The General Data Protection Regulation (GDPR) is one of the most significant developments in data protection law to date. Since it became effective on May 25, 2018, it has given people more control over their personal data and has changed the way organizations collect, store and handle that data. Besides its broad scope and wide applicability, the GDPR is also known for the eye-watering fines it allows against organizations that violate it.
The law does not exempt organizations on the basis of their size. Many large companies, such as Meta (formerly Facebook), Amazon and Google, have been investigated under the GDPR and sanctioned with huge fines for violating its rules, and since it came into effect many smaller organizations have been fined as well.

In this post, we will discuss the consequences of failing to comply with the GDPR and how severe GDPR fines can be. We will also list the 20 biggest GDPR fines imposed so far.
What are the fines and penalties under GDPR?
Under the General Data Protection Regulation (GDPR) [Art. 83], there is a two-tier system of administrative fines depending on the nature and severity of the infringement.
For tier 1 infringements, up to €10 million or 2% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher.
For tier 2 infringements, up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher.
The tier 1 fines apply to infringements of the obligations of controllers, processors, certification bodies and monitoring bodies [Art. 83(4)], for example:
- Conditions for a child's consent to online services, i.e. collecting children's personal data without parental consent where it is required (Art. 8).
- Processing that does not require identification of the data subject (Art. 11).
- Data protection by design and by default (Art. 25).
- Arrangements between joint controllers (Art. 26).
- Engaging processors (third parties) and the contracts that must govern them (Art. 28).
- Keeping records of processing activities (Art. 30).
- Security of processing, i.e. appropriate technical and organizational measures (Art. 32).
- Notifying the supervisory authority and the affected individuals of a personal data breach (Arts. 33 and 34).
- Carrying out a data protection impact assessment (Art. 35).
- Designating a data protection officer and supporting their tasks (Arts. 37 to 39).
- Obligations of certification bodies and monitoring bodies (Arts. 41 to 43).
The tier 2 fines apply to infringements of [Art. 83(5)]:
- The basic principles for processing, including the conditions for consent (Arts. 5, 6, 7 and 9).
- The rights of data subjects (Arts. 12 to 22).
- Transfers of personal data to a third country or an international organisation (Arts. 44 to 49).
- Obligations under Member State law adopted under Chapter IX of the GDPR.
- Non-compliance with an order, a temporary or definitive limitation on processing or a suspension of data flows issued by a supervisory authority, or failure to give the authority access (Art. 58).
Not all GDPR infringements result in financial penalties. Depending on the nature of the violation, the supervisory authority (the national data protection authority, or DPA) can use its other corrective powers under Art. 58(2): a warning or reprimand, an order to comply with a data subject's request, a temporary or definitive ban on processing, an order to rectify or erase data, or a suspension of data flows to a recipient in a third country. These measures can be combined with a fine.
The fines are set high enough to pressure businesses into making their systems secure and robust, and to discourage organizations from taking risks with users' personal data, since a violation can seriously damage their reputation and their business.
Individuals' right to compensation:
According to Art. 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement can claim compensation from the controller or processor, and can go to court to enforce that right. The organization is liable unless it proves that it is in no way responsible for the event giving rise to the damage.
What are the criteria for imposing GDPR fines?
GDPR fines are decided on a case-by-case basis by the supervisory authority, within the caps above, and vary with the circumstances. Member States have some latitude of their own: they decide whether public authorities can be fined [Art. 83(7)] and lay down the rules on penalties other than administrative fines [Art. 84].
When deciding whether to impose an administrative fine, and how much, the authority must give due regard to the following in each individual case [Art. 83(2)]:
- the nature, gravity and duration of the infringement, taking into account the purpose of the processing, the number of data subjects affected and the level of damage they suffered;
- whether the infringement was intentional or negligent;
- any action taken by the organization to mitigate the damage suffered by data subjects;
- the degree of responsibility of the organization, taking into account the technical and organizational measures it had implemented;
- any relevant previous infringements by the organization;
- the degree of cooperation with the supervisory authority in remedying the infringement and mitigating its effects;
- the categories of personal data affected;
- how the supervisory authority became aware of the infringement, in particular whether, and to what extent, the organization notified it;
- where corrective measures have previously been ordered against the organization for the same subject matter, whether it complied with them;
- adherence to approved codes of conduct or certification mechanisms; and
- any other aggravating or mitigating factor, such as financial benefits gained, or losses avoided, through the infringement.
Where the same or linked processing operations infringe several provisions, the total fine cannot exceed the amount specified for the gravest infringement [Art. 83(3)]. Member States lay down the rules on other penalties for infringements not covered by administrative fines and must take all measures necessary to ensure they are implemented [Art. 84].
How to avoid GDPR fines and penalties?
The GDPR is a regulatory framework that applies to the processing of the personal data of individuals in the EU/EEA, regardless of their citizenship, and it also binds organizations outside the EU that offer goods or services to, or monitor the behaviour of, those individuals [Art. 3]. It gives individuals enforceable privacy rights and imposes obligations on organizations, such as data protection by design and by default. Any organization that collects or processes personal data within its scope must comply with its provisions.
You need to be GDPR compliant if you would like your company not to be fined or suffer other sanctions for violating GDPR requirements.
The key points an organization must follow to avoid GDPR fines and penalties are:
- Understand the personal data you require. Map what you collect, how sensitive it is, why you need it, where and for how long you store it, whom you share it with, and what happens to it once its purpose is fulfilled. The protection and security you must provide depend on these answers.
- Identify the purpose and the lawful basis before collecting personal data. Processing is lawful only under one of the six bases in Art. 6: consent, performance of a contract, a legal obligation, vital interests, a task carried out in the public interest, or legitimate interests. Special categories of data (health, religion, biometrics and so on) additionally require one of the Art. 9 conditions, such as explicit consent.
- Adopt and maintain data protection by design and by default [Art. 25].
- Where you rely on consent, make sure it is valid: freely given, specific, informed, unambiguous, as easy to withdraw as to give, and provable, meaning you can show who consented to what and when [Art. 7]. For online services offered directly to children, consent must come from the holder of parental responsibility for children below the age of digital consent (16 under the GDPR, which Member States may lower to 13) [Art. 8].
- Do not collect more data than the purpose requires, and do not use it for other, incompatible purposes (data minimisation and purpose limitation) [Art. 5].
- Update your privacy policy to tell users what you collect, why, on what lawful basis, how long you keep it, and with whom it is shared.
- Allow users to exercise their rights (access, rectification, erasure, objection, portability and so on) and respond without undue delay, and at the latest within one month of the request [Art. 12].
- Delete or anonymise personal data as soon as its purpose has been fulfilled.
- Ensure that the third parties (processors) you share data with are GDPR compliant and bound by an Art. 28 contract.
- Ensure proper safeguards for cross-border transfers. Personal data may leave the EU/EEA only to a country covered by an adequacy decision, under appropriate safeguards such as standard contractual clauses or binding corporate rules (backed by an assessment that the destination country's law does not undermine them), or under one of the narrow derogations of Art. 49.
- Ensure adequate security measures against breaches and other threats [Art. 32]. If a breach occurs, notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals [Art. 33], and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them [Art. 34]. The notification must describe the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, the measures taken or proposed to address it, and the contact details of your DPO; the notice to individuals should also tell them what they can do to protect themselves. Keep an internal record of every breach, whether or not it was notified [Art. 33(5)].
- Document your processing activities [Art. 30] so they can be reviewed and improved.
- Train your team on the GDPR and its requirements.
- Appoint a data protection officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data or criminal conviction data [Art. 37].
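As an added example (not CookieYes code and not part of the original post), the following Node.js module encodes the consent conditions from the list above as decision logic: nothing but strictly necessary cookies runs without a valid record, consent is an explicit opt-in per purpose, accepting everything and rejecting everything are symmetrical single actions, withdrawal is one call, and every record carries the policy version and a timestamp so that consent can be proven. The category names, the policy version number, the six-month expiry and the sample tag inventory are assumptions chosen for illustration.

```javascript
// Added example, not CookieYes code: gate non-essential cookies on a stored consent record.
// Category names, POLICY_VERSION and CONSENT_MAX_AGE_MS are assumptions for illustration.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const POLICY_VERSION = 3;                              // bump whenever the cookie policy text changes
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // re-ask after six months

// Build a provable record of what the user chose: policy version, timestamp,
// the action taken and an explicit true/false per non-essential category.
// "acceptAll" and "rejectAll" are symmetrical single actions; neither is a default.
function recordChoice(action, choices = {}, now = Date.now()) {
  const record = { policyVersion: POLICY_VERSION, timestamp: now, action, choices: {} };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;                // strictly necessary cookies need no consent
    if (action === "acceptAll") record.choices[cat] = true;
    else if (action === "rejectAll") record.choices[cat] = false;
    else if (action === "custom") record.choices[cat] = choices[cat] === true; // unticked stays false
    else throw new Error(`unknown consent action: ${action}`);
  }
  return record;
}

// Withdrawal is one call and keeps the original record for the audit trail.
function withdrawConsent(record, now = Date.now()) {
  return { ...record, withdrawn: true, withdrawnAt: now };
}

// Decide what may be set right now. Anything that is not a valid, current,
// explicit opt-in collapses to "necessary only" (privacy by default).
function evaluateConsent(record, now = Date.now()) {
  const allowed = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  const deny = (reason) => ({ allowed, reason });
  if (!record || typeof record !== "object") return deny("no consent recorded");
  if (record.withdrawn) return deny("consent withdrawn");
  if (record.policyVersion !== POLICY_VERSION) return deny("consent given for a different policy version");
  if (typeof record.timestamp !== "number" || now - record.timestamp > CONSENT_MAX_AGE_MS) {
    return deny("consent expired");
  }
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") allowed[cat] = record.choices?.[cat] === true; // only an explicit true counts
  }
  return { allowed, reason: "valid consent" };
}

// Reduce a tag inventory to the scripts that may run under the current decision.
function scriptsToLoad(inventory, allowed) {
  return inventory.filter((s) => allowed[s.category] === true).map((s) => s.src);
}

// Constructed sample inventory, not taken from any real site.
const SAMPLE_INVENTORY = [
  { src: "/static/session.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

if (typeof require !== "undefined" && require.main === module) {
  const firstVisit = evaluateConsent(null);
  console.log(firstVisit.reason, scriptsToLoad(SAMPLE_INVENTORY, firstVisit.allowed));
  const record = recordChoice("custom", { analytics: true });
  const decision = evaluateConsent(record);
  console.log(decision.reason, scriptsToLoad(SAMPLE_INVENTORY, decision.allowed));
  console.log(evaluateConsent(withdrawConsent(record)).reason);
}
```

On a real site, scriptsToLoad would feed the tag loader (for instance, scripts shipped with type="text/plain" and a data-category attribute that are only activated once allowed[category] is true). The decision logic is what a regulator will examine, so it should behave the same on a first visit, after the policy text changes, after the consent ages out and after a withdrawal: in all four cases the site falls back to necessary cookies only.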
GDPR fines and penalties can be severe. The best way to avoid them is to understand the Regulation thoroughly and then implement it.
What happens when GDPR is breached?
When an organization is suspected of violating the GDPR, the data protection authority (DPA) of the Member State concerned opens an investigation. Investigations are triggered by user complaints, self-referrals by the organization, allegations made in the press, or reports from other EU DPAs. The DPA sets the priority of the case and investigates online, on site, or both; hearings follow and the required documents are collected.
The DPA assesses the matter against the criteria discussed earlier to decide whether the infringement falls in the lower or the upper tier. Some infringements do not result in monetary sanctions; in such cases the DPA issues a warning or reprimand with a deadline for the organization to fix the problem. Graver cases result in monetary penalties. The DPA (or its sanctions committee, where national law provides for one, such as the CNIL's restricted committee) decides the fine and whether to make the decision public, based on the severity of the infringement.
CNIL, France's data protection authority, publishes a flowchart of how it processes an infringement and decides on sanctions (the figure is not reproduced here).
Biggest GDPR Fines to date (2018 – 2024)
A company’s GDPR violation can be brought to light by inspections conducted by the DPAs, complaints by an employee, a whistleblower, or affected customers, through the company’s self-denunciation, or by the press.
The Enforcement Tracker documents all the reported fines and penalties imposed on violating organizations or companies so far.
Here are the biggest GDPR fines (2018-2024) imposed on companies by EU DPAs, in descending order of amount.
#1 Meta (Facebook) — €1.2 billion ($1.3 billion)
On May 22, 2023, the Irish Data Protection Commission (DPC) fined Meta a record €1.2 billion for transferring Facebook user data from the EU to the US without adequate safeguards. The investigation followed a legal challenge by privacy advocate Max Schrems, raising concerns about US surveillance access to EU data.
The DPC ruled that Meta’s use of standard contractual clauses (SCCs) did not meet the GDPR’s data protection requirements. Meta was ordered to suspend data transfers within five months and delete previously transferred data from US servers within six months.
The ruling applies only to Facebook and does not apply to Meta’s other services, such as Instagram or WhatsApp. Meta plans to appeal the decision.
#2 Amazon — €746 million ($781 million)
On July 16, 2021, the Luxembourg data protection authority, CNPD, hit Amazon with a €746 million GDPR fine, the largest at the time. The CNPD investigated following complaints about Amazon's targeted advertising: Amazon had not obtained "freely given" consent from its users before storing advertising cookies. In 2020, France's data protection authority, CNIL, had fined Amazon €35 million for the same practice under the French transposition of the ePrivacy Directive.
Amazon responded that it would appeal, arguing that it had not breached the GDPR and that no user data had been shared with third parties.
#3 Meta (Instagram) — €405 million ($427 million)
In September 2022, the Irish Data Protection Commission (DPC) fined Instagram €405 million for breaching the GDPR in its handling of children's data. The investigation focused on two issues: the use of "business accounts" by teenage users, which resulted in the publication of their email addresses and phone numbers, and the default setting of all accounts, including those of teenage users, to "public". The GDPR requires data protection by design and by default, and the DPC's guidance stresses applying strict privacy settings by default to protect children. At the time, it was the largest fine the DPC had ever imposed.
#4 Meta (Facebook & Instagram) — €390 million ($413 million)
On December 31, 2022, the Irish DPC fined Meta Ireland €210 million for Facebook and €180 million for Instagram over GDPR breaches related to how the company handled user data for personalised advertising.
The investigation revealed that Meta changed its legal basis from “consent” to “contract” for processing user data just before GDPR took effect. Users had to accept the updated Terms of Service to continue using the platforms, effectively making access conditional on data processing.
The DPC ruled that Meta failed to clearly inform users about how their data would be used and could not rely on the “contract” legal basis for behavioural advertising. Meta was also found in breach of GDPR’s transparency and fairness principles. The company has been ordered to bring its processing practices into compliance within three months.
#5 TikTok — €345 million ($374 million)
On September 1, 2023, the Irish DPC fined TikTok €345 million for GDPR violations concerning the processing of children’s personal data.
The investigation looked into default settings that made child accounts public, issues with the “Family Pairing” feature, and inadequate age verification during registration. The DPC also found TikTok failed to clearly inform children about how their data was used.
The final decision cited violations of multiple GDPR articles, including fairness, data minimisation, and data protection by design and by default. TikTok received a reprimand and was ordered to bring its processing into compliance within three months, in addition to the fine.
#6 LinkedIn — €310 million ($336 million)
On October 22, 2024, the Irish DPC fined LinkedIn €310 million for unlawful processing of user data for behavioural analysis and targeted advertising.
The investigation found LinkedIn did not have a valid legal basis—such as consent, legitimate interest, or contractual necessity—for processing both first-party and third-party data. It also failed to provide users with clear and sufficient information about how their data was being used.
The DPC ruled that LinkedIn’s practices breached the GDPR’s principles of lawfulness, fairness, and transparency. Along with the fine, LinkedIn received a reprimand and was ordered to bring its data processing into compliance.
#7 Uber — €290 million ($316 million)
In 2024, the Dutch DPA fined Uber €290 million for transferring sensitive driver data from the EU to the US without adequate safeguards.
The investigation, launched after complaints from over 170 French drivers, revealed that Uber retained data such as license details, payment info, location data, and even medical and criminal records on US servers without using valid transfer tools. The company stopped using Standard Contractual Clauses in 2021, leaving EU drivers’ data exposed.
The DPA ruled that Uber violated cross-border data transfer rules and failed to ensure sufficient protection, resulting in one of the largest GDPR fines to date.
#8 Facebook — €265 million ($275 million)
In November 2022, the Irish DPC fined Facebook's parent company, Meta, €265 million for breaching Art. 25 of the GDPR, which requires organizations to build technical and organizational measures that protect user data into their systems by design and by default. The investigation was opened after a data set covering more than 533 million users from over 100 countries, including names, Facebook IDs, phone numbers, locations, birthdates, and email addresses, was found on a hacking website.
Meta claimed that the data was scraped from Facebook using tools designed to help users find their friends via phone numbers. The investigation looked into scraping conducted between May 2018 and September 2019. Meta has said it cooperated fully with the Irish watchdog.
#9 Meta — €251 million ($267 million)
In 2024, Meta was fined €251 million by the Irish DPC over a 2018 data breach that affected 29 million Facebook users globally, including 3 million in the EU/EEA.
The breach exposed sensitive data such as email addresses, phone numbers, dates of birth, religious views, and group memberships due to exploited user tokens. The DPC found Meta failed to implement privacy by design and default, did not fully document the breach, and submitted incomplete notifications.
The DPC issued multiple reprimands and imposed fines for violations of GDPR Articles 25 and 33.
#10 WhatsApp — €225 million ($247 million)
Meta's WhatsApp has been in the spotlight for some time now, and not for the right reasons. Its privacy policy update attracted criticism in many countries for being vague about how user data is shared with third parties.
On September 2, 2021, the Irish DPC announced a €225 million fine against the messaging service, then the second-largest GDPR fine, for not meeting the GDPR's transparency requirements in its privacy notices. The investigation found that WhatsApp had failed to explain its data processing activities properly and to give specific information about its legal basis and purposes for processing personal data in a concise and transparent form.
#11 Google — €150 million ($165 million)
On December 31, 2021, the French Data Protection Authority, CNIL, fined Google a total of €150 million for making it harder for users of google.fr and youtube.com to refuse cookies than to accept them. In June 2021, the CNIL inspected the sites and found that accepting all cookies took a single click, whereas refusing them took several. Its restricted committee judged that this discouraged users from refusing cookies and infringed Article 82 of the French Data Protection Act (which transposes the ePrivacy Directive). Google LLC and Google Ireland Limited were fined €90 million and €60 million, respectively.
The CNIL also issued an injunction requiring that the companies provide a means of refusing cookies as simple as accepting them within three months to guarantee freedom of consent. The use of cookies was carried out within the establishment of Google LLC and Google Ireland Limited on French territory, making the CNIL territorially competent.
Google complied by adding a “Only allow essential cookies” button next to the accept button within the deadline. Consequently, the CNIL closed this particular case on July 13, 2023.
#12 Meta — €91 million ($100 million)
In September 2024, the Irish DPC fined Meta €91 million after it was found to have stored user passwords in plaintext, i.e. neither hashed nor encrypted, on internal systems.
The inquiry found that Meta had failed to notify the DPC of the breach, had not documented it properly, and lacked adequate security measures to protect user passwords. These failures violated the GDPR's principles of integrity and confidentiality and its security requirements.
The DPC issued a reprimand and fined Meta for breaches of Articles 5(1)(f), 32(1), 33(1) and 33(5) of the GDPR.
#13 Enel Energia — €79 million ($86 million)
Enel Energia was fined over €79 million by the Italian data protection authority, the Garante, for unlawfully processing customers' personal data for telemarketing without their consent. Besides paying the fine, the company must bring its processing into line with national and European data protection rules. The investigation followed hundreds of complaints from customers who received unwanted promotional calls made on behalf of Enel Energia. The company was found to have carried out intense and increasingly invasive telemarketing, and to have failed to respond in time to requests for access to personal data and to objections to processing for marketing purposes.
The Garante ordered Enel Energia to bring all processing carried out by its sales network into line with appropriate methods and measures, and to answer data subjects who exercise their rights, in particular the right to object to promotional activities, within 30 days of the request.
#14 Facebook — €60 million ($66 million)
On December 31, 2021, CNIL fined Facebook Ireland Limited €60 million for violating the French Data Protection Act. The committee found that Facebook’s website does not offer an equivalent solution for users to refuse cookies as easily as they can accept them. The committee noted that the process of refusing cookies is more complex, which discourages users from doing so and affects their freedom of consent. Additionally, the information given to users was not clear, which generates confusion and gives the impression that it is not possible to refuse cookies.
The CNIL judged that the methods of collecting consent and the lack of clarity of information provided to users constitute violations of Article 82 of the French Data Protection Act. The sanctions also included a periodic penalty payment, requiring Facebook to provide users with a means of refusing cookies that is as simple as the existing means of accepting them.
#15 Google — €50 million ($55 million)
On January 21, 2019, France's CNIL fined the search giant €50 million, the highest GDPR fine at that time, for serving targeted advertisements without valid consent. The regulator also faulted Google's lack of transparency in informing users about its data processing and found that the company had not properly specified the lawful basis for it.
Google has continued to run into trouble with the French DPA. The CNIL's decision dated December 31, 2021 and announced on January 6, 2022 (#11 and #14 above) fined Google €150 million and Facebook €60 million under the French transposition of the ePrivacy Directive, after finding that their websites (facebook.com, google.fr and youtube.com) used cookie consent dark patterns that made rejecting non-essential cookies harder than accepting them.
The CNIL closed that cookie case on July 13, 2023, following Google's compliance.
#16 CRITEO — €40 million ($44 million)
On June 15, 2023, France’s CNIL fined advertising tech company CRITEO €40 million for processing user data without valid consent and breaching multiple GDPR requirements.
CRITEO’s tracker cookie collected browsing data across partner websites to deliver personalised ads. However, the company failed to verify if users had given consent and lacked clear privacy notices. The investigation also found issues with access rights, data deletion, and insufficient transparency in joint controller agreements.
The fine reflects the large scale of data processed—linked to around 370 million identifiers—and CRITEO’s business model heavily reliant on behavioural targeting.
#17 H&M — €35 million ($41 million)
On October 1, 2020, the DPA of Hamburg, Germany sanctioned H&M €35 million for violating the data privacy rights of its employees.
The Swedish clothing company recorded and stored details about their private lives through one-on-one conversations with employees. The details were accessible to multiple managers and were used for profiling for employment-related decision-making.
#18 Amazon France Logistique — €32 million ($35 million)
On December 27, 2023, France’s CNIL fined Amazon France Logistique €32 million for excessively intrusive employee monitoring and insufficient data security measures.
Warehouse employees were closely tracked using scanners, which recorded productivity, idle time, and task speed down to the second. The CNIL found this level of surveillance disproportionate and said it created undue pressure on workers. Additionally, data was retained longer than necessary and used for employee evaluations, scheduling, and training.
The company also failed to properly inform workers and visitors about video surveillance, and lacked strong access controls for surveillance software. These practices violated multiple GDPR provisions, including data minimisation, lawful processing, transparency, and security.
#19 Clearview AI — €30.5 million ($33 million)
On September 3, 2024, the Dutch DPA fined Clearview AI €30.5 million for building an illegal facial recognition database using billions of images scraped from the internet without users’ consent.
The regulator found that Clearview failed to inform individuals about the use of their data, didn’t offer access or deletion rights, and continued processing data despite ongoing investigations. Dutch companies are now banned from using Clearview’s services.
Clearview faces an additional €5.1 million fine if it doesn’t stop the violations. Authorities are also considering personal liability for the company’s management.
#20 TIM — €27.8 million ($30 million)
On February 1, 2020, the Italian telecom company TIM was hit with a €27.8 million fine by the Italian DPA for violating GDPR requirements in its marketing activities.
The Garante started investigating after complaints from users who received unwanted marketing calls without ever having consented, or after opting out. It found that TIM had violated several GDPR provisions by failing to supervise the call centres it had hired to make marketing calls, failing to keep its do-not-call list of users who had opted out of marketing up to date, and making discounts and participation in sweepstakes conditional on consent to marketing communications.
In addition to the fine, the Garante imposed several corrective measures on TIM, including a prohibition on using data collected through its apps for marketing.
Frequently asked questions
The maximum fine for violating the GDPR is €20 million or 4% of the organization's total worldwide annual turnover, whichever is higher. This level applies to the upper-tier infringements listed above, such as breaching the basic principles for processing, data subjects' rights or the rules on international transfers.
Under the GDPR, there are two levels of fines depending on the nature and severity of the infringements:
- Up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
- Up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
An individual processing personal data purely for personal or household purposes falls outside the GDPR [Art. 2(2)(c)] and will not be fined. An individual acting as a business (for example a sole trader) is a controller like any other and can be fined.
The GDPR applies directly in every Member State, and each Member State supplements it with national data protection law and decides what happens to the fines its DPA collects. In general the fines go to the national treasury and are used for public funding, not to the DPA itself.
Under the UK GDPR, the UK's data protection watchdog, the ICO, likewise does not keep the fines it imposes; they go to the central government.
If you think an organization has violated your data protection rights under the GDPR, you can lodge a complaint and claim compensation. There are two routes, and you can use both:
- Lodge a complaint against the organization with your national DPA, or with the DPA of the Member State where you live, work, or where the infringement took place [Art. 77].
- File a legal case against the organization in court, which you can do in addition to complaining to the DPA [Art. 79].
If the DPA does not handle your complaint, does not inform you of its progress or outcome within three months, or you are unsatisfied with its decision, you can also take legal action against the DPA itself in court [Art. 78].
A GDPR violation can also be a criminal offense where Member State law provides for it [Art. 84]. Which violations are criminal varies by country; in the UK, for example, failing to pay the data protection fee (the successor to registering as a data controller) is an offense under national law.
E.g., in France the Penal Code makes "collecting personal data by fraudulent, unfair or unlawful means" a criminal offense, and the German Federal Data Protection Act (BDSG) makes it a criminal offense to "unlawfully transfer or make accessible non-publicly accessible personal data of a large number of individuals for commercial purposes".