
The Biggest GDPR Fines of 2024 and Previous Years

By: Sarah Hofmann Compliance | 20 March

Although companies have been adapting to the GDPR for years now, the enforcement of GDPR violations is still relatively new to regulatory bodies. The novelty of the GDPR leaves regulators with little precedent to refer to and many supervisory authorities are still working out the best way to enforce the GDPR. In this post, we break down the rules you need to know about how GDPR violations are fined. We also spotlight some of the biggest GDPR fines from 2024 back to 2020.

To learn more about how you can avoid GDPR violations, and train your team in the importance of secure data handling, we offer a course on taking responsibility for personal data.


Rules for GDPR Fines

Fines for GDPR violations are administered by each country’s supervisory authority. Supervisory authorities are responsible for investigating GDPR compliance within their borders and imposing fines for GDPR violations. All supervisory authorities enforce the GDPR, but there is some variation in how different supervisory authorities prioritize which GDPR violations to penalize.  

Even though each supervisory authority decides how it enforces the GDPR, they all abide by the same rules governing fines. These rules state that less severe violations can cost an organization up to €10 million or 2% of its global annual turnover for the preceding financial year, whichever is higher, and that the maximum GDPR fine for more severe breaches is up to €20 million or 4% of global annual turnover, again whichever is higher.
 

Interpretations vary among supervisory authorities

Though bound by the same principles in the GDPR, these supervisory authorities don’t always enforce the GDPR consistently. This is why it’s important that you get to know how your supervisory authority tends to implement fines – for example, the GDPR breaches that are fined most often and the types of businesses penalized. Each supervisory authority has a limited number of resources to investigate compliance and administer fines. Some supervisory authorities may use these resources to compile large cases against big companies, resulting in fewer but higher fines. Other supervisory authorities may prioritize investigating violations on a smaller scale, resulting in more fines of lesser amounts that are usually directed at smaller companies. 
 
For example, supervisory authorities in the UK, Ireland, and Luxembourg make the news by issuing large, high-profile fines. On the other hand, authorities in Italy and Spain impose a greater number of fines but for smaller amounts. A good starting place is to see how your supervisory authority acts.

The size of your business matters

All organizations are required to comply with the GDPR, but the size of fines for GDPR breaches varies according to company size. Since the language only lists maximum GDPR fines for severe and less severe violations, it allows a great amount of flexibility for fine amounts. In addition to the severity of the violation, the supervisory authority considers a company’s size and revenue when deciding the penalty. 
 
The flexibility in fine amounts means that many companies can negotiate reduced GDPR penalties. This flexibility also helps ensure that a minor infraction won’t put a company out of business, but you should still avoid fines since a company’s history of GDPR violations can affect the severity of the fine. We have a guide on how you can make sure that your organization is GDPR compliant.

GDPR penalties come in two tiers

So, how are fines determined? Now, we’ll cover the legal guidelines that supervisory authorities use when evaluating GDPR violations and giving out fines. 
 
The main guideline is that all GDPR violations are evaluated and fined in two different categories, depending on their severity. Of course, the more severe infringements come with a higher penalty. The maximum GDPR fine for less severe violations is €10 million or 2% of revenue, while fines for more severe violations cannot exceed €20 million or 4% of revenue. 
 
Let’s get into these categories further with a few details about the kinds of GDPR violations associated with each tier.

Maximum GDPR fine for minor breaches: up to €10 million or 2% of global annual revenue for the previous year – whichever is higher

Less severe GDPR violations fall under these categories, which are primarily related to data processing and lawful basis:

  • Children’s consent (Article 8).

  • Processing that does not require identification (Article 11).

  • Obligations of data processors and controllers (Articles 25-39).

  • Responsibilities of monitoring bodies (Article 41) and certification bodies (Articles 42-43) to follow transparent and unbiased evaluation processes.

For example, in 2020 the Hungarian data protection authority issued a €55,000 fine to a travel agency (Robinson-Tours) for failing to have appropriate measures in place to protect personal data. The lack of appropriate protection measures resulted in data subjects' personal data being exposed online for several months. Robinson-Tours' data processor was partially at fault for the exposure and also received a fine, although a smaller one. This case shows why it is important for data controllers to ensure that their data processors have sufficient security measures in place.

Knowing the legal requirements for processing personal data can help you educate your staff on how to safely and legally process personal data.

Maximum GDPR fine for severe violations: up to €20 million or 4% of global annual revenue for the previous year – whichever is higher

Severe violations are a result of actions that go against the right to privacy that is central to the GDPR. Infringements that can result in these higher fines are related to violations of:

  • GDPR’s basic processing principles – processing personal data, lawfulness, and special categories of personal data (Articles 5, 6, and 9).

