Estimate your potential GDPR fine based on violation type, company revenue, and aggravating/mitigating factors. Uses real enforcement data and Article 83 guidelines.

How GDPR Fines Are Calculated

GDPR Article 83 establishes two tiers of administrative fines, each capped at a fixed amount or a percentage of global annual revenue, whichever is higher. Tier 1 (up to €10M or 2% of global annual revenue) applies to violations of technical and organizational measures, record-keeping, and breach notification. Tier 2 (up to €20M or 4% of global annual revenue) covers violations of data processing principles, consent requirements, and data subject rights.

Data Protection Authorities (DPAs) consider factors such as the nature and severity of the violation, the number of affected individuals, the degree of cooperation with the regulator, whether the violation was intentional or negligent, and any previous infractions.

Largest GDPR Fines to Date

Since GDPR enforcement began in May 2018, regulators have issued billions in fines. The largest include Amazon (€746M, Luxembourg), Meta/Instagram (€405M, Ireland), and TikTok (€345M, Ireland). Cookie consent violations have also drawn significant fines: Google was fined €150M and Microsoft €60M by France’s CNIL for cookie tracking without proper consent.

Common Violations That Lead to Fines

  • Consent violations — processing data without valid consent, especially for cookies and ad tracking
  • Transparency failures — incomplete or unclear privacy notices
  • Data breaches — inadequate security measures leading to unauthorized access
  • Data subject rights — failing to respond to access, deletion, or portability requests
  • Excessive data collection — collecting more data than necessary (violating minimization principle)
  • Children’s data — insufficient protections for minors’ personal data