GDPR Fines and Enforcement Statistics 2026: The Definitive Data on EU Data Protection
Since enforcement began in May 2018, the General Data Protection Regulation has generated over EUR 4 billion in fines, tens of thousands of enforcement decisions, and more than 130,000 data breach notifications per year. GDPR remains the benchmark for data protection regulation worldwide, and its enforcement data reveals patterns that every organization handling EU personal data should understand.
This page compiles verified statistics on GDPR fines, enforcement actions, country-level breakdowns, data breach notifications, compliance costs, and regulatory activity. Every number is sourced from the European Data Protection Board, national data protection authorities, and verified industry reports.
Total GDPR Fines
| Statistic | Source |
|---|---|
| Total GDPR fines tracked (all time): approximately EUR 4 billion | Privacy Affairs GDPR Fines Tracker |
| Total number of individual fines tracked: 1,701 | Privacy Affairs GDPR Fines Tracker |
| Total fines issued in 2023 alone (EEA DPAs): EUR 1,973,832,107 | EDPB Annual Report 2023, pp. 36-37 |
| Total number of fines issued in 2023: 1,763 | EDPB Annual Report 2023, pp. 36-37 |
| Fines resulting from EDPB binding decisions since 2018: over EUR 2.5 billion | EDPB Annual Report 2023, p. 14 |
| EDPB binding decision fines as share of total: approximately 55% | EDPB Annual Report 2023, p. 14 |
| Smallest GDPR fine ever recorded: EUR 28 (Hungary, November 2020) | Privacy Affairs GDPR Fines Tracker |
20 Largest GDPR Fines Ever Issued
| Rank | Company | Amount (EUR) | Country/DPA | Year | Reason |
|---|---|---|---|---|---|
| 1 | Meta Platforms (Facebook) | 1,200,000,000 | Ireland (DPC) | 2023 | Unlawful transfer of EU user data to US via Standard Contractual Clauses |
| 2 | Amazon Europe | 746,000,000 | Luxembourg (CNPD) | 2021 | Non-compliance with GDPR regarding targeted advertising without proper consent |
| 3 | Meta (Instagram) | 405,000,000 | Ireland (DPC) | 2022 | Processing children's personal data; public-by-default settings for child accounts |
| 4 | Meta (Facebook) | 390,000,000 | Ireland (DPC) | 2023 | Using "contract" as legal basis for behavioral advertising processing |
| 5 | TikTok Technology | 345,000,000 | Ireland (DPC) | 2023 | Unfair design practices targeting children aged 13-17 |
| 6 | Uber | 290,000,000 | Netherlands (AP) | 2024 | Unlawful transfer of European drivers' personal data to the United States |
| 7 | Meta (WhatsApp) | 225,000,000 | Ireland (DPC) | 2021 | Lack of transparency; failure to provide adequate information to users and non-users |
| 8 | Google LLC | 50,000,000 | France (CNIL) | 2019 | Insufficient legal basis; lack of transparency and consent for ad personalization |
| 9 | Criteo | 40,000,000 | France (CNIL) | 2023 | Tracking users without valid consent for targeted advertising |
| 10 | H&M | 35,258,708 | Germany (HmbBfDI) | 2020 | Extensive surveillance of employees; recording details of private lives |
| 11 | Enel Energia | 26,500,000 | Italy (Garante) | 2021 | Aggressive telemarketing without consent |
| 12 | British Airways | 22,046,000 | UK (ICO) | 2020 | Insufficient security measures; approximately 500,000 customers affected in data breach |
| 13 | Marriott International | 20,450,000 | UK (ICO) | 2020 | Insufficient security; 30 million EEA records exposed since 2014 |
| 14 | Clearview AI | 20,000,000 | France (CNIL) | 2022 | Unlawful processing of biometric data; scraping facial images without consent |
| 15 | Clearview AI | 20,000,000 | Italy (Garante) | 2022 | Unlawful biometric processing (same practices as France) |
| 16 | Clearview AI | 20,000,000 | Greece (HDPA) | 2022 | Unlawful biometric processing (same practices as France and Italy) |
| 17 | CaixaBank | 6,000,000 | Spain (AEPD) | 2021 | Data processing without valid consent |
| 18 | Spotify | ~5,000,000 | Sweden (IMY) | 2023 | Violating customers' right of access under Article 15 GDPR |
| 19 | Moderna Försäkringar | ~3,000,000 | Sweden (IMY) | 2023 | Failure to ensure appropriate security; 650,000 customer records accessible |
| 20 | OPENBANK | 2,500,000 | Spain (AEPD) | 2023 | Failure to enable secure communication for financial data |
Sources: EDPB Annual Report 2023; Privacy Affairs GDPR Fines Tracker; GDPR Enforcement Tracker (enforcementtracker.com)
GDPR Fines by Country (2023)
The following table shows fine activity for every EEA data protection authority in 2023, based on official data reported to the EDPB.
