GDPR Fines in Numbers: Enforcement Statistics Through July 2026
European data protection authorities have issued roughly €6.31 billion in GDPR fines across 3,195 enforcement actions in 32 countries since May 2018, per the CMS GDPR Enforcement Tracker as of July 4, 2026. The largest fine remains Meta’s €1.2 billion (Irish DPC, 2023), 2025 added about €1.2 billion more, and the most common grounds are insufficient legal basis (Art. 6), violations of the core processing principles (Art. 5) and insufficient security measures (Art. 32) — failures of exactly the program-and-documentation layer small businesses most often skip.
Headline enforcement numbers
The figures below come from the two most-cited GDPR enforcement datasets: the CMS GDPR Enforcement Tracker (enforcementtracker.com), a continuously updated public database of published fines, and DLA Piper’s annual GDPR fines survey, which also counts non-public authority totals. They use different methodologies, so each figure is labelled with its source and as-of date.
| Metric | Figure | Source, as of |
|---|---|---|
| Cumulative fines since May 2018 | ≈ €6.31 billion | CMS Enforcement Tracker, July 4, 2026 |
| Tracked enforcement actions | 3,195 across 32 countries | CMS Enforcement Tracker, July 4, 2026 |
| Cumulative fines (survey basis, incl. non-public totals) | ≈ €7.1 billion | DLA Piper survey, January 2026 |
| Fines issued in 2025 (12 months to Jan 27, 2026) | ≈ €1.2 billion | DLA Piper survey, January 2026 |
| Average fine (all published fines) | €2,277,122 | CMS Enforcement Tracker Report 2026 (cut-off March 1, 2026) |
| Personal-data breach notifications | 443 per day on average, up 22% year over year | DLA Piper survey, January 2026 |
| Ireland alone, cumulative | ≈ €4.04 billion | DLA Piper survey, January 2026 |
Sources: CMS GDPR Enforcement Tracker (enforcementtracker.com), retrieved July 4, 2026; DLA Piper GDPR Fines and Data Breach Survey, January 2026 (dlapiper.com). The average is heavily skewed by a handful of Big Tech mega-fines — the typical published fine is far smaller.
The largest GDPR fines on record
All of the largest fines were issued against large technology platforms, and the two biggest both punish unlawful international data transfers (Art. 46). One long-standing entry has dropped off this list: Amazon’s €746 million fine (Luxembourg, 2021) was annulled by Luxembourg’s Administrative Court on March 12, 2026 on procedural grounds and referred back to the regulator — many older articles still cite it as the second-largest GDPR fine, but as of July 2026 it no longer stands.
| Rank | Company | Fine | Authority, year |
|---|---|---|---|
| 1 | Meta Platforms Ireland (Facebook) | €1,200,000,000 | Ireland, 2023 |
| 2 | TikTok Technology Ltd | €530,000,000 | Ireland, 2025 |
| 3 | Meta Platforms (Instagram) | €405,000,000 | Ireland, 2022 |
| 4 | Meta Platforms Ireland | €390,000,000 | Ireland, 2023 |
| 5 | TikTok Ltd | €345,000,000 | Ireland, 2023 |
| 6 | LinkedIn Ireland | €310,000,000 | Ireland, 2024 |
| 7 | Uber B.V. | €290,000,000 | Netherlands, 2024 |
Source: CMS GDPR Enforcement Tracker (enforcementtracker.com), retrieved July 4, 2026; Irish Data Protection Commission decision announcements (dataprotection.ie).
What organizations actually get fined for
Ranked by number of fines across the whole tracker (CMS Enforcement Tracker Report 2026, cut-off March 1, 2026), the most common grounds are: insufficient legal basis for processing (Art. 6) first, non-compliance with the general data-processing principles (Art. 5) second, and insufficient technical and organisational security measures (Art. 32) third.
In 2025 specifically, analyses of the tracker data count 97 fines for insufficient security measures (Art. 32) — about 29% of the year’s fines and up roughly 40% from 2024 — while legal-basis violations, though fewer in number, accounted for roughly 90% of 2025’s fine value because they included the year’s mega-fines.
Enforcement is not only a Big Tech story. By sector, the tracker’s report counts 588 fines against industry and commerce (≈ €394 million, average ≈ €670,000), 327 against the public sector and education, and 257 against finance, insurance and consulting — a long tail of ordinary organizations fined for ordinary failures: no lawful basis, missing records, weak security.
Maximum penalties under Article 83
The GDPR sets two tiers of maximum administrative fines. In each tier the cap is a fixed euro amount or a percentage of turnover, whichever is higher, and for corporate groups the percentage applies to total worldwide annual turnover.
| Tier | Covers (examples) | Maximum |
|---|---|---|
| Higher tier — Art. 83(5)–(6) | Processing principles (Art. 5), legal basis (Art. 6), data-subject rights, unlawful transfers (Arts. 44–49) | €20 million or 4% of total worldwide annual turnover, whichever is higher |
| Lower tier — Art. 83(4) | Controller/processor duties incl. security (Art. 32), records of processing (Art. 30), breach notification (Arts. 33–34) | €10 million or 2% of total worldwide annual turnover, whichever is higher |
Source: Regulation (EU) 2016/679, Article 83 (official consolidated text, e.g. gdpr-info.eu/art-83-gdpr).
What the numbers mean for the documentation layer
The three most-fined grounds — legal basis, the Art. 5 principles (including the Art. 5(2) accountability duty to be able to demonstrate compliance), and Art. 32 security measures — are all failures a documented, operated privacy program addresses. Records of Processing Activities (Art. 30), a lawful-basis register, security policies and a breach-response procedure are the artifacts regulators ask for first. Documentation alone does not make an organization GDPR compliant — compliance comes from actually operating those controls — but under the accountability principle, being unable to show the documents is itself a violation.
Frequently asked questions
- How much have GDPR fines totaled since 2018?
- About €6.31 billion across 3,195 published enforcement actions in 32 countries as of July 4, 2026, per the CMS GDPR Enforcement Tracker. DLA Piper’s January 2026 survey, which also counts non-public authority totals, puts the cumulative figure at roughly €7.1 billion.
- What is the largest GDPR fine ever?
- The €1.2 billion fine the Irish Data Protection Commission issued against Meta Platforms Ireland in May 2023 for unlawful EU–US data transfers (Art. 46). The second-largest standing fine is TikTok’s €530 million (Ireland, 2025). Amazon’s €746 million fine, long cited as number two, was annulled by Luxembourg’s Administrative Court in March 2026.
- How much were GDPR fines in 2025?
- Roughly €1.2 billion in the twelve months to January 27, 2026, per DLA Piper’s annual survey — broadly matching 2024. The largest single 2025 fine was TikTok’s €530 million from the Irish DPC. Analyses of the Enforcement Tracker data count over 330 individual fines in calendar 2025.
- What are the maximum GDPR fines?
- Up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for violations of the processing principles, legal basis, data-subject rights or transfer rules; up to €10 million or 2% for duties such as security measures, records of processing and breach notification (Art. 83).
- Which GDPR violations are fined most often?
- By count, across all published fines: insufficient legal basis for processing (Art. 6) first, violations of the general processing principles (Art. 5) second, and insufficient technical and organisational security measures (Art. 32) third, per the CMS Enforcement Tracker Report 2026. In 2025, Art. 32 security failures were the single most frequent ground, with 97 fines.
