ConsentLens

GDPR Fines: How They Are Calculated and What to Expect

Compliance & Enforcement | Updated April 2026

GDPR fines are among the largest administrative penalties available to any regulator. Article 83 of the GDPR establishes a two-tier fine structure with ceilings of €10 million or 2% of total worldwide annual turnover for the preceding financial year (whichever is higher) for Tier 1 violations, and €20 million or 4% for the most serious Tier 2 violations. These are ceilings, not automatic outcomes: the actual fine is set by an assessment of the aggravating and mitigating factors listed in Article 83(2). This document explains how that assessment works, what determines whether your organisation is at risk, and what enforcement actions have looked like in practice.

Article 83: The Two-Tier Fine Structure

Article 83 divides GDPR violations into two categories with different maximum penalties. Tier 1 violations, defined in Article 83(4) and attracting fines up to €10 million or 2% of total worldwide annual turnover, cover the controller's and processor's procedural and organisational obligations: failure to implement data protection by design and by default (Article 25), failure to appoint a DPO where required (Article 37), inadequate records of processing (Article 30), inadequate security measures (Article 32), and failure to notify breaches within the 72-hour window (Article 33). These are accountability and process failures rather than direct violations of data subjects' rights.

Tier 2 violations, defined in Article 83(5) with a maximum of €20 million or 4% of global turnover, cover breaches of the regulation's core principles: the basic principles for processing including the conditions for consent (Articles 5, 6, 7 and 9), data subject rights (Articles 12 to 22), and the international transfer rules (Articles 44 to 49), as well as non-compliance with an order issued by a supervisory authority. Tracking users without valid consent, operating without a lawful basis for processing, sharing data with third parties without authorisation, and unlawfully transferring data to countries without an adequacy decision all fall under Tier 2.

The percentages are calculated on the total worldwide annual turnover of the undertaking for the preceding financial year, not the turnover of a single subsidiary or national entity. For groups of companies, the entire group's revenue is used. This is why Meta's €1.2 billion fine, the largest GDPR penalty issued as of 2026, was possible: the 4% ceiling was assessed against Meta Platforms, Inc.'s global revenue rather than the revenue of Meta Platforms Ireland, so even a fine well below the ceiling ran to ten figures.

The Article 83(2) Factors That Determine Fine Size

Article 83(2) sets out the factors that supervisory authorities must consider when deciding whether to impose a fine and how large it should be: ten specific factors in points (a) to (j), plus a catch-all in point (k) for any other aggravating or mitigating circumstance, such as financial benefits gained or losses avoided through the infringement. These factors can increase or decrease the penalty within the applicable tier ceiling, and DPAs set out their assessment of them in the published decision. Understanding these factors is essential for any compliance programme, because they define which behaviours dramatically increase enforcement risk.

The nature, gravity, and duration of the violation is the first factor listed and the one that most shapes the seriousness assessment from which regulators start. A violation that has been ongoing for several years, affects a large number of data subjects, and involves special categories of data will attract the highest penalties. A brief technical error that was promptly corrected and affected a small number of users will attract a significantly lower fine, or a corrective measure other than a fine.

Intent and negligence are assessed separately. Deliberate violations — where the controller was aware that their processing violated GDPR and continued anyway — are treated far more seriously than negligent failures where the controller had inadequate processes but no malicious intent. However, regulators have found that large organisations with dedicated legal and compliance teams cannot plausibly claim ignorance of fundamental consent requirements that have been publicly debated for years.

  • (a) Nature, gravity, and duration of the violation, taking into account the scope and purpose of the processing, the number of data subjects affected and the damage they suffered
  • (b) Intentional or negligent character of the infringement
  • (c) Actions taken to mitigate the damage suffered by data subjects
  • (d) Degree of responsibility, taking into account the technical and organisational measures in place
  • (e) Relevant previous infringements by the controller or processor
  • (f) Degree of cooperation with the supervisory authority
  • (g) Categories of personal data affected
  • (h) How the infringement became known to the supervisory authority (self-notified vs. complaint or investigation)
  • (i) Compliance with corrective measures previously ordered against the same controller or processor
  • (j) Adherence to approved codes of conduct or certification mechanisms
  • (k) Any other aggravating or mitigating factor, such as financial benefits gained or losses avoided through the infringement

Tier 1 Fines: Process and Procedural Violations

Tier 1 violations most commonly arise from failures in the accountability framework: missing DPOs, incomplete records of processing, failure to complete DPIAs where required, inadequate security measures, and breach notification failures. These violations are often discovered during regulatory audits or investigations triggered by a related Tier 2 complaint. A DPA investigating a consent violation may simultaneously identify record-keeping failures and issue separate Tier 1 penalties.