By Total Fine Amount (2023)
| Rank | Country | Number of Fines | Total Fine Amount (2023) |
|---|---|---|---|
| 1 | Ireland | 6 | EUR 1,551,782,500 |
| 2 | Netherlands | 8 | EUR 243,160,000 |
| 3 | France | 37 | EUR 79,164,500 |
| 4 | Spain | 367 | EUR 29,817,410 |
| 5 | Italy | 146 | EUR 25,200,000 |
| 6 | Sweden | 11 | EUR 10,780,000 |
| 7 | Germany (all Länder) | 469 | EUR 9,743,930 |
| 8 | Norway | 7 | EUR 8,500,000 |
| 9 | Croatia | 28 | EUR 8,266,350 |
| 10 | Denmark | 5 | EUR 2,100,000 |
| 11 | Hungary | 95 | EUR 1,380,334 |
| 12 | Greece | 12 | EUR 636,000 |
| 13 | Iceland | 12 | EUR 537,000 |
| 14 | Finland | 3 | EUR 464,600 |
| 15 | Romania | 68 | EUR 444,622 |
| 16 | Portugal | 48 | EUR 367,450 |
| 17 | Austria | 55 | EUR 254,075 |
| 18 | Poland | 24 | EUR 213,820 |
| 19 | Estonia | 12 | EUR 213,300 |
| 20 | Bulgaria | 93 | EUR 159,931 |
| 21 | Czech Republic | 23 | EUR 140,000 |
| 22 | Slovakia | 47 | EUR 122,665 |
| 23 | Cyprus | 11 | EUR 120,250 |
| 24 | Belgium | 3 | EUR 80,000 |
| 25 | Lithuania | 13 | EUR 64,060 |
| 26 | Slovenia | 77 | EUR 56,910 |
| 27 | Malta | 3 | EUR 32,500 |
| 28 | Latvia | 3 | EUR 22,900 |
| 29 | Luxembourg | 3 | EUR 6,500 |
| 30 | Liechtenstein | 1 | EUR 500 |
| | TOTAL | 1,763 | EUR 1,973,832,107 |
Source: EDPB Annual Report 2023, pp. 36-37
All-Time Rankings by Total Fine Amount
| Rank | Country | Total Fines (All Time) |
|---|---|---|
| 1 | Ireland | EUR 2,510,165,800 |
| 2 | Luxembourg | EUR 746,312,300 |
| 3 | France | EUR 293,594,300 |
| 4 | Italy | EUR 144,195,096 |
| 5 | United Kingdom | EUR 75,452,800 |
Source: Privacy Affairs GDPR Fines Tracker
All-Time Rankings by Number of Fines
| Rank | Country | Total Number of Fines |
|---|---|---|
| 1 | Spain | 594 |
| 2 | Italy | 244 |
| 3 | Romania | 126 |
| 4 | Germany | 122 |
| 5 | Hungary | 66 |
Source: Privacy Affairs GDPR Fines Tracker
Most Violated GDPR Articles
Enforcement data reveals consistent patterns in which GDPR articles are most frequently cited in fines.
| Article | Description | Enforcement Pattern | Source |
|---|---|---|---|
| Art. 5 | Principles of processing (lawfulness, fairness, transparency, purpose limitation, data minimization) | Most frequently cited in fines overall | Privacy Affairs Tracker; EDPB AR 2023 |
| Art. 6 | Lawfulness of processing (legal basis) | Second most common - drives many high-value fines | Privacy Affairs Tracker; enforcementtracker.com |
| Art. 32 | Security of processing | Third most common - frequently cited in breach-related fines | EDPB AR 2023 case digest, p. 34 |
| Art. 13/14 | Information obligations (transparency) | Very common across all DPAs | Privacy Affairs Tracker |
| Art. 15 | Right of access | Common - driven by consumer complaints (e.g., Spotify EUR 5M) | EDPB AR 2023, p. 56 |
| Art. 33/34 | Breach notification obligations | Common in breach-related cases | EDPB AR 2023 case digest, p. 34 |
| Art. 25 | Data protection by design and default | Increasing - cited in TikTok and similar cases | EDPB AR 2023, pp. 17-18 |
| Art. 44-49 | International transfers (Chapter V) | Drives the highest-value fines (Meta EUR 1.2B) | EDPB AR 2023, p. 16 |
Note: DPAs often apply Articles 32, 33, and 34 together in breach-related decisions. The EDPB's 2023 case digest analyzed 90 One-Stop-Shop decisions specifically on security of processing and data breach notification.
