The Two-Tier Fine Structure Under Article 83
Article 83 of the GDPR splits administrative fines into two tiers based on the severity of the infringement. The lower tier, set out in Article 83(4), caps penalties at EUR 10 million or 2% of global annual turnover - whichever is higher. The upper tier, under Article 83(5), doubles that ceiling to EUR 20 million or 4% of global annual turnover.
These are maximums, not fixed amounts. A supervisory authority (known as a DPA - data protection authority) has wide discretion to impose any amount up to the relevant cap. A small online retailer that fails to maintain proper processing records might receive a fine of a few thousand euros, while a multinational tech company engaged in systematic unlawful processing could face a penalty in the hundreds of millions.
The distinction between tiers matters because it determines the starting range of any fine calculation.
Lower Tier Violations (Article 83(4))
The lower tier applies to infringements of more procedural or organisational obligations. These include failures related to data protection by design and by default (Article 25), record-keeping obligations (Article 30), breach notification duties (Articles 33-34), data protection impact assessments (Article 35), and the obligations of data protection officers (Articles 37-39). Violations of certification body or monitoring body duties under Articles 41-43 also fall here.
Do not mistake "lower tier" for "low risk." The Irish DPC fined Meta EUR 251 million in December 2024 for a Facebook data breach partly involving failures under Article 33 (breach notification) - obligations that sit within this very tier.
Upper Tier Violations (Article 83(5))
The upper tier targets the core principles of data protection. Infringements of the lawfulness, fairness, and transparency principles under Article 5 fall here, as do violations of the conditions for consent (Article 7), the processing of special categories of data (Article 9), and all data subject rights from Articles 12 to 22. Unlawful international data transfers under Articles 44 to 49 also attract the higher maximum. Non-compliance with a direct order from a supervisory authority under Article 58(2) triggers the upper ceiling as well.
The record-breaking EUR 1.2 billion fine imposed on Meta by the Irish DPC in May 2023 concerned unlawful transfers of personal data to the United States - a clear Article 83(5) infringement. More recently, in May 2025, TikTok received a EUR 530 million fine from the same authority for transferring European users' data to China without adequate safeguards.
The Ten Assessment Criteria in Article 83(2)
Article 83(2) provides a list of ten factors that every supervisory authority must weigh when deciding whether to impose a fine and how large it should be. These criteria are not a simple checklist - they interact with one another, and different authorities may give different weight to each factor depending on the circumstances.
| Criterion | What It Covers | Practical Impact |
|---|---|---|
| Nature, gravity and duration | Article 83(2)(a) - the type of infringement, how many data subjects were affected, and the level of damage | A breach affecting millions of users over several years will attract a higher fine than a one-off incident affecting a handful of people |
| Intentional or negligent character | Article 83(2)(b) - whether the infringement was deliberate or the result of carelessness | Deliberate non-compliance is treated far more severely; authorities look at whether the organisation knew its actions were unlawful |
| Mitigation measures | Article 83(2)(c) - steps taken to reduce harm to affected individuals | Prompt action to contain a breach or compensate data subjects can reduce the fine |
| Degree of responsibility | Article 83(2)(d) - technical and organisational measures in place under Articles 25 and 32 | Having strong security measures and privacy-by-design processes demonstrates responsible data handling |
| Previous infringements | Article 83(2)(e) - any prior violations by the same controller or processor | Repeat offenders face escalating penalties; the EDPB has noted that the absence of prior fines is not itself a mitigating factor |
| Cooperation with the authority | Article 83(2)(f) - how well the organisation worked with the DPA to fix the issue | Full cooperation can reduce the final amount; obstruction or delay will increase it |
| Categories of personal data | Article 83(2)(g) - whether sensitive data (health, biometrics, race, political opinions) was involved | Infringements involving special category data under Article 9 are treated more seriously |
| How the authority found out | Article 83(2)(h) - whether the organisation self-reported or the DPA learned through a complaint or investigation | Self-reporting can be a mitigating factor; being caught by a third-party complaint tends not to help |
| Compliance with prior measures | Article 83(2)(i) - whether the organisation followed any previously ordered corrective measures | Ignoring a prior warning or order from a DPA is a strong aggravating factor |
| Codes of conduct or certification | Article 83(2)(j) - adherence to approved codes or certification mechanisms | Holding an approved certification may help demonstrate good faith, though it does not guarantee immunity |
Article 83(2)(k) adds a catch-all provision, allowing authorities to consider any other relevant circumstance. Recital 150 of the GDPR clarifies that for non-undertakings (natural persons), the general income level of the Member State and the economic situation of the individual should also be factored in.
The EDPB's Five-Step Calculation Methodology
Until 2023, each national DPA calculated fines using its own internal methodology. This led to wildly inconsistent outcomes - a violation that attracted a six-figure fine in France might result in a formal warning in another Member State. To address this, the European Data Protection Board (EDPB) adopted Guidelines 04/2022 in their final form in May 2023, establishing a harmonised five-step methodology for calculating administrative fines.
The EDPB was clear that this methodology is not a mathematical formula. Human assessment of the specific facts must always take place. But it gives DPAs a common framework and, for the first time, makes the calculation process somewhat predictable for organisations.
Step 1: Identify the Processing Operations and Concurrent Infringements
The DPA first identifies which processing activities led to the infringement and checks whether multiple GDPR provisions were violated by the same or linked operations. Article 83(3) provides that where a single processing operation breaches several GDPR provisions, the total fine cannot exceed the maximum applicable to the gravest infringement. A website that deploys tracking cookies without consent might simultaneously violate the lawfulness principle (Article 5), the consent conditions (Article 7), and transparency obligations (Article 13) - but the DPA would apply the single highest ceiling, not stack them.
Step 2: Determine the Starting Point
This is where the fine begins to take shape. The DPA evaluates three factors: the tier classification of the infringement (Article 83(4) or 83(5)), the seriousness of the infringement based on the criteria in Article 83(2)(a), (b), and (g), and the global annual turnover of the undertaking.
The EDPB categorises seriousness into three bands. Low seriousness produces a starting amount between 0% and 10% of the applicable legal maximum. Medium seriousness falls between 10% and 20%. High seriousness ranges from 20% to 100% of the maximum.
For a company with EUR 500 million in annual turnover facing an upper-tier violation, the legal maximum under Article 83(5) is the higher of 4% of turnover (EUR 20 million) and the static EUR 20 million cap; here both come to EUR 20 million. A "medium" seriousness assessment would place the starting point between EUR 2 million and EUR 4 million. A "high" assessment could start anywhere from EUR 4 million to EUR 20 million.
The guidelines include specific adjustments for micro, small, and medium-sized enterprises, potentially reducing the starting amount for businesses with lower turnover. Larger organisations with turnover above EUR 500 million receive no such discount.
Step 3: Evaluate Aggravating and Mitigating Factors
The DPA now reviews the remaining Article 83(2) criteria not already considered in Step 2. These operate as aggravating or mitigating circumstances that push the fine up or down from the starting point.
Aggravating factors include previous infringements, failure to cooperate with the authority, failure to mitigate damage suffered by data subjects, and financial benefits gained from the violation. Mitigating factors include voluntary corrective action, proactive cooperation with the DPA, and demonstrated low culpability.
One point the EDPB emphasises: the absence of previous infringements is not a mitigating factor. Compliance with the GDPR is the expected baseline. You do not get credit for simply not having been fined before.
Step 4: Apply the Legal Maximum
The DPA cross-checks the running total against the statutory ceiling. No fine - regardless of how many aggravating factors apply - can exceed the maximum set out in Article 83(4), (5), or (6). For undertakings, the dynamic cap (percentage of turnover) applies if it produces a higher figure than the static cap (EUR 10 or 20 million).
A critical question is what counts as the "undertaking" for turnover purposes. The CJEU addressed this directly in the Deutsche Wohnen case (C-807/21) in December 2023, confirming that the GDPR borrows the competition law definition: an undertaking is any entity engaged in economic activity, regardless of its legal form, and can include an entire corporate group. This means a subsidiary's fine ceiling is calculated against the parent group's total worldwide turnover, not the subsidiary's own revenue.
In October 2024, the Irish DPC applied this principle when fining LinkedIn EUR 310 million - using the turnover of its parent company, Microsoft Corporation, rather than LinkedIn's own revenue, to determine the applicable maximum. A February 2025 CJEU ruling in the ILVA case (C-383/23) further confirmed this approach.
Step 5: Test for Effectiveness, Proportionality, and Dissuasiveness
The final check asks whether the calculated fine achieves its three legal objectives under Article 83(1). Is it effective - does it achieve the goal of restoring compliance or punishing unlawful conduct? Is it proportionate - does it reflect the severity of the infringement without being excessive? Is it dissuasive - would it discourage the organisation (and others) from repeating the conduct?
If the fine fails any of these tests, the DPA can adjust it upwards or downwards, provided it stays within the legal maximum. In exceptional cases, a DPA may reduce a fine based on an organisation's inability to pay, considering its economic viability and specific financial circumstances.
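The five steps above, modelled in code as an added example (not the EDPB's own tool). It assumes the aggravating/mitigating factors of Step 3 are summarised by the caller as one net percentage adjustment (the guidelines give no fixed multipliers), does not model the SME reductions, and takes the turnover of the whole group, as Deutsche Wohnen requires.

```python
"""Worked model of the EDPB Guidelines 04/2022 fine calculation (added example)."""

# Article 83(4) and 83(5): static ceilings in EUR and percentage of worldwide turnover
STATIC_CAP = {4: 10_000_000, 5: 20_000_000}
TURNOVER_RATE = {4: 0.02, 5: 0.04}
# Step 2 seriousness bands as fractions of the applicable legal maximum
SERIOUSNESS_BANDS = {"low": (0.0, 0.10), "medium": (0.10, 0.20), "high": (0.20, 1.0)}


def applicable_tier(tiers):
    """Step 1 / Article 83(3): concurrent infringements from the same operation
    attract the ceiling of the gravest one, not the sum of all ceilings."""
    return max(tiers)


def legal_maximum(group_turnover, tier):
    """Step 4 ceiling: the higher of the static cap and the turnover percentage.
    group_turnover is the whole undertaking's worldwide turnover (Deutsche Wohnen)."""
    return max(STATIC_CAP[tier], TURNOVER_RATE[tier] * group_turnover)


def starting_range(group_turnover, tier, seriousness):
    """Step 2: the band of starting amounts for a given seriousness assessment."""
    low, high = SERIOUSNESS_BANDS[seriousness]
    maximum = legal_maximum(group_turnover, tier)
    return low * maximum, high * maximum


def calculate_fine(group_turnover, tiers, seriousness, starting_point, net_adjustment_pct):
    """Steps 1-4 combined. net_adjustment_pct is an assumed single figure summarising
    the Step 3 aggravating (+) and mitigating (-) factors; the result is always
    clamped to the legal maximum, however many aggravating factors apply."""
    tier = applicable_tier(tiers)
    low, high = starting_range(group_turnover, tier, seriousness)
    if not low <= starting_point <= high:
        raise ValueError(f"starting point must lie within the {seriousness} band")
    adjusted = starting_point + starting_point * net_adjustment_pct / 100
    return min(adjusted, legal_maximum(group_turnover, tier))


if __name__ == "__main__":
    # The page's own worked case: EUR 500 million turnover, upper-tier infringement
    print(legal_maximum(500_000_000, 5))                  # ceiling EUR 20 million
    print(starting_range(500_000_000, 5, "medium"))      # EUR 2-4 million
    # Cookie example: Articles 5, 7 and 13 breached by one operation, one ceiling applies
    print(calculate_fine(500_000_000, [5, 5, 5], "high", 18_000_000, 50))  # clamped
```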
The Largest GDPR Fines to Date
By early 2025, cumulative GDPR fines had reached approximately EUR 5.88 billion, according to the CMS Enforcement Tracker, with over 2,245 individual penalties recorded. The average fine across all countries stands at around EUR 2.36 million, though this figure is heavily skewed by a handful of massive penalties against technology companies.
| Organisation | Fine (EUR) | Year | DPA | Primary Violation |
|---|---|---|---|---|
| Meta (Facebook) | 1.2 billion | 2023 | Irish DPC | Unlawful data transfers to the US |
| Amazon | 746 million | 2021 | Luxembourg CNPD | Targeted advertising without valid consent |
| TikTok | 530 million | 2025 | Irish DPC | Data transfers to China without adequate safeguards |
| Instagram (Meta) | 405 million | 2022 | Irish DPC | Mishandling children's personal data |
| TikTok | 345 million | 2023 | Irish DPC | Children's data protection failures |
| LinkedIn (Microsoft) | 310 million | 2024 | Irish DPC | Behavioural analysis without proper consent |
| Uber | 290 million | 2024 | Dutch DPA | Improper transfer of drivers' data to the US |
| Meta (Facebook) | 251 million | 2024 | Irish DPC | 2018 data breach affecting 29 million users |
These headline figures paint only part of the picture. Spain's AEPD has issued over 930 fines - more than any other DPA - many of them targeting smaller businesses with penalties ranging from a few hundred to tens of thousands of euros. Italy, Romania, and Germany are also prolific enforcers. The pattern is clear: enforcement is not limited to Big Tech.
The Deutsche Wohnen Ruling and Its Impact on Fine Calculation
The CJEU's December 2023 judgment in the Deutsche Wohnen case (C-807/21) resolved two questions that had paralysed enforcement in Germany and Austria for years. The German real estate company had been fined EUR 14.5 million by the Berlin Data Protection Commissioner for retaining tenant data beyond its lawful storage period. Deutsche Wohnen challenged the fine on procedural grounds, and the case was ultimately referred to the CJEU.
The court ruled on two critical points. First, a fine can be imposed directly on a legal entity (a company) without first identifying and attributing the infringement to a specific natural person such as an employee or director. Second, liability is not strict - the authority must still prove that the infringement was committed intentionally or negligently. But the threshold for negligence is low: the CJEU stated that a controller acts negligently when it "could not be unaware of the infringing nature of its conduct," regardless of whether it specifically knew it was violating the GDPR.
For corporate groups, the ruling confirmed that the total turnover of the entire economic unit - not just the subsidiary that committed the infringement - determines the fine ceiling. This has direct practical consequences. A small subsidiary processing personal data unlawfully could expose its parent company to a fine calculated against the group's worldwide revenue.
What Triggers Enforcement: Common Reasons for Fines
Analysing the enforcement tracker data reveals recurring patterns. Five categories of infringement account for the vast majority of significant fines.
Insufficient legal basis for processing remains the most common trigger. This includes deploying tracking technologies such as cookies and pixels without obtaining valid consent, processing personal data for marketing purposes based on a misapplied legitimate interest claim, and collecting more data than is necessary for the stated purpose. If your website uses _ga, _fbp, or similar analytics and advertising cookies before the visitor has actively opted in, you are exposed to this category of risk.
Failures in international data transfers have produced the three largest fines in GDPR history. The invalidation of Privacy Shield in 2020 (Schrems II) and ongoing regulatory scepticism about Standard Contractual Clauses as a transfer mechanism for data sent to countries without an adequacy decision continue to generate enforcement actions.
Data breach mishandling - delayed notification, incomplete documentation, or inadequate security measures - is another frequent trigger. The GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach (Article 33). DPP Law Ltd in the UK received a GBP 60,000 fine in 2025 simply for delaying breach notification by 43 days.
Violations of data subject rights, particularly the righ