  • Conditions for consent (Article 7).

  • Data subjects’ rights (Articles 12-22).

  • Transfer of data to an international organization or a recipient in a third country (Articles 44-49).

  • Obligations under the national data protection laws that Member States adopt under Chapter IX of the GDPR.

  • Failure to comply with orders issued by a supervisory authority.

For example, a violation that falls into the more severe category is WhatsApp’s lack of transparency in data processing. WhatsApp was issued a fine of €225 million in 2021 for making their handling of user data unclear and difficult to understand. Since this violation goes against one of the seven principles of the GDPR, it qualifies as a severe breach and resulted in a massive fine.

Criteria that impact fines for GDPR breaches

As mentioned already, the GDPR leaves a lot of room for flexibility by only listing the maximum fines that can be administered. Once a supervisory authority has determined which tier the breach falls into, it has to decide how big the fine should be. The fine could be anywhere from zero up to €10 million or €20 million (or up to 2% or 4% of a company's annual turnover). It's quite a wide range! So, how do they decide how big a fine should be?
 
To guide supervisory authorities, the GDPR lists the following criteria to consider when determining penalties for GDPR violations:

  • Gravity and nature: What happened and how? How many people were impacted and how much damage did they suffer? How long did it take to resolve?

  • Intention: Was it intentional or the result of negligence?

  • Mitigation: Attempts by the firm to reduce the harm done to the data subjects.

  • Precautionary measures: Security measures the firm had in place.

  • History: Previous breaches of the GDPR and Data Protection Directive.

  • Cooperation: Degree of cooperation with the supervisory authority to identify and rectify the violation.

  • Data category: Type of personal data impacted.

  • Notification: Did the firm proactively notify the supervisory authority of the violation?

  • Certification: Was the firm certified or abiding by codes of conduct?

  • Aggravating/mitigatory factors: Further issues that arose from the infringement, e.g., if the firm experienced financial benefit from the violation.

If an organization commits several related GDPR violations in the same or linked processing operations, the total fine cannot exceed the maximum set for the gravest of those infringements. Violations that are not related to the same processing activity can be fined separately.

When evaluating these criteria, the supervisory authority will favor a larger fine if the company shows poor results in several of the categories. On the other hand, if the company made a strong effort to comply with the GDPR, a lesser fine will be favored. 

Looking at IBM's 2023 Cost of a Data Breach report makes it possible to estimate the cost of some common data breaches while considering factors such as company size.

Other considerations for GDPR fines

As you’ve now read, there are a lot of things that affect how big a GDPR fine could be. Here are some other things to consider. 

Data controllers are responsible for ensuring that their data processors are compliant

It’s important to note that data controllers are responsible for the data processors that they use. You should always work with data processors that have strong security measures and comply with the GDPR, since data controllers can be penalized for violations caused by their processors. Verifying the compliance of your data processors can save your company a lot of money in fines, especially in cases where a data breach may occur. Having a data processing agreement is one of the first steps in this relationship.

Data subjects can request compensation  

In addition to the fines that can be levied by data supervisory authorities, the GDPR allows data subjects to seek compensation from organizations when they have experienced harm as a result of that organization's GDPR violation. This condition is outlined in Article 82 of the GDPR. This means that in some cases, the financial impact of a GDPR violation could be larger than the fine imposed if data subjects request compensation as well. Compensation requests from many data subjects can add to the resource and financial burden of GDPR violations, since it takes time to review and potentially appeal the compensation requests.

How GDPR compliance is enforced in practice

Now that we've gone through the rules for how GDPR violations are fined, we'll cover how the enforcement of these fines is going in practice. We'll start with an overview of the largest GDPR fines from 2020 to 2024 and how they could have been avoided. Then, we'll cover trends in GDPR penalties and what they mean for an average company.

Biggest GDPR fines from 2024

Here we go. Let's have a look at the biggest GDPR fines from last year. Afterwards, we'll dive into 2020-2023 as well. 

This year, the fines were slightly smaller than in 2023. However, we still saw another round of massive GDPR fines, with big tech companies remaining the primary targets. A growing number of fines also hit financial services, energy providers, and healthcare companies, signaling a broader enforcement scope. Below, we outline the biggest GDPR fines of 2024 and key trends that shaped the year’s enforcement actions.