Source: EDPB Annual Report 2023; Privacy Affairs Tracker
GDPR Enforcement Actions and Complaints
National DPA Activity (2023)
| Country | Complaints Received | Investigations | Sanctions |
|---|---|---|---|
| Spain | 18,879 | 291 | 367 fines + 266 compliance orders |
| Sweden | 3,553 | 210 | 11 fines |
| Austria | 1,732 | 536 | 55 sanctions |
| Bulgaria | 1,497 | 890 | 93 sanctions |
| Cyprus | 437 | 14 (+11 on-site) | 54 decisions (11 fines) |
| Croatia | 279 | 447 | 28 sanctions |
Source: EDPB Annual Report 2023, Section 3.4, pp. 38-56
Cross-Border Cooperation (2023)
| Metric | Value |
|---|---|
| Cross-border cases created in 2023 | 366 |
| Total One-Stop-Shop procedures (all time to 2023) | 1,023 |
| OSS Final Decisions (all time to 2023) | 442 |
| Percentage of OSS decisions going to EDPB dispute resolution | ~1% |
| Total EDPB binding decisions issued (all time) | 11 (including 2 urgent Article 66 decisions) |
| Binding decisions adopted in 2023 | 3 |
| Total consistency opinions adopted (all time to 2023) | 182 |
| IMI system procedures facilitated in 2023 | 4,580+ |
Source: EDPB Annual Report 2023, pp. 14, 16, 19-20, 33
Data Breach Notifications
| Statistic | Source |
|---|---|
| Over 130,000 data breach notifications in 2023 | DLA Piper GDPR Fines and Data Breach Survey (January 2024), widely cited |
| Approximately 120,000 breach notifications in 2022 | DLA Piper (January 2023) |
| Breach notification numbers have increased each year since GDPR enforcement began in May 2018 | DLA Piper annual surveys |
Note: EU-wide aggregate data breach notification totals are not published by the EDPB. The DLA Piper annual survey is the primary source for cross-DPA breach notification data.
Data Breach Costs
IBM Cost of a Data Breach Report 2025
| Statistic | Source |
|---|---|
| Global average cost of a data breach: $4.4 million USD | IBM Cost of a Data Breach Report 2025 |
| Year-over-year change: 9% decrease (driven by faster identification and containment) | IBM 2025 |
| Cost savings from AI security tools: $1.9 million USD per breach vs organizations without AI | IBM 2025 |
| Organizations with AI-related security incidents but lacking AI access controls: 97% | IBM 2025 |
| Organizations lacking AI governance policies: 63% | IBM 2025 |
IBM Cost of a Data Breach Report 2024
| Statistic | Source |
|---|---|
| Global average cost of a data breach: $4.88 million USD | IBM Cost of a Data Breach Report 2024 |
| Average time to identify a breach: 194 days | IBM 2024 |
| Average breach lifecycle (identify + contain): 292 days | IBM 2024 |
GDPR Fines by Sector
Enforcement patterns show that technology companies account for the overwhelming majority of total fine value, while certain national DPAs focus on specific sectors.
| Sector | Notable Fines | Key Issues |
|---|---|---|
| Technology/Big Tech | Meta (EUR 1.2B + EUR 405M + EUR 390M + EUR 225M), TikTok (EUR 345M), Google (EUR 50M), Amazon (EUR 746M), Uber (EUR 290M), Criteo (EUR 40M) | Data transfers, consent, transparency, children's data, behavioral advertising |
| Telecommunications | Multiple fines across Spain, Italy | Unsolicited marketing, data breaches |
| Financial Services | CaixaBank (EUR 6M), OPENBANK (EUR 2.5M) | Consent violations, security failures |
| Retail | H&M (EUR 35.3M) | Employee surveillance |
| Energy | Enel Energia (EUR 26.5M) | Aggressive telemarketing |
| Public Sector | Various municipalities and government entities | Video surveillance, data retention, transparency |
| Healthcare | Various hospitals (Netherlands, Portugal) | Patient record access, security |
Meta alone accounts for over EUR 2.2 billion in cumulative GDPR fines - more than half of the total ever issued.
Spain's AEPD, the most active DPA by volume (367 fines in 2023), primarily targets telecommunications, financial services, and small businesses for direct marketing violations.
