Quick answer: GDPR fines reached a cumulative total of over €4.5 billion by early 2026. The largest single fine was €1.2 billion (Meta, 2023). Your risk level depends on your company size, the type of data you process, and the violations found. Use this guide to understand your exposure and reduce it.
GDPR Fine Structure: How Penalties Are Calculated
GDPR fines are not arbitrary: when deciding whether to fine at all and how much, data protection authorities must weigh the criteria listed in Article 83(2). Understanding these factors helps you estimate your own risk:
| Factor | How It Affects the Fine | Weight |
|---|---|---|
| Nature and gravity of the violation | More serious breaches = higher fines | Very high |
| Intentional vs negligent | Deliberate violations fined much more heavily | Very high |
| Number of data subjects affected | More people affected = higher penalty | High |
| Duration of the violation | Longer violations = higher fines | High |
| Actions taken to mitigate damage | Quick response can reduce the fine | Medium |
| Degree of cooperation with the DPA | Cooperation lowers, obstruction raises | Medium |
| Previous violations | Repeat offenders fined more heavily | High |
| Type of data involved | Special categories (health, biometrics) = higher | High |
The Two Tiers of GDPR Fines
| Tier | Maximum Fine | Typical Violations |
|---|---|---|
| Tier 1 (Lower, Art. 83(4)) | €10 million or 2% of worldwide annual turnover, whichever is higher | Record-keeping failures (Art. 30), no DPO appointed (Art. 37), insufficient security measures (Art. 32), no DPIA conducted (Art. 35) |
| Tier 2 (Higher, Art. 83(5)) | €20 million or 4% of worldwide annual turnover, whichever is higher | No lawful basis for processing (Art. 6), invalid consent (Art. 7), violating data subject rights (Arts. 12-22), unlawful international transfers (Arts. 44-49) |
Important: The cap is whichever of the two amounts is higher, so for large companies the turnover percentage, not the flat figure, sets the ceiling. Meta's €1.2 billion fine sat well inside the 4% cap on its worldwide turnover; the actual amount was set using the Article 83(2) factors above, not by applying the percentage.
Top 10 Largest GDPR Fines (Updated 2026)
| # | Company | Fine | Year | Violation | DPA |
|---|---|---|---|---|---|
| 1 | Meta (Facebook) | €1.2B | 2023 | Unlawful EU-US data transfers | Ireland |
| 2 | Amazon | €746M | 2021 | Non-compliant targeted advertising | Luxembourg |
| 3 | TikTok | €530M | 2025 | Unlawful transfers of EEA user data to China, transparency failures | Ireland |
| 4 | Meta (Instagram) | €405M | 2022 | Children's data processing | Ireland |
| 5 | Meta (Facebook and Instagram) | €390M | 2023 | Relying on "contract" as the legal basis for personalised ads | Ireland |
| 6 | TikTok | €345M | 2023 | Children's privacy violations | Ireland |
| 7 | LinkedIn | €310M | 2024 | No valid lawful basis for behavioural advertising | Ireland |
| 8 | Uber | €290M | 2024 | Unlawful driver data transfers to the US | Netherlands |
| 9 | Meta (Facebook) | €251M | 2024 | 2018 "View As" breach: data-protection-by-design and breach-notification failures | Ireland |
| 10 | Meta (WhatsApp) | €225M | 2021 | Transparency failures | Ireland |
Amounts are as imposed by the DPA; several are under appeal. Google's €150M cookie fine from the French CNIL (2022) is often listed among GDPR fines, but it was imposed under France's ePrivacy rules rather than GDPR itself, so it is omitted here.
Risk Assessment: Common Website Violations
Most GDPR fines start with a complaint or audit. Here are the most common website violations that trigger enforcement — and their typical penalty ranges:
High-Risk Violations (€50K–€20M+)
- No cookie consent banner: Loading tracking cookies before consent. The French CNIL fined Google €150M in 2022 for this under France's ePrivacy rules, which apply alongside GDPR, because refusing cookies took several clicks while accepting took one
- Invalid consent: Pre-checked boxes, dark patterns, or "consent walls" that force acceptance
- No privacy policy: Missing or incomplete privacy policy covering GDPR Article 13/14 requirements
- Illegal data transfers: Sending personal data to countries without an adequacy decision and without Chapter V safeguards (for example SCCs plus a transfer impact assessment)
- No lawful basis: Processing personal data without one of the Article 6 bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
Medium-Risk Violations (€10K–€100K)
- Ignoring DSARs: Not responding to access or erasure requests within one month (Article 12(3); extendable by two further months for complex or numerous requests, provided you tell the requester why)
- Missing DPO: Required under Article 37 for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring, or large-scale processing of special-category or criminal-conviction data
- No data processing records: GDPR Article 30 requires documented processing activities
- Insufficient security: Missing HTTPS, weak password handling, no encryption of personal data in transit or at rest (Article 32 requires measures appropriate to the risk)
Lower-Risk Violations (Warning–€10K)
- Outdated privacy policy: Policy doesn't reflect current processing activities
- Missing cookie categorization: Not properly categorizing cookies as essential/analytics/marketing
- No consent records: Unable to demonstrate when and how consent was obtained, even though Article 7(1) places the burden of proof on you
Check Your Website's GDPR Risk: Free Assessment
PrivacyChecker scans your website in under 60 seconds and identifies the most common GDPR violations automatically:
| Check | What We Scan | Risk If Failing |
|---|---|---|
| Cookie consent | Pre-consent cookie loading, banner presence | High |
| Privacy policy | Required disclosures, accessibility, completeness | High |
| Third-party trackers | Analytics, ads, social media scripts | Medium-High |
| Security headers | HTTPS, HSTS, CSP, X-Frame-Options | Medium |
| Data transfers | Connections to non-EU servers | High |
| AI crawler policy | robots.txt configuration for AI bots | Low-Medium |
How to Reduce Your GDPR Fine Risk
1. Implement a Proper Cookie Consent Banner
The banner must block every non-essential cookie and tracking script until the user explicitly consents. Pre-checked boxes are not valid consent (Recital 32). Refusing must be as easy as accepting: DPAs such as the CNIL have fined sites where "Reject All" was hidden behind extra clicks while "Accept All" was one click. See our Cookie Consent Banner Guide.
2. Write a Complete Privacy Policy
Your privacy policy must list every category of personal data collected, the legal basis for each, retention periods, third-party recipients, any transfers outside the EEA, and data subject rights (Articles 13 and 14). Use our GDPR Privacy Policy Template as a starting point.
3. Audit Third-Party Scripts
Every JavaScript snippet on your site that sends data externally is a potential GDPR liability. Audit all tracking pixels, analytics tools, chat widgets, and embedded content. Remove what you don't need.
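As an added example (not PrivacyChecker's code and not from the original page), the following Python script performs the kind of static audit that both the scan table above and this step describe: it flags cookies set on the very first response, before any consent could have been given, lists third-party script, iframe and image hosts, and reports missing security headers. The sample URL, headers, cookies and HTML are constructed here; the tracker host list, the essential-cookie prefixes and the last-two-labels first-party rule are illustrative assumptions.

```python
"""Static GDPR exposure audit of a page's first HTTP response (added example, not PrivacyChecker's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative blocklist of well-known analytics/ad hosts, not an exhaustive tracker database.
TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
    "www.facebook.com",
    "static.hotjar.com",
}
# Headers whose absence the audit reports.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options")
# Assumption: cookie-name prefixes treated as strictly necessary; anything else set before consent is flagged.
ESSENTIAL_COOKIE_PREFIXES = ("sessionid", "csrftoken", "PHPSESSID")


class ResourceCollector(HTMLParser):
    """Collects src URLs of script, iframe and img tags, i.e. everything the browser fetches unprompted."""

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, src) pairs in document order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.sources.append((tag, src))


def is_first_party(host, page_host):
    # Simplification: the last two labels of the page host are taken as the site root, so
    # cdn.example.com is first party for www.example.com. Public suffixes such as .co.uk
    # are not handled; a real scanner should use the Public Suffix List instead.
    root = ".".join(page_host.split(".")[-2:])
    return host == page_host or host == root or host.endswith("." + root)


def audit_page(url, headers, set_cookies, html):
    """Return a list of (severity, message) findings for one pre-consent response."""
    parts = urlsplit(url)
    page_host = parts.hostname.lower()
    findings = []

    if parts.scheme != "https":
        findings.append(("medium", "page served over plain HTTP"))

    present = {name.lower() for name in headers}
    for name in REQUIRED_HEADERS:
        if name not in present:
            findings.append(("medium", f"missing security header: {name}"))

    # Every Set-Cookie on the landing response arrived before the user could consent to anything.
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        if not name.startswith(ESSENTIAL_COOKIE_PREFIXES):
            findings.append(("high", f"non-essential cookie set before consent: {name}"))

    collector = ResourceCollector()
    collector.feed(html)
    third_party = {}
    for tag, src in collector.sources:
        host = urlsplit(src).hostname  # None for relative URLs, which are first party by construction
        if host and not is_first_party(host.lower(), page_host):
            third_party.setdefault(host.lower(), set()).add(tag)
    for host in sorted(third_party):
        severity = "high" if host in TRACKER_HOSTS else "medium"
        tags = ",".join(sorted(third_party[host]))
        findings.append((severity, f"third-party resource loaded before consent: {host} ({tags})"))
    return findings


def risk_summary(findings):
    """Count findings per severity so a site can be ranked against the risk table above."""
    summary = {"high": 0, "medium": 0}
    for severity, _ in findings:
        summary[severity] = summary.get(severity, 0) + 1
    return summary


# Constructed sample response: the site already sends HSTS but drops a Google Analytics cookie
# and loads three third-party resources before any consent banner could be clicked.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_SET_COOKIES = ["sessionid=abc123; Secure; HttpOnly", "_ga=GA1.2.1.1; Path=/"]
SAMPLE_HTML = """<html><head>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/main.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<img src="https://www.facebook.com/tr?id=1">
</body></html>"""

if __name__ == "__main__":
    results = audit_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_SET_COOKIES, SAMPLE_HTML)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print(risk_summary(results))
```

The script only sees the initial HTML, so scripts that a tag manager injects at runtime are invisible to it; a production scan has to load the page in a headless browser and record every request and cookie that occurs before the consent banner is clicked.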
4. Document Everything
DPAs look favorably on companies that can demonstrate compliance efforts. Maintain records of processing activities (Article 30), data protection impact assessments (Article 35), and consent management procedures.
5. Respond Quickly to Data Breaches
You must report a personal data breach to your DPA without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; high-risk breaches must also be communicated to the affected people (Article 34). Having a data breach response plan ready reduces both the impact and the potential fine.
Frequently Asked Questions
Can small businesses be fined under GDPR?
Yes. While DPAs tend to focus enforcement on larger companies, small businesses have received fines ranging from €500 to €200,000. The most common triggers are customer complaints about marketing emails without consent, failure to respond to data access requests, and data breaches caused by poor security. Read our GDPR for Small Businesses Guide.
How long does a GDPR investigation take?
GDPR investigations typically take 6 to 24 months from complaint to decision. Complex cross-border cases can take 3+ years. During this time, you may be required to cooperate with auditors, provide documentation, and potentially change your practices through corrective orders.
Can I appeal a GDPR fine?
Yes. Companies have the right to an effective judicial remedy against DPA decisions under GDPR Article 78. Large fines are routinely appealed, and national courts have reduced some of them. However, the appeals process is lengthy and expensive, which makes prevention far more cost-effective.
Does cyber insurance cover GDPR fines?
It depends on your jurisdiction and policy. In most EU countries, regulatory fines are not insurable as a matter of public policy. However, cyber insurance may cover investigation costs, legal defense, breach notification costs, and third-party liability claims. Always check your specific policy.