GDPR Fines in Numbers: Enforcement Statistics Through July 2026

European data protection authorities have issued roughly €6.31 billion in GDPR fines across 3,195 enforcement actions in 32 countries since May 2018, per the CMS GDPR Enforcement Tracker as of July 4, 2026. The largest fine remains Meta’s €1.2 billion (Irish DPC, 2023), 2025 added about €1.2 billion more, and the most common grounds are insufficient legal basis (Art. 6), violations of the core processing principles (Art. 5) and insufficient security measures (Art. 32) — failures of exactly the program-and-documentation layer small businesses most often skip.

Headline enforcement numbers

The figures below come from the two most-cited GDPR enforcement datasets: the CMS GDPR Enforcement Tracker (enforcementtracker.com), a continuously updated public database of published fines, and DLA Piper’s annual GDPR fines survey, which also counts non-public authority totals. They use different methodologies, so each figure is labelled with its source and as-of date.

| Metric | Figure | Source, as of |
| --- | --- | --- |
| Cumulative fines since May 2018 | ≈ €6.31 billion | CMS Enforcement Tracker, July 4, 2026 |
| Tracked enforcement actions | 3,195 across 32 countries | CMS Enforcement Tracker, July 4, 2026 |
| Cumulative fines (survey basis, incl. non-public totals) | ≈ €7.1 billion | DLA Piper survey, January 2026 |
| Fines issued in 2025 (12 months to Jan 27, 2026) | ≈ €1.2 billion | DLA Piper survey, January 2026 |
| Average fine (all published fines) | €2,277,122 | CMS Enforcement Tracker Report 2026 (cut-off March 1, 2026) |
| Personal-data breach notifications | 443 per day on average, up 22% year over year | DLA Piper survey, January 2026 |
| Ireland alone, cumulative | ≈ €4.04 billion | DLA Piper survey, January 2026 |

Sources: CMS GDPR Enforcement Tracker (enforcementtracker.com), retrieved July 4, 2026; DLA Piper GDPR Fines and Data Breach Survey, January 2026 (dlapiper.com). The average is heavily skewed by a handful of Big Tech mega-fines — the typical published fine is far smaller.

The largest GDPR fines on record

All of the largest fines were issued against large technology platforms, and the two biggest both punish unlawful international data transfers (Art. 46). One long-standing entry has dropped off this list: Amazon’s €746 million fine (Luxembourg, 2021) was annulled by Luxembourg’s Administrative Court on March 12, 2026 on procedural grounds and referred back to the regulator — many older articles still cite it as the second-largest GDPR fine, but as of July 2026 it no longer stands.

| Rank | Company | Fine | Authority, year |
| --- | --- | --- | --- |
| 1 | Meta Platforms Ireland (Facebook) | €1,200,000,000 | Ireland, 2023 |
| 2 | TikTok Technology Ltd | €530,000,000 | Ireland, 2025 |
| 3 | Meta Platforms (Instagram) | €405,000,000 | Ireland, 2022 |
| 4 | Meta Platforms Ireland | €390,000,000 | Ireland, 2023 |
| 5 | TikTok Ltd | €345,000,000 | Ireland, 2023 |
| 6 | LinkedIn Ireland | €310,000,000 | Ireland, 2024 |
| 7 | Uber B.V. | €290,000,000 | Netherlands, 2024 |

Source: CMS GDPR Enforcement Tracker (enforcementtracker.com), retrieved July 4, 2026; Irish Data Protection Commission decision announcements (dataprotection.ie).

What organizations actually get fined for

Ranked by number of fines across the whole tracker (CMS Enforcement Tracker Report 2026, cut-off March 1, 2026), the most common grounds are: insufficient legal basis for processing (Art. 6) first, non-compliance with the general data-processing principles (Art. 5) second, and insufficient technical and organisational security measures (Art. 32) third.

In 2025 specifically, analyses of the tracker data count 97 fines for insufficient security measures (Art. 32) — about 29% of the year’s fines and up roughly 40% from 2024 — while legal-basis violations, though fewer in number, accounted for roughly 90% of 2025’s fine value because they included the year’s mega-fines.

Enforcement is not only a Big Tech story. By sector, the tracker’s report counts 588 fines against industry and commerce (≈ €394 million, average ≈ €670,000), 327 against the public sector and education, and 257 against finance, insurance and consulting — a long tail of ordinary organizations fined for ordinary failures: no lawful basis, missing records, weak security.

Maximum penalties under Article 83

The GDPR sets two tiers of maximum administrative fines. Each maximum is a fixed amount or a percentage of turnover, whichever is higher, and for corporate groups the percentage applies to total worldwide annual turnover.

| Tier | Covers (examples) | Maximum |
| --- | --- | --- |
| Higher tier — Art. 83(5)–(6) | Processing principles (Art. 5), legal basis (Art. 6), data-subject rights, unlawful transfers (Arts. 44–49) | €20 million or 4% of total worldwide annual turnover, whichever is higher |
| Lower tier — Art. 83(4) | Controller/processor duties incl. security (Art. 32), records of processing (Art. 30), breach notification (Arts. 33–34) | €10 million or 2% of total worldwide annual turnover, whichever is higher |

Source: Regulation (EU) 2016/679, Article 83 (official consolidated text, e.g. gdpr-info.eu/art-83-gdpr).

What the numbers mean for the documentation layer

The three most-fined grounds — legal basis, the Art. 5 principles (including the Art. 5(2) accountability duty to be able to demonstrate compliance), and Art. 32 security measures — are all failures a documented, operated privacy program addresses. Records of Processing Activities (Art. 30), a lawful-basis register, security policies and a breach-response procedure are the artifacts regulators ask for first. Documentation alone does not make an organization GDPR compliant — compliance comes from actually operating those controls — but under the accountability principle, being unable to show the documents is itself a violation.

Frequently asked questions

How much have GDPR fines totaled since 2018?
About €6.31 billion across 3,195 published enforcement actions in 32 countries as of July 4, 2026, per the CMS GDPR Enforcement Tracker. DLA Piper’s January 2026 survey, which also counts non-public authority totals, puts the cumulative figure at roughly €7.1 billion.

What is the largest GDPR fine ever?
The €1.2 billion fine the Irish Data Protection Commission issued against Meta Platforms Ireland in May 2023 for unlawful EU–US data transfers (Art. 46). The second-largest standing fine is TikTok’s €530 million (Ireland, 2025). Amazon’s €746 million fine, long cited as number two, was annulled by Luxembourg’s Administrative Court in March 2026.

How much were GDPR fines in 2025?
Roughly €1.2 billion in the twelve months to January 27, 2026, per DLA Piper’s annual survey — broadly matching 2024. The largest single 2025 fine was TikTok’s €530 million from the Irish DPC. Analyses of the Enforcement Tracker data count over 330 individual fines in calendar 2025.

What are the maximum GDPR fines?
Up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for violations of the processing principles, legal basis, data-subject rights or transfer rules; up to €10 million or 2% for duties such as security measures, records of processing and breach notification (Art. 83).

Which GDPR violations are fined most often?
By count, across all published fines: insufficient legal basis for processing (Art. 6) first, violations of the general processing principles (Art. 5) second, and insufficient technical and organisational security measures (Art. 32) third, per the CMS Enforcement Tracker Report 2026. In 2025, Art. 32 security failures were the single most frequent ground, with 97 fines.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.