DPA Resources and Budgets
The EDPB's 2023 survey of Data Protection Authorities reveals a significant gap between regulatory ambition and enforcement resources.
| Statistic | Source |
|---|---|
| DPAs stating their budget is NOT sufficient: 75% (21 of 28 DPAs) | EDPB Annual Report 2023, p. 57 |
| DPAs stating their staffing is NOT sufficient: 89% (25 of 28 DPAs) | EDPB Annual Report 2023, p. 57 |
| DPAs with same staff levels as 2022 despite increasing workload: 7 DPAs | EDPB Annual Report 2023, p. 57 |
| EDPB budget (2023): EUR 7.67 million | EDPB Annual Report 2023, p. 10 |
| EDPB Secretariat staff: 46 | EDPB Annual Report 2023, p. 9 |
| EDPB Support Pool of Experts: approximately 500 on reserve list | EDPB Annual Report 2023, p. 31 |
DPO (Data Protection Officer) Activity
The EDPB's 2023 Coordinated Enforcement Action focused specifically on Data Protection Officers, producing the largest cross-EU DPO survey to date.
| Statistic | Source |
|---|---|
| DPAs participating in the DPO enforcement action: 25 across the EEA | EDPB Annual Report 2023, p. 30 |
| Replies received from DPOs and organizations: more than 17,000 | EDPB Annual Report 2023, p. 30 |
| EDPB HUB user base: over 1,400 members | EDPB Annual Report 2023, p. 11 |
GDPR Penalty Framework
| Tier | Maximum Fine | Applies To |
|---|---|---|
| Upper tier | EUR 20,000,000 or 4% of global annual turnover (whichever is higher) | Violations of data processing principles, conditions for consent, data subject rights, international transfers |
| Lower tier | EUR 10,000,000 or 2% of global annual turnover (whichever is higher) | Violations of controller/processor obligations, certification body obligations, monitoring body obligations |
Source: GDPR Articles 83(4) and 83(5)
Key GDPR Dates and Timeline
| Date | Event |
|---|---|
| April 14, 2016 | European Parliament adopted GDPR |
| May 4, 2016 | GDPR published in Official Journal |
| May 25, 2018 | GDPR became applicable (enforcement began) |
| January 2020 | First major fines wave (Google EUR 50M in 2019, H&M EUR 35M in 2020) |
| July 2021 | Amazon EUR 746M fine (largest until Meta 2023) |
| May 2023 | Meta EUR 1.2B fine (largest GDPR fine ever) |
| July 2023 | EU-US Data Privacy Framework adequacy decision adopted |
| 2023 | Record year: EUR 1.97 billion in fines, 1,763 individual fines |
Frequently Asked Questions
Q: How much money has been collected in GDPR fines?
A: As of early 2026, approximately EUR 4 billion in GDPR fines have been imposed since enforcement began in May 2018. In 2023 alone, EEA data protection authorities issued EUR 1.97 billion in fines across 1,763 individual decisions. Note, however, that "imposed" does not always mean "collected": many large fines are subject to ongoing legal appeals.
Q: What is the largest GDPR fine ever issued?
A: The largest GDPR fine is EUR 1.2 billion, issued to Meta Platforms (Facebook) by the Irish Data Protection Commission in May 2023 for unlawful transfer of EU user data to the United States. This fine exceeded the previous record of EUR 746 million against Amazon by Luxembourg in 2021.
Q: Which country issues the most GDPR fines?
A: By number of fines, Spain is the most active enforcer with 594 total fines (367 in 2023 alone), followed by Italy (244), Romania (126), Germany (122), and Hungary (66). However, by total fine value, Ireland leads at EUR 2.51 billion due to large fines against Big Tech companies headquartered there, followed by Luxembourg (EUR 746M) and France (EUR 294M).
Q: How many data breach notifications are there per year?
A: According to DLA Piper's annual survey, over 130,000 data breach notifications were filed across the EU/EEA in 2023, up from approximately 120,000 in 2022. The number has increased each year since GDPR enforcement began.
Q: What does a data breach cost on average?
A: According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.4 million USD. Organizations using AI security tools save approximately $1.9 million per breach compared to those without AI. IBM's 2024 report put the average time to identify a breach at 194 days, with a total lifecycle (identify + contain) of 292 days.
Q: Which GDPR articles are violated most often?
A: Article 5 (processing principles) is the most frequently cited article in GDPR fines, followed by Article 6 (lawfulness of processing) and Article 32 (security of processing). The highest-value fines tend to involve Article 44-49 violations related to international data transfers.
Q: Are DPA budgets sufficient for enforcement?
A: No. According to the EDPB's 2023 survey, 75% of data protection authorities say their budget is insufficient, and 89% say their staffing is insufficient. Seven DPAs had the same staff levels as the prior year despite increasing workloads.
All statistics on this page are sourced from official EU data protection bodies and verified industry reports. Primary sources include the EDPB Annual Report 2023, Privacy Affairs GDPR Fines Tracker, GDPR Enforcement Tracker (enforcementtracker.com), IBM Cost of a Data Breach Reports (2024, 2025), DLA Piper GDPR Fines and Data Breach Surveys, and national DPA annual reports. This page is updated regularly as new enforcement data becomes available.
Last updated: March 2026