 

1st Place - LinkedIn
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €310 million
Reason: Unlawful behavioral tracking and targeted advertising practices.
How the violation and fine could have been avoided: LinkedIn should have made sure it had valid consent from users before processing their data for behavioral analysis and targeted advertising.

2nd Place - A known ride-hailing app
Supervisory Authority: Dutch DPA
Fine (penalty): €290 million
Reason: Unlawful transfers of personal data to a third country.
How the violation and fine could have been avoided: Good old Schrems again. Be extremely careful about sending personal data to third countries and make sure you are actually allowed to, with a valid transfer mechanism in place. Often, you are not. Keep your data in the EU if you want to be safe.

3rd Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €251 million
Reason: A large-scale data breach that affected around 3 million EU users. Security vulnerabilities exposed users' personal data.
How the violation and fine could have been avoided: This one is hard to judge from the outside. The general lesson is to build security into systems from the start and to handle breach notification properly; beyond that, we cannot say how this specific breach could have been prevented, since we do not know the details of the case.

 

Biggest GDPR fines from 2023

The largest GDPR fine from 2023 went, once again, to Meta. Meta was fined €1.2 billion for unlawfully transferring personal data from the EEA to the US, following the Schrems II judgment.

The second-biggest fine also went to Meta. The third-biggest fine went to a new player, TikTok, for processing children's data improperly: children's accounts were public by default, so their videos were visible to everyone and comments were enabled by default, and the platform's age-verification approach was also examined. These default settings violated the GDPR.

All three fines were imposed by the Irish Data Protection Commission.

1st Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €1.2 billion
Reason: Transferring personal data from the EEA to the US without adequate safeguards after Schrems II - unlawful processing of personal data.
How the violation and fine could have been avoided: Either keep EEA users' data in the EEA or put a valid, properly assessed transfer mechanism in place before transferring it.

2nd Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €390 million
Reason: Relying on "contractual necessity" in the terms of service, rather than valid consent, as the legal basis for personalized and behavioral ads on Facebook and Instagram, combined with transparency failures. These are the same Facebook (€210 million) and Instagram (€180 million) decisions listed under 2022 below; they were announced in January 2023.
How the violation and fine could have been avoided: Obtain valid consent (or establish another valid legal basis) from users before showing behavioral ads, and explain the processing clearly.

3rd Place - TikTok
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €345 million
Reason: TikTok processed children's data improperly.
How the violation and fine could have been avoided: Follow the GDPR's requirements on processing personal data involving children, starting with private-by-default settings for children's accounts.

Biggest GDPR fines from 2022

The largest GDPR fines from 2022 show us that the Irish Data Protection Commission has been heavy-handed in giving out penalties. All three of the biggest GDPR fines were given out by the Irish data protection authority, and they were all directed at one company – Meta. Meta was fined more than €880 million in 2022 for GDPR breaches within Facebook and Instagram. So, the GDPR penalties from 2022 tell us that big companies like Meta are being used to set an example for other companies that process large amounts of personal data.  

1st Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €405 million
Reason: Meta was fined for mishandling child users' data on Instagram, where children's accounts were public by default.
How the violation and fine could have been avoided: Keep the accounts and data of young users private by default.

2nd Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €265 million
Reason: A data breach resulted in the personal data of over 500 million Facebook users being published online.
How the violation and fine could have been avoided: Protect systems from unauthorized data scraping.

3rd Place - Meta
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €210 million
Reason: Meta relied on "contractual necessity" in its terms of service, effectively forcing Facebook users to accept the processing of their data for targeted ads, rather than obtaining valid consent. The 4th highest fine (€180 million) was also given to Meta for the same GDPR violation on Instagram.
How the violation and fine could have been avoided: Provide sufficient clarity about data processing for behavioral ads and have a valid legal basis for it.

Biggest GDPR fines from 2021

In 2021 the Luxembourg National Commission for Data Protection fined the U.S. online retailer Amazon €746 million. At the time this was the largest GDPR fine ever issued; it has since been surpassed only by Meta's €1.2 billion fine in 2023.

1st Place - Amazon
Supervisory Authority: Luxembourg's data protection authority, the CNPD
Fine (penalty): €746 million
Reason: Amazon was fined for non-compliance with consent requirements for processing personal data for targeted advertising, including cookie consent.
How the violation and fine could have been avoided: Don't force users to agree to cookies or make it difficult to opt out of cookies.

