GDPR’s fine structure was designed to be large enough to deter non-compliance from organisations of any size. Before GDPR, maximum fines under the EU data protection directive were typically measured in hundreds of thousands of euros at most — amounts that were economically irrelevant to large technology companies. GDPR’s upper tier of €20 million or 4% of global annual turnover changed the economics of non-compliance fundamentally.
Understanding how fines are calculated — the factors that DPAs weigh, the precedents set by major enforcement actions, and the behaviours that aggravate versus mitigate fine levels — is not just academic. It is the basis of a defensible compliance strategy that prioritises the right controls and maintains the right evidence. Compliance investment should be proportionate to enforcement risk, and enforcement risk is substantially shaped by documented programme quality and cooperative engagement.
The Two-Tier Fine Structure
GDPR ADMINISTRATIVE FINE TIERS
| Tier | Maximum Amount | Infringements Covered | Examples |
|---|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover (whichever is higher) | Obligations of controllers and processors (Art. 8, 11, 25-39, 42, 43); obligations of certification bodies; obligations of monitoring bodies | Failure to implement Privacy by Design; missing DPA; inadequate security measures; DPO obligations breached; breach notification failures |
| Upper tier | €20 million or 4% of global annual turnover (whichever is higher) | Basic principles (Art. 5, 6, 7, 9); data subjects’ rights (Art. 12-22); international transfer rules (Art. 44-49); national law obligations under Art. 85-91 | Processing without lawful basis; unlawful special category processing; ignoring data subject rights; unlawful international transfers; principle violations |
It is important to note that the maximum fine figures are just that — maximums. DPAs have wide discretion in fine-setting within these ceilings. The vast majority of GDPR enforcement actions result in fines substantially below the maximum, particularly for first-time violations by organisations with genuine compliance programmes that have remediated the issue. The maximum figures represent the regulatory ceiling, not the expected outcome.
Fine-Setting Factors Under Article 83(2)
Article 83(2) specifies the factors DPAs must take into account when deciding whether to impose a fine and determining its amount. Each factor can weigh either way: the same consideration counts as aggravating in one case and mitigating in another. An organisation that scores well on cooperation, responsiveness, and remediation while scoring poorly on technical safeguards presents a very different profile from one that scores poorly on all dimensions.
ARTICLE 83(2) FINE-SETTING FACTORS
| Factor | Aggravating | Mitigating |
|---|---|---|
| Nature, gravity, duration | Systemic, large-scale violation sustained over a long period; high-value personal data (financial, health, children) | Single incident; limited duration; low sensitivity data; prompt containment |
| Intentional or negligent character | Deliberate violation; conscious decision to process without lawful basis; willful disregard of rights | Genuine accident; negligence rather than intent; process failure rather than deliberate choice |
| Actions to mitigate damage | No steps taken to reduce harm to data subjects; delays in remediation; harm not addressed | Prompt remediation; proactive data subject support; credit monitoring offered; legal claims supported |
| Degree of responsibility (technical/organisational measures) | No security measures; no policies; no training; no DPO where required; obvious technical failures | Strong security programme; ISO 27001; documented TOMs; proportionate measures in place; gap was isolated |
| Prior infringements | Previous enforcement actions; repeated non-compliance in same area; DPA warnings ignored | No prior infringements; strong compliance history; proactive engagement with DPA before incident |
| Cooperation with DPA | Non-responsive; legal challenges to DPA jurisdiction; delayed production of evidence; obstructive behaviour | Prompt and transparent engagement; evidence provided voluntarily; remediation communicated proactively |
| Categories of data involved | Special category data (health, biometric, racial origin); financial data; children’s data; data enabling identity fraud | Non-sensitive contact data; data with limited harm potential |
| Notification by controller (self-reporting) | DPA discovered violation independently; controller concealed breach; late notification | Controller proactively notified DPA; transparency about the incident; voluntary disclosure of related issues |
| Certification / codes of conduct adherence | No certification; no adherence to any sector code; baseline compliance only | DPA-approved certification held; adherence to approved code of conduct; independent audit evidence |
Significant Enforcement Actions: Lessons Since 2018
The major enforcement actions since GDPR came into force in May 2018 reveal consistent patterns in what triggers large fines and what DPAs find most egregious. The following cases are selected not for their fine amounts alone, but for the compliance lessons they illustrate.
