matters
  • Offer opinions on proposed legislation and administrative measures that affect personal data processing
  • Advise organizations on their compliance obligations 
  • Promote public awareness of data protection rights and best practices
  • Contribute to the development of codes of conduct and certifications
  • Issue recommendations for consistent GDPR application across the EU

DPA investigative powers and functions

  • Conduct audits and review data protection impact assessments (DPIAs)
  • Perform on-site inspections and access premises, equipment, personal data, and processing information
  • Perform ongoing audits to ensure continued compliance after a violation

DPA corrective powers and functions

  • Issue warnings, corrective measures, and reprimands for violations
  • Restrict or ban data processing activities
  • Order the rectification or deletion of personal data
  • Suspend data transfers to third countries
  • Impose administrative fines for violations
  • Refer cases to the courts

What are the penalties for GDPR violations?

Under the GDPR there is a two-tiered system for administrative penalties. In addition to orders for corrective measures, organizations can be fined for violations.

The first tier is generally for less severe or first-time violations, and is up to EUR 10 million or two percent of global annual revenue, whichever is greater. 

An example of a first-tier fine is Italian DPA Garante fining satellite TV platform Sky Italia EUR 842,062 in 2024 for unlawful telemarketing activities.

The second tier is generally for more serious or repeat violations, and is up to EUR 20 million or four percent of global annual revenue, whichever is greater. 

The highest GDPR fine issued to date was a second-tier fine for Meta Platforms Ireland (parent company of Facebook, Instagram, and WhatsApp) for EUR 1.2 billion in 2023 for unlawful personal data transfers to the United States.

The most commonly violated provision is Art. 5 GDPR, which sets out the principles relating to processing of personal data. Violations include not having a valid legal basis for data processing, not being transparent about data processing or data subjects’ rights, or processing data for purposes beyond those communicated and covered under the chosen legal basis.

Fines are at DPAs’ discretion, and are not mandatory. Organizations can be warned or provided with a “cure period” during which they can correct noncompliance issues without facing fines. However, fines can also be issued along with other measures, like orders to stop data processing or to delete data. 

What is shadow enforcement of the GDPR?

As noted, DPAs are doing plenty of GDPR enforcement that doesn’t make headlines. The billion-Euro fines may seem completely unrelatable to the average business owner, but it’s worth noting that big tech platforms can absorb those fines far more easily than SMBs can absorb even the much smaller noncompliance fines they might be issued.

Beyond fines, smaller organizations also tend to lack the resources for the other corrective measures that could be ordered after a violation or complaint, such as providing information about data processing, submitting to repeated audits, and performing DPIAs.

The types of GDPR enforcement that make up the bulk of DPAs’ actions but don’t make the headlines include warnings, sanctions, sub-billion-Euro fines, audits, and other activities.

France’s CNIL and enforcement for 2024

Let’s look at France’s DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), which is one of the more prominent and strict DPAs. In February 2025 it published its report on sanctions and corrective measures under its jurisdiction for 2024, showing increases across the board compared to 2023 (except for fines, which totaled EUR 90 million in 2023).

For 2024, the CNIL made 331 decisions, resulting in:

  • 87 sanctions
  • 180 compliance orders
  • 64 reprimands
  • 75 fines
  • 14 fines with injunction under penalty, meaning an additional daily fine until the organization pays the imposed fine
  • 7 decisions adopted in cooperation with other EU DPAs
  • over EUR 55,212,400 in fines

As in 2023, failing to cooperate with the CNIL, e.g. not responding to the CNIL’s requests, was the most common reason for sanctions in simplified procedure cases (the procedure used for straightforward violation cases).

The CNIL’s decisions were for issues as varied as ads in emails, anonymization of healthcare data, failing to minimize data collection, and warnings to government departments to ensure personal data stored in their databases is accurate.

That’s a fair bit of activity, but what’s really notable is how few of those decisions were made public: only 12, or 3.6 percent. The remaining 96.4 percent of the CNIL’s GDPR compliance decisions were “shadow” enforcement. 

A person reading the headlines or even doing some deeper digging into GDPR enforcement would have found almost none of that information. No wonder a lot of organizations still think GDPR requirements aren’t a concern.

It’s a bit ironic keeping so much enforcement quiet, given that DPAs’ mandate includes functions not only meant to correct violations, but to ensure companies know their responsibilities and comply with them to prevent violations.

Why so much GDPR enforcement is not publicized

Perhaps the most basic reason why most GDPR enforcement doesn’t make headlines, or get any coverage, is that it’s not that interesting or would take too much explaining to make the issues clear to the average person. 

Attention spans, especially online, do not favor long, dry regulatory explanations.

Maybe if your main competitor was fined EUR 100,000 over noncompliant marketing practices, it would pique your interest, but to the media at large it’s not that exciting, and most of the companies fined are ones you’ve probably never heard of. 

That’s nothing like a billion-Euro fine against a global tech giant: a lot of money by pretty much anyone’s standards, levied on a company everyone’s heard of and whose platforms or services are used by billions of people.

Other reasons could include confidentiality. A violation becoming public could have a significant negative impact on brand reputation. Certain issues, like data breaches, require notification of authorities and affected customers, but not all violations do. 

That information could be used by competitors, and could scare off potential customers, advertisers, partners, or investors, even if the issue has been rectified.

Many issues are relatively minor and can be fixed fairly quickly, without incurring fines or other significant penalties. Those leave little to talk about. 

In some larger or trickier cases, investigations may be ongoing, so can’t be talked about or publicized for some time.

How organizations can achieve and maintain GDPR compliance

GDPR compliance responsibilities can be complex, but compliance doesn’t have to be. There are robust tools that are budget-friendly, don’t require a lot of resources to set up or maintain, and grow with your organization.

One of the most common GDPR violations is not meeting the requirements for a valid legal basis to collect and process personal data. While other legal bases may seem more convenient to companies, users’ consent is the one that is required in many cases. 

A consent management platform enables organizations of all sizes to achieve cookie compliance by obtaining informed, explicit consent. It enables transparency about your data processing and securely stores consent information in case of a DPA inquiry or audit.

In addition to avoiding fines and other penalties from DPAs, companies gain benefits from data privacy compliance:

  • Protect advertising revenue and ensure continued use of major tech platforms’ services, like Google Ads or Analytics.
  • Show your customers and prospects that you respect their privacy and give them control over their personal data. This builds trust, which leads to long-term engagement and customer loyalty.
  • Future-proof your marketing strategies by moving away from outdated data sources like third-party cookies. Zero- and first-party data comes right from your users with their consent, so it’s higher quality and enables GDPR-compliant use for your Privacy-Led Marketing.

Data Protection Authorities in the EU can’t explicitly endorse individual consent management platforms, but they do recognize the importance of consent management in ongoing GDPR compliance efforts.