2nd Place - WhatsApp Ireland
Supervisory Authority: Irish Data Protection Commission (DPC)
Fine (penalty): €225 million
Reason: WhatsApp Ireland Limited was fined for failing to comply with the GDPR's transparency requirements. WhatsApp has appealed the decision. Read the full story to learn why the fine against WhatsApp was quadrupled after the European Data Protection Board's binding decision and what your organization can do to avoid making the same mistakes.
How the violation and fine could have been avoided: Provide privacy information in a format that is easy to access and in the right language. Explain what your legitimate interests are for each data processing operation.

3rd Place - Notebooksbilliger.de (NBB)
Supervisory Authority: State Commissioner for Data Protection in Lower Saxony
Fine (penalty): €10.4 million
Reason: The German electronics retailer notebooksbilliger.de (NBB) was fined for its use of CCTV video surveillance to monitor employees and customers.
How the violation and fine could have been avoided: If you use CCTV, make sure you use it for a legitimate reason and in proportion to a specific problem.

Biggest GDPR fines from 2020 

Prior to 2021, the largest GDPR fine was the €50 million fine that France's CNIL issued to Google. That fine was actually imposed in January 2019 and upheld by France's Conseil d'État in June 2020, which is why it is often listed alongside the 2020 fines.

1st Place - Google
Supervisory Authority: France's data protection authority, CNIL
Fine (penalty): €50 million
Reason: Google was fined for failing to adequately explain how it processes data and for lacking a valid legal basis for processing data for personalized advertising.
How the violation and fine could have been avoided: Provide adequate information in your consent policy and give users sufficient control over how their data is processed.

2nd Place - H&M
Supervisory Authority: The Hamburg Commissioner for Data Protection and Freedom of Information
Fine (penalty): €35.26 million
Reason: The global retailer H&M was fined for excessive monitoring of employees at a service centre: managers recorded details of employees' private lives, health and religious beliefs without a legal basis.
How the violation and fine could have been avoided: Practice data minimization. Don't process personal data unless you need to, especially sensitive data about health or religious beliefs. If you collect this information, you need strict access controls and rules for its use.

3rd Place - Telecom Italia (TIM)
Supervisory Authority: Italy's data protection authority, the Garante
Fine (penalty): €27.8 million
Reason: The telecommunications operator was fined for aggressive marketing practices, for failing to adequately explain how it processes data, for lacking a legal basis for processing and more.
How the violation and fine could have been avoided: Carefully manage lists of data subjects. Create and abide by marketing opt-ins and opt-outs.

Trends in GDPR penalties and compliance

Now, we’ll go over what can be learned from last year’s GDPR fines.

2024 was another year of substantial GDPR fines, even though the total was slightly below 2023. According to DLA Piper's survey, there are a few common reasons for GDPR fines in 2024. These should be priorities for you if you want to stay on the safe side going forward:

1. Unlawful data processing and lack of consent

  • Many fines targeted companies for processing personal data without valid consent or on inadequate legal bases.

  • Example: LinkedIn's €310M fine for behavioral tracking and targeted advertising without valid user consent.

2. Inadequate security measures and data breaches

  • Multiple companies were fined for failing to implement adequate security measures, leading to data breaches.

  • Example: Meta's €251M fine related to a Facebook breach affecting 3 million EU users.

3. Unlawful data transfers to third countries

  • Companies were penalized for transferring personal data outside the EU without proper safeguards.

  • Example: A major ride-hailing app's €290M fine from the Dutch DPA for improper data transfers to the U.S.

4. Transparency violations

  • Many fines were linked to violations of the GDPR's transparency principle (Article 5(1)(a)).

  • Example: Clearview AI's €30.5M fine for unlawfully collecting biometric data without informing the people concerned.

5. Lack of proper governance and oversight

  • Poor governance structures contributed to several enforcement actions.

  • Example: The Dutch DPA is considering holding Clearview AI's directors personally liable, potentially a shift toward executive accountability for GDPR violations.

These trends indicate that regulators are broadening their enforcement scope beyond just Big Tech, reinforcing GDPR compliance requirements across all industries.

Expectations for GDPR penalties in 2025

In their 2024 GDPR Fines and Data Breach report, DLA Piper anticipates which GDPR violations will be prioritized for enforcement in 2025.  

Here’s what DLA Piper expects to see in 2025:

    1. The legality of “consent or pay” models: Large online platforms like Meta and Google face ongoing scrutiny over whether they can require users to pay for an ad-free experience.

    2. More investigations into AI data processing: Regulators will continue assessing whether AI-driven tools comply with GDPR.

    3. Personal liability for company executives: If the Dutch DPA successfully holds Clearview AI’s management personally responsible, we may see similar actions against executives in other industries.

    4. Continued enforcement of data transfer laws: Companies transferring personal data outside the EU will remain a key regulatory focus.

