Overview —
Understanding GDPR Fines and Penalties
GDPR fines can reach €20M or 4% of global revenue; strong compliance programs help reduce legal and financial risk.
Share this article
GDPR Fines and Penalties: What They Actually Look Like
The Meta headline — €1.2 billion — is the number everyone remembers. It's also wildly unrepresentative. The average GDPR fine sits around €2.3 million, nowhere near the legal maximum. Understanding the real range, and what actually pushes a fine toward either end of it, matters more than memorizing the one record-breaking case.
The Two Tiers, Precisely
Lower tier — up to €10 million or 2% of global annual turnover, whichever is higher. This applies to violations of organizational obligations: failing to maintain proper records, not appointing a required DPO, missing breach notification deadlines, weak vendor agreements.
Upper tier — up to €20 million or 4% of global annual turnover, whichever is higher. This applies to violations of GDPR's core principles: processing without a lawful basis, ignoring data subject rights, violating the fundamental data protection principles in Article 5.
The "whichever is higher" part matters enormously for large companies. A €20 million cap means nothing to a company with €50 billion in global revenue — 4% of that is €2 billion, which is exactly why the biggest fines on record have run into the hundreds of millions and beyond, calculated as a percentage of revenue rather than against the flat euro figure.
What Actually Decides Where a Fine Lands
Article 83 lists specific factors regulators weigh, and they matter more than the violation category alone:
Nature, gravity, and duration — a brief, contained slip is treated very differently from a systemic practice that ran for years
Intent versus negligence — deliberate violations are penalized more heavily than honest mistakes
What you did about it — mitigation efforts taken after discovering the issue genuinely move the needle
History — repeat violations escalate the penalty; this is exactly why Google's cookie-consent fines from the CNIL climbed from €100 million in 2020 to €150 million in 2021 to €325 million in 2025 — the same underlying issue, penalized more severely each time it recurred
Cooperation with the DPA — how forthcoming you are during the investigation itself factors into the final number
What the Biggest Fines Actually Looked Like
Real cases make the abstract factors concrete:
Meta — €1.2 billion (2023). The largest GDPR fine on record, for unlawfully transferring EU user data to the United States without adequate safeguards. This is the case everyone cites, but it's also the extreme outlier — a company of Meta's scale, found to have a systemic, long-running transfer practice with no adequate legal basis.
TikTok — €530 million (2025). For transferring EU user data to China without ensuring protections equivalent to EU standards. Investigators specifically found that engineers in China could routinely access sensitive EU user data, and that TikTok hadn't adequately assessed the risk posed by Chinese surveillance law. A separate, earlier TikTok fine of €345 million (2023) covered different ground entirely — child safety failures, including default-public settings for minors' accounts and inadequate age verification.
Google — €325 million combined (2025). Two separate violations from the CNIL: inserting ads disguised as emails into Gmail inboxes without valid consent, and failing to properly inform users about advertising cookies during account setup.
Clearview AI — €30.5 million (2024). For unlawfully collecting facial recognition data — notable because it's one of the cases where a regulator explicitly considered whether to pursue personal liability against company leadership, not just the corporate entity.
The Pattern Underneath the Headlines
Looking past the largest individual numbers, the most common violation category isn't a dramatic data breach — it's an insufficient legal basis for processing, most often around consent for behavioral advertising. That's a mundane, fixable problem, not an exotic one. The fines that grab headlines tend to be massive companies caught in systemic, long-running practices; the much larger number of smaller fines hitting the average €2.3 million range tend to be more ordinary compliance gaps.
Why "We're Not Meta" Doesn't Mean "We're Fine"
It's tempting to read the headline fines and conclude this only applies to tech giants. The data says otherwise — fines have hit financial services, healthcare, energy, and plenty of small and mid-sized companies, often for the same root causes (no real legal basis for processing, missed data subject rights deadlines, weak documentation) that show up in the billion-euro cases, just at a scale proportional to the smaller company's revenue.
Reducing Real Exposure
Given how heavily Article 83's factors weigh history, intent, and cooperation, the practical takeaway isn't "avoid every possible violation forever" — it's building a program that can show good-faith effort, quick remediation, and genuine cooperation if something does go wrong. Who Enforces GDPR? covers the actual DPA process you'd be cooperating with, and how the one-stop-shop mechanism determines who you're dealing with if a cross-border case arises.
Building Resilience Across Frameworks
Programs that already maintain rigorous documentation and risk assessment for ISO 27001, SOC 2, or PCI DSS tend to land in a much better position if a GDPR investigation ever happens — not because those frameworks satisfy GDPR directly, but because the underlying discipline (knowing what you process, having real controls, documenting decisions) is exactly what regulators check for when deciding how severely to penalize a violation.
In the Spotlight

Start your GDPR compliance journey with DSALTA's complete checklist.
The General Data Protection Regulation (GDPR) is Europe’s core privacy law, shaping how organizations collect, process, and protect the personal data of EU residents. Non-compliance can result in heavy fines, reputational damage, and loss of customer trust.
GDPR can feel complicated with its broad scope and strict requirements, but DSALTA® makes it manageable. With automated evidence collection, continuous monitoring, and AI- driven risk insights, you can maintain compliance without drowning in manual work. Use this checklist to guide your GDPR journey.
Read more about GDPR compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