Breach notification failures are a distinct enforcement area. Regulators take the 72-hour notification window seriously, and late or incomplete notifications have been fined even where the underlying breach was not severe. The British Airways case is often cited here, but it illustrates a related point rather than a notification delay: the ICO's 2019 notice of intent proposed a £183 million fine (about 1.5% of BA's worldwide turnover) for inadequate security measures, and the final penalty issued under the GDPR in October 2020 was £20 million, after representations from BA and consideration of the impact of Covid-19. The ICO's criticism was that the intrusion went undetected for more than two months, a failure of monitoring rather than of notification; BA reported the breach promptly once it was discovered.

Many organisations underestimate Tier 1 risk because process failures feel less serious than privacy violations. But regulators have consistently issued substantial Tier 1 fines alongside or independently of Tier 2 investigations, because adequate processes are a prerequisite for the accountability principle in Article 5(2). A fine for inadequate records of processing is typically far smaller than a consent fine, but it is still real, publicly disclosed, and on the record as a previous infringement under Article 83(2)(e) if anything else goes wrong later.

Tier 2 Fines: Rights and Principles Violations

Tier 2 violations cover the most fundamental breaches of GDPR: processing without a valid lawful basis, invalid consent, violations of data subject rights, unlawful international transfers, and processing that violates special category data protections. These are the violations that attract the largest fines because they directly impact the rights of data subjects at scale.

Consent violations are the most common Tier 2 enforcement category for website operators. The French CNIL fined Google €150 million and Facebook €60 million in January 2022 for making it harder to refuse cookies than to accept them. Both companies offered a single-click accept mechanism but required users to navigate through multiple screens to refuse all cookies. The CNIL acted under the French transposition of the ePrivacy Directive, which takes its definition of consent from the GDPR, and found that this asymmetry meant consent was not freely given.

International transfer violations have produced the largest individual fines. Meta's €1.2 billion fine from the Irish DPC in May 2023 related to the transfer of EU users' personal data to the United States on the basis of standard contractual clauses after the CJEU's Schrems II judgment (C-311/18) had invalidated the Privacy Shield. The transfers were found to expose EU users to access by US intelligence agencies under FISA Section 702 without supplementary measures adequate to compensate for the absence of an adequacy decision, in breach of Chapter V of the GDPR.

Notable Enforcement Cases and What They Reveal

Amazon received a €746 million fine from Luxembourg's CNPD in July 2021, the second largest GDPR fine on record, for advertising targeting practices that the regulator found lacked a valid legal basis. The decision itself was not published in full; according to Amazon's own disclosures it relied on legitimate interests and contractual necessity, and the CNPD rejected those bases for behavioural advertising carried out for the benefit of third-party advertisers. Amazon contested the fine, and as of 2026 the case remains subject to appeal.

Google has received multiple GDPR and ePrivacy fines across EU member states, with the CNIL alone imposing €300 million in three decisions (€50 million in January 2019, €100 million in December 2020 and €150 million in January 2022) and Spain's AEPD adding further penalties. The consistent finding across these cases is that advertising and personalisation cookies were placed without valid consent, and that the accept and reject options were not presented with equal ease. The structural finding, that asymmetric consent UI design is a violation regardless of whether a banner is present, has become a standard position among DPAs.

Smaller organisations are not exempt. The Dutch DPA fined a Dutch football club €525,000 for selling ticketing data to commercial partners without valid consent. The Norwegian DPA fined Grindr approximately €6.5 million (NOK 65 million) in December 2021 for sharing location data and information revealing sexual orientation with advertising partners. At the other end of the scale, the Irish DPC fined WhatsApp €225 million in September 2021 for failing to transparently disclose data sharing between WhatsApp and other Facebook companies. The pattern across organisations of every size is that special category data and covert sharing consistently attract large fines.