How to avoid receiving a GDPR fine

Well, put simply, the easiest way to avoid receiving a GDPR penalty is to be compliant. Of course, this is easier said than done, and we know that achieving GDPR compliance is no simple task. When your organization experiences a data breach and reports it to the supervisory authority, this triggers an investigation into your company's data security and compliance, which can result in your company receiving a fine.
 
So, one way to avoid receiving a GDPR fine is to protect your organization from data breaches and the investigation that follows. In other words, don’t subject yourself to unnecessary investigations. 

We have written a guide with everything you need to know in order to comply with the GDPR, to make sure that you are meeting all the requirements.  
 
Another way to avoid a GDPR fine is to ensure that your data transfers are compliant, since transfers are gaining priority among supervisory authorities. Our recommendations on adapting to the Schrems II ruling can provide some guidance. 

Besides practicing safe data transfers, organizations must have a process for safely deleting data that they no longer need or have the right to process.

Protect your organization from a data breach

As mentioned, preventing data breaches is the best way to avoid GDPR fines. Data breaches are most often caused by human error – for example, when an employee accidentally clicks on a malicious email. For this reason, one of the best strategies to prevent a data breach within your organization is to train your team. And, since training is a requirement for GDPR compliance, training is a win-win. You can strengthen your training efforts by introducing different kinds of training, such as phishing testing, and by focusing on creating a strong security culture within your company.

We at CyberPilot offer awareness training to help organizations stay compliant with the GDPR and build stronger resilience against IT threats. We currently offer a free trial of our awareness training program.

Spotlight: Data breach notifications per day

One way to predict GDPR fines for the coming year is to look at the number of data breach notifications supervisory authorities receive daily.

The table below shows the number of breach notifications received by the supervisory authorities in a few countries, normalised by population. For easy comparison, the notifications are shown per 100,000 inhabitants.

The numbers have been decreasing a bit over the last couple of years. Maybe the focus on the GDPR is not as intense as it was when the regulation first took effect.

It's also worth noting that a lot of notifications does not equal a lot of fines. Denmark has been in the top 5 for breach notifications two years in a row, but the Danish authority has not issued many fines.

Country          Breach notifications per 100,000 inhabitants
Netherlands      188.33
Liechtenstein    144.98
Finland          137.18
Denmark          119.95
Ireland          109.49
Norway            67.69
Luxembourg        65.43

 

What does this mean for an average company? 

Although the biggest fines for GDPR breaches are what make the news, small and mid-sized companies are also held accountable to the GDPR. While a smaller company is unlikely to receive a massive fine, any fine will undoubtedly affect a company’s profitability and reputation.  

Smaller companies should prioritize compliance in the areas that were prominent causes of fines in recent years. For example, an average company should maintain adequate security measures, abide by the principles of transparency and legal basis, notify the appropriate parties in the event of a breach, and practice secure data minimization. Special attention should be paid to employee training, which reduces the likelihood of a breach, and to international data transfers.  

Even though GDPR fines remain substantial, there is no need to panic about them. We are all still learning how fines are prioritized, and the supervisory authorities are still establishing their own processes. As long as you keep an eye on fines within your country and avoid the same kinds of mistakes, your company should be safe.

Final words 

2024 was another major year for GDPR enforcement, with roughly €1.2 billion in fines issued. While tech giants remain the biggest targets, other industries, especially financial services and energy, are now facing increased scrutiny. The focus on AI enforcement and personal liability marks a potential shift in GDPR regulation, which may shape enforcement actions in 2025 and beyond.

With privacy laws evolving rapidly, businesses must stay ahead of GDPR compliance trends to avoid becoming the next headline fine case. Stay tuned for updates as GDPR enforcement continues to develop.

 

People also ask

What is a GDPR breach?

In everyday use, "GDPR breach" covers two things. It can mean any violation of the General Data Protection Regulation's requirements, such as processing personal data without a legal basis. It can also mean a personal data breach in the narrower sense of Article 4(12): a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Either can result in harm to the data subjects and in enforcement action.

What is the penalty for not complying with GDPR?

Non-compliance with GDPR can result in fines of up to €20 million or 4% of a company's global annual turnover, whichever is greater. Additionally, data subjects may also have the right to seek compensation for damages suffered as a result of the non-compliance.

How do I report a data breach as an individual?

If you believe your personal data has been compromised, you should notify the organisation responsible for storing the data as soon as possible. You can also report the breach to the Danish Data Protection Agency (Datatilsynet) in Denmark, which is responsible for enforcing data protection laws.