SIGNIFICANT GDPR ENFORCEMENT CASES — KEY LESSONS
| Case | Fine | Core Violation | Key Compliance Lesson |
|---|---|---|---|
| Meta (Facebook) — Irish DPC, 2023 | €1.2 billion | Unlawful transfers of EU user data to the United States via SCCs post-Schrems II without adequate safeguards; US surveillance law prevents SCCs from protecting data in practice | SCCs alone are insufficient for US transfers where surveillance law creates conflicts; TIA must be completed and supplementary measures implemented or transfers must cease |
| Amazon — Luxembourg DPA, 2021 | €746 million | Cookie-based advertising processing without valid consent; consent mechanisms did not meet GDPR standard | Pre-ticked boxes and bundled consent for advertising do not satisfy Art. 7; consent for advertising must be freely given, specific, and unambiguous |
| WhatsApp — Irish DPC, 2021 | €225 million | Transparency failures: insufficient disclosure to users and non-users about how data was processed; inadequate privacy notice | Privacy notice must clearly explain who controls data, what is processed, and why; insufficient transparency is an upper-tier violation |
| Google (France) — CNIL, 2019 | €50 million | Lack of transparency; inadequate consent for personalised advertising; information spread across multiple documents making it inaccessible | Consent for advertising must be specific to each purpose; privacy notice must be accessible and complete on the first interaction |
| British Airways — ICO, 2020 | €22 million (reduced) | Data breach: attackers harvested personal and payment data of 400,000 customers through a skimming attack on the website | Technical security measures must be proportionate; security not reviewed after subcontractor changes; penetration testing could have detected the attack earlier |
| H&M — Hamburg DPA, 2020 | €35.3 million | Extensive illegal surveillance of employees: detailed personal and health data collected; supervisors had broad access; data retained for years | Employee monitoring must have a lawful basis; special category employee data requires explicit consent or employment law basis; access to sensitive HR data must be limited |
| Clearview AI — multiple DPAs, 2022–23 | €5–20 million per DPA | Scraping publicly available facial images; processing biometric data without lawful basis; no legitimate interest sufficient; no transparency to data subjects | Biometric data processing requires explicit consent or specific exemption; ‘public availability’ is not a lawful basis; scraping does not override Art. 9 |
Reducing Enforcement Risk
The patterns in GDPR enforcement reveal the areas where DPAs consistently find the most serious violations: unlawful or opaque advertising data processing; inadequate consent mechanisms; insufficient transparency; unlawful cross-border transfers; and failure to implement proportionate security measures. Organisations that have genuine controls in these areas, and can demonstrate them through their accountability evidence portfolio, are materially less exposed than those that do not.
ENFORCEMENT RISK REDUCTION — PRIORITY CONTROLS
| Risk Area | Priority Control | Accountability Evidence |
|---|---|---|
| Advertising and consent | Consent mechanism technically compliant with Art. 7; granular, purpose-specific consent; no pre-ticking; dark pattern-free design; regular CMP audit | Consent audit records; CMP configuration documentation; A/B test or UX design records showing non-coercive design |
| International transfers | Transfer mechanism register; TIA for all non-adequate countries; SCCs current version; DPF certification verified for US recipients | Transfer register; executed SCCs; TIA records; DPF verification records |
| Transparency | Layered privacy notice updated whenever processing changes; just-in-time notices at collection points; notice version history maintained | Notice version archive; update log; record of notice in effect at each date |
| Security | ISO 27001 or equivalent security programme; penetration testing at least annually; vulnerability management; access controls reviewed regularly | ISO 27001 certificate; pen test reports; vulnerability management records; access review records |
| Data subject rights | Rights request procedure with 30-day deadline met; log of all requests and outcomes; exemption decisions documented | Rights request log; SAR response times; exemption decision records |
| Breach response | Incident response procedure with 72-hour notification path; breach register maintained; post-incident reviews conducted | Breach register; notification records; post-incident review reports |
BITLION INSIGHT
DPA enforcement priorities shift over time as guidance matures, technology evolves, and political attention focuses on particular sectors or practices. Organisations that invest in continuous monitoring of DPA guidance, EDPB opinions, and enforcement announcements maintain a better picture of where enforcement risk is concentrating than those that treat compliance as a one-time exercise. The most effective compliance programmes treat DPA enforcement intelligence as an input to risk prioritisation — not just as interesting news.