Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR Fines: The 2026 List of Biggest Penalties and What They Mean for Small Businesses

GDPR fines have passed €4.5 billion since enforcement began. The largest ones share a pattern that smaller businesses can learn from and avoid.


How GDPR Fines Are Calculated

GDPR enforcement operates on two tiers, and the difference matters.

Tier 1 — less serious violations: Up to €10 million or 2% of global annual turnover, whichever is higher. This tier covers things like failing to maintain proper records of processing activities, not reporting data breaches to authorities within 72 hours, or inadequate data protection by design.

Tier 2 — most serious violations: Up to €20 million or 4% of global annual turnover, whichever is higher. This tier covers core GDPR principles: processing data without a lawful basis, violating consent rules, ignoring data subject rights, and transferring data internationally without proper safeguards.

When supervisory authorities calculate a specific fine, they weigh several factors:

  • Nature and gravity of the violation — was it a technical mistake or a deliberate disregard for the rules?
  • Number of people affected — a violation affecting 500 people is treated differently from one affecting 50 million
  • Intent — negligence and deliberate non-compliance are treated very differently
  • Mitigation steps taken — did you act quickly to fix the problem once it was discovered?
  • Prior violations — repeat offenders face significantly higher fines

For most small businesses, the realistic ceiling isn't €20 million — it's a percentage of actual revenue. But that percentage can still be devastating for a small operation.


The Biggest GDPR Fines to Date

These are the headline cases — the ones that demonstrate what happens when large-scale violations meet determined regulators.

| Company | Amount | Year | Authority | Violation |
|---|---|---|---|---|
| Meta | €1.2 billion | 2023 | Irish DPC | US data transfers |
| Amazon | €746 million | 2021 | Luxembourg CNPD | Advertising targeting |
| Meta | €390 million | 2023 | Irish DPC | Behavioral advertising |
| WhatsApp | €225 million | 2021 | Irish DPC | Transparency failures |
| Google | €150 million | 2022 | French CNIL | Cookie rejection friction |
| H&M | €35 million | 2020 | German DPA | Employee monitoring |
| British Airways | €22 million | 2020 | UK ICO | Security breach |
| Marriott | €18.4 million | 2020 | UK ICO | Acquisition due diligence |

Meta — €1.2 billion (2023, Irish DPC)
The largest GDPR fine ever issued — for transferring EU user data to US servers without adequate legal safeguards after the invalidation of Privacy Shield. The lesson: data transfers to non-EU countries require a valid legal mechanism. Standard contractual clauses aren't enough if the destination country's surveillance laws undermine the protections.

Amazon — €746 million (2021, Luxembourg CNPD)
Amazon's advertising targeting system was found to process personal data without valid consent. The lesson: behavioral advertising that relies on profiling needs explicit, informed consent — not just an opt-out that most users never find.

Meta — €390 million (2023, Irish DPC)
Facebook and Instagram tried to use "contract performance" as the legal basis for behavioral advertising, arguing that personalized ads were part of the service users signed up for. Regulators rejected this. The lesson: you can't relabel behavioral advertising as a contractual necessity to avoid getting consent.

WhatsApp — €225 million (2021, Irish DPC)
WhatsApp's privacy notices didn't adequately explain what data was being processed, why, and who received it. The lesson: transparency isn't a checkbox — users must genuinely understand what happens to their data.

Google — €150 million (2022, French CNIL)
Google's cookie consent interface made rejecting cookies significantly harder than accepting them — more clicks, buried options, confusing language. The lesson: consent mechanisms must be as easy to decline as to accept. Dark patterns are explicitly prohibited.

H&M — €35 million (2020, German DPA)
H&M's service centre collected detailed personal information about employees — health issues, family situations, religious beliefs — and stored it for years without legitimate justification. The lesson: employee data has the same protections as customer data. Excessive collection and retention are serious violations.

British Airways — €22 million (2020, UK ICO)
A 2018 data breach exposed data of approximately 400,000 customers. The ICO found that BA had inadequate security measures. The lesson: security failures that expose customer data trigger enforcement even if you didn't intentionally violate anything.

Marriott — €18.4 million (2020, UK ICO)
Marriott's 2014 acquisition of Starwood inherited a compromised database that went undetected for four years. The lesson: when you acquire a company, you inherit its data protection obligations — and its vulnerabilities.


What Small Businesses Actually Get Fined For

The big fines above involve platform-scale violations. But the enforcement actions that hit smaller businesses follow a different, more predictable pattern.

Regulators across the EU publish summaries of smaller enforcement actions. The recurring violations are:

No cookie consent or invalid consent mechanisms
Cookies and tracking pixels firing before any user interaction, or consent banners that make rejection difficult or unclear. This is the single most common violation in small business enforcement actions.

Privacy policies that don't reflect actual data practices
A generic template that doesn't mention Google Analytics, HubSpot, or Stripe when those services are actively receiving user data. If your privacy policy says you don't share data with third parties but you're running Facebook Pixel, that's a compliance failure.
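One way to catch the mismatch described above is to compare the third-party hosts a page actually loads against the processors the privacy policy names. This is an added example, not Custodia's scanner or code from the post; the sample HTML, the site host and the disclosed-processor list are constructed.

```javascript
// Diff "what the page really loads" against "what the privacy policy admits".
// Added example (not Custodia's code). SAMPLE_HTML, the own host and the
// DISCLOSED_PROCESSORS table are constructed; the IDs are placeholders.

const SAMPLE_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/assets/app.js"></script>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" />
</head><body></body></html>`;

// Third parties the privacy policy says receive data, keyed by the hosts
// they serve from (constructed; Facebook Pixel is deliberately missing).
const DISCLOSED_PROCESSORS = {
  "Google Analytics": ["www.googletagmanager.com", "www.google-analytics.com"],
  "Stripe": ["js.stripe.com"],
};

// Collect every external host referenced by a script, img or iframe src.
// Relative URLs resolve against the site's own host and are skipped.
function externalHosts(html, ownHost) {
  const re = /<(?:script|img|iframe)\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[1], `https://${ownHost}/`); } catch (_) { continue; }
    if (url.host !== ownHost) hosts.add(url.host);
  }
  return [...hosts].sort();
}

// Hosts that receive visitor data but appear nowhere in the policy.
function undisclosedHosts(html, ownHost, disclosed = DISCLOSED_PROCESSORS) {
  const known = new Set(Object.values(disclosed).flat());
  return externalHosts(html, ownHost).filter((h) => !known.has(h));
}
```

Run it against your own rendered HTML (after consent has been given, so every tag is present) and treat each undisclosed host as a line the privacy policy needs.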

No legal basis for marketing emails
Adding people to marketing lists without clear opt-in consent, or using pre-checked boxes, or conflating newsletter consent with account creation. Under GDPR, marketing emails require explicit, specific consent.

Not responding to DSARs within 30 days
Any EU resident can request all the data you hold about them. You have 30 days to respond. Ignoring or missing this deadline is a direct GDPR violation that regulators take seriously.

Inadequate data security
Storing customer data in unencrypted files, using weak passwords on systems containing personal data, failing to patch known vulnerabilities. Security requirements are proportionate to risk, but ignoring basic hygiene isn't defensible.

International data transfers without safeguards
Using US-based SaaS tools (email platforms, CRMs, analytics) without checking whether the vendor has appropriate data transfer mechanisms in place. Most major vendors do — but you're responsible for verifying it.


How Small Business Fines Actually Work

Regulators don't wake up looking for small businesses to target. But the enforcement mechanism creates real exposure regardless.

Complaints from individuals are the main trigger. The vast majority of enforcement actions start with a complaint from a data subject — someone who felt their data was mishandled, who received unsolicited marketing, or who submitted a DSAR and got ignored. Any disgruntled customer, competitor, or privacy activist can file a complaint with their national supervisory authority. The cost to them: zero. The cost to you: an investigation.

Fines are proportional — but not trivial. A €50,000 fine for a small business is very different from a €50,000 fine for a multinational. For a company doing €500,000 in annual revenue, that's 10% of turnover. It can close a business. And fines in that range are issued regularly in Germany, France, and Spain for smaller operators.

Enforcement is increasing, not decreasing. Supervisory authorities have hired more investigators, streamlined complaint handling, and coordinated more cross-border enforcement since 2022. The likelihood of a complaint leading to an investigation is higher now than it was in 2018 when GDPR took effect.


The 5 Violations Most Likely to Get You Fined

Based on actual enforcement patterns across EU supervisory authorities, these are the violations that generate the most complaints and result in fines for non-enterprise businesses.

1. Cookie Consent Without Script Blocking

The most cited violation. Your banner shows up, the user hasn't clicked anything, and Google Analytics is already running. Valid consent under GDPR requires that non-essential scripts don't load until the user actively agrees. A banner that doesn't block scripts is compliance theater — it looks like consent but isn't.
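What "blocking" means in practice is that the page never injects a non-essential script tag until a stored, explicit consent record says it may. The loader below is an added example written for this post, not Custodia's code; the tag registry, the consent record format and the measurement ID are placeholders.

```javascript
// Consent-gated tag loader: no non-essential script runs until the visitor
// has actively opted in. Added example, not Custodia's code; the registry
// and the measurement ID are placeholders.

// Every third-party tag on the site, with its consent category.
const TAG_REGISTRY = [
  { id: "session", category: "essential", src: "/js/session.js" },
  { id: "ga4", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { id: "fb-pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Parse the stored consent record (e.g. from localStorage). Missing,
// malformed or non-boolean values all mean "no consent": default is block.
function parseConsent(raw) {
  const none = { analytics: false, marketing: false };
  if (typeof raw !== "string") return none;
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch (_) {
    return none;
  }
}

// Essential tags always load; others only when their category is consented.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry.filter(
    (t) => t.category === "essential" || consent[t.category] === true
  );
}

// Inject the allowed scripts and return their ids. `inject` is pluggable so
// the decision logic can be exercised without a DOM.
function loadTags(rawConsent, inject = defaultInject, registry = TAG_REGISTRY) {
  const tags = allowedTags(parseConsent(rawConsent), registry);
  tags.forEach((t) => inject(t.src));
  return tags.map((t) => t.id);
}

// Browser injector: appends a <script> tag; a no-op outside a browser.
function defaultInject(src) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}
```

Call `loadTags(localStorage.getItem("cookie_consent_v1"))` once on page load and again from the banner's accept handler after it writes the record; the banner itself never injects anything before a click, and the reject button writes a record with every category `false`.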

2. Invalid Marketing Consent

Buying email lists, adding contacts from business card exchanges to your newsletter, using pre-checked consent boxes, or bundling newsletter consent with account creation all constitute invalid consent under GDPR. Every marketing email to an EU address needs a clear, specific, documented opt-in.

3. DSARs Not Handled

If you've never received a DSAR, that doesn't mean you won't. When one arrives, you need to know where all personal data about that individual lives across your systems — email, CRM, analytics, payment records, support tickets — and deliver it within 30 days. Businesses that don't have a process for this routinely miss the deadline, which converts a manageable request into a regulatory complaint.

4. Inadequate Privacy Policy

Your privacy policy must describe your actual data practices. If it doesn't name the third parties receiving user data (analytics, payment processors, email platforms, CRM tools), list the legal basis for each type of processing, or explain what happens to data when a user deletes their account — it's incomplete. Regulators increasingly check privacy policies as part of complaint investigations.

5. No Data Processing Agreement with Processors

When you share personal data with a third-party service that processes it on your behalf — your email platform, your analytics provider, your cloud hosting — GDPR requires a written data processing agreement (DPA). Most major vendors offer these, but you need to have signed them. Regulators finding no DPA in place treat it as a significant failure.


How to Check If You're at Risk

The most reliable way to find compliance gaps is to scan your website the same way a regulator would — automatically, without relying on what you think is running versus what's actually running.

Custodia's free scanner checks for active trackers, cookie consent implementation, privacy policy coverage, and data transfer risks in about 60 seconds.

Start with app.custodia-privacy.com/scan.

The scan surfaces the violations most likely to generate complaints. If any of the five categories above show up in your results, you have a concrete priority list.


Building a Defense

If you're ever investigated, the outcome isn't just determined by whether you violated GDPR — it's shaped by what you did about it.

Supervisory authorities across the EU have published guidance making clear that demonstrating a good-faith compliance effort significantly influences fine calculations. A business that has documented consent records, a privacy policy that reflects its actual practices, and a functioning DSAR process is in a fundamentally different position than one that has done nothing.

Regulators are looking for willful disregard, not imperfection. If you can show:

  • Consent records proving users opted in to specific processing
  • A privacy policy that names your actual data processors
  • Evidence that DSARs were handled within the required timeframe
  • A documented effort to identify and address compliance gaps

...your exposure to maximum fines decreases substantially. Not because the violation didn't happen, but because the regulatory framework explicitly rewards remediation effort.

The practical upshot: compliance documentation isn't just about passing an audit. It's evidence that matters if things go wrong.

The first step is knowing what's on your site. app.custodia-privacy.com/scan gives you that in 60 seconds, for free.

Last updated: March 2026
