GDPR fines and enforcement in the EU

Updated April 2026 · EU GDPR Article 83 · EDPB & national DPAs

EU GDPR enforcement has produced some of the largest data protection penalties in history — from nine-figure fines against major technology companies to four-figure penalties against small businesses for SAR failures. Understanding the enforcement architecture, the penalty tiers, and what triggers investigations is directly relevant to building a compliant programme, because the enforcement pattern reveals what national DPAs treat as serious and what evidence they expect.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.
Research note

This page is derived from publicly available enforcement decisions published by national data protection authorities and the EDPB, and from aggregated enforcement databases as at April 2026. The EU GDPR enforcement landscape changes continuously — verify current decisions and amounts at the relevant national DPA websites and the EDPB enforcement tracker.

The two penalty tiers

Article 83 provides two tiers of administrative fine. The higher tier — for the most serious infringements of core GDPR obligations including the basic principles, consent conditions, and data subject rights — allows fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher. The lower tier — for less severe infringements including failure to implement appropriate security measures and breach notification failures — allows fines of up to €10 million or 2% of worldwide turnover.

Source: EU GDPR Articles 83(4) and 83(5)

Major enforcement actions

The largest GDPR fines have been imposed by the Irish Data Protection Commission under the one-stop-shop mechanism, which acts as lead supervisory authority for many major technology companies with their EU main establishment in Ireland. Meta has received multiple fines exceeding €1 billion in aggregate for violations across its platforms. Amazon received a €746 million fine from the Luxembourg CNPD. Google has been fined by the French CNIL, the Spanish AEPD, and other national DPAs. These large-scale fines reflect findings of systematic GDPR violations by organisations processing data at scale.

SME enforcement

GDPR enforcement is not limited to large technology companies. National DPAs across the EU actively investigate complaints and impose fines on small and medium-sized organisations. The most common SME violations are: failure to respond to subject access requests within one month; inadequate security measures leading to breaches; marketing without valid consent; and unlawful sharing of personal data with third parties. Fines against SMEs typically range from hundreds to tens of thousands of euros, calibrated to the organisation’s financial position.

Factors affecting penalty level

Article 83(2) requires DPAs to take into account: the nature, gravity, and duration of the infringement; the intentional or negligent character; steps taken to mitigate damage; the degree of cooperation; the categories of personal data involved; how the DPA became aware of the infringement; prior enforcement action; approved codes of conduct or certification; and any other applicable aggravating or mitigating factor. Proactive self-reporting, prompt cooperation, and demonstrable remedial action consistently produce better outcomes across EU jurisdictions.

One-stop-shop and cross-border cases

Organisations with establishments in multiple EU member states have a single lead supervisory authority — the DPA of the member state where the main establishment is located. Other concerned DPAs can participate in investigations and object to draft decisions. The consistency mechanism under Article 65 allows the EDPB to resolve disagreements between DPAs, ensuring consistent application across the EU. Organisations cannot choose their lead DPA solely by locating a small office in a member state with a permissive DPA — the main establishment criterion looks at where key decisions about processing are made.

Source: EU GDPR Articles 56, 60, 65; EDPB Guidelines 01/2022 on the lead supervisory authority

Beyond fines

DPAs have enforcement tools beyond financial penalties: reprimands (published); warnings; orders to bring processing into compliance; temporary or permanent bans on processing; orders to delete data; and orders to communicate a breach to the data subject. Published reprimands carry significant reputational risk, particularly for organisations whose clients include other data controllers who will conduct due diligence on their processors’ compliance records.

Record this. The GDPR enforcement record consistently shows that organisations with a documented compliance programme, a complete evidence record, and a history of self-reporting and cooperation receive materially better outcomes than those who cannot produce documentation. Compliance is not just a legal obligation — it is the primary enforcement defence.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.