How Regulators Calculate Fines in Practice

In May 2023, the EDPB adopted the final version of Guidelines 04/2022 on the calculation of administrative fines, the first comprehensive framework describing how DPAs should set penalty amounts. The methodology first identifies the infringements and the applicable tier, then assesses the seriousness of the conduct as low, medium or high (drawing on the nature, gravity and duration of the infringement, its intentional or negligent character, and the categories of data affected) to fix a starting amount expressed as a share of the applicable legal maximum, with that starting amount scaled down for undertakings with lower turnover. The starting amount is then adjusted for the remaining Article 83(2) factors, checked against the statutory ceiling, and finally reviewed for effectiveness, proportionality and dissuasiveness.

For turnover-based calculations, the EDPB confirmed that the relevant 'undertaking' means the entire economic entity in the competition-law sense, including parent companies and subsidiaries. This prevents the common structuring strategy of isolating EU processing in a small subsidiary to limit fine exposure. DPAs will ask controllers for worldwide group turnover figures during an investigation, and a refusal to provide them can itself be treated as a lack of cooperation under Article 83(2)(f).

The guidelines also address proportionality for micro and small enterprises, for which even a fine set as a small share of the legal maximum can be disproportionate to the actual harm caused. The turnover-based scaling of the starting amount is the main tool here, and DPAs retain discretion to set a fine below the calculated amount where it would threaten the financial viability of a small organisation that acted in good faith. This discretion is not extended to deliberate or repeat violations.

Estimating Your Organisation's GDPR Fine Exposure

ConsentLens includes a fine risk estimator that uses your compliance score, the severity of detected violations, and your organisation type to produce an indicative fine range. This is not a legal assessment — it is an educational tool based on patterns observed in published enforcement decisions. The estimate uses Tier 2 ceiling percentages where consent violations are present, and Tier 1 percentages where only procedural violations are detected.

The most important factor for estimating your real exposure is the duration and scale of the violation. A website that has been running advertising pixels without consent for three years, across millions of users, faces a materially different risk profile from one that deployed a faulty CMP configuration last month and is taking corrective action. Voluntary self-reporting and proactive cooperation with the DPA are treated as mitigating factors in published decisions, and the difference between the proposed and final amounts in contested cases shows that they can reduce the fine substantially.

The best form of fine mitigation is remediation. DPAs are required to consider the actions taken to mitigate the damage and the degree of cooperation as separate factors under Article 83(2)(c) and (f). A controller that identifies a compliance failure, notifies the DPA, implements a technical fix, and provides detailed evidence of the remediation can expect a lower fine than one that resists an investigation, and in less serious cases may receive a reprimand or compliance order instead of a fine.

Frequently Asked Questions

Can a small business receive a GDPR fine?
Yes. GDPR applies to all organisations regardless of size, and small businesses are subject to the same substantive obligations. Note that the statutory ceiling does not shrink with turnover: because Article 83 applies the fixed amount or the percentage, whichever is higher, the legal maximum for a business with €500,000 annual revenue is still €20 million for a Tier 2 violation, not €20,000. What keeps small-business fines small in practice is the EDPB's turnover-based scaling of the starting amount and the requirement that fines be proportionate. Many small business fines in the €1,000 to €20,000 range have been issued across European DPAs since 2018.
Does a first-time violation result in a fine or just a warning?
DPAs have a range of corrective powers under Article 58(2) beyond fines: warnings, reprimands, orders to bring processing into compliance, and temporary or definitive bans on processing. For a first-time violation discovered during an investigation triggered by a complaint, a reprimand combined with a compliance order is a common outcome. A fine at first violation is most likely when the violation is intentional, has been ongoing for a significant period, affects a large number of people, or involves special categories of data.
Are GDPR fines public?
Mostly yes. The GDPR does not itself require publication, but most DPAs publish their final decisions, with varying levels of detail: some (such as Germany's state DPAs and the UK ICO) publish full decision texts, while others publish summaries or anonymised versions. The GDPR Enforcement Tracker maintained by CMS Law keeps a comprehensive database of published enforcement actions. Investigations are not public while they are ongoing, but final decisions almost always are.
