The General Data Protection Regulation (GDPR) is an EU law that governs the requirements on how organizations collect, process, and transfer the personal data of EU residents.

Compliance is mandatory for all in-scope organizations. Violations attract regulatory scrutiny and can result in severe financial penalties. Enforcement actions, including fines, are often made public, which can also cause long-term reputational damage.

That’s why accountability and transparency in data governance are business-critical priorities for organizations complying with the GDPR. Let’s explore the regulation’s fines and penalties in detail, including:

  • The factors that influence GDPR fines
  • Common GDPR violations and case studies
  • Tips to avoid non-compliance

Who must comply with the GDPR?

Any organization that processes the personal data of individuals in the EU, whether by offering goods or services or monitoring their behavior, must comply with the GDPR. The regulation applies regardless of the organization’s size or location.

GDPR applicability may vary depending on whether your organization assumes a controller or a processor role. Controllers process personal data as part of their operations and define the purposes and means of processing. Processors, on the other hand, handle data on behalf of the controller. All in-scope controllers and processors must comply with GDPR provisions proportionate to their processing activities and risks. Certain obligations carry limited exemptions, such as the Article 30(5) exemption for small organizations, but these depend on the risk and frequency of the processing.

If you offer goods or services to people in the EU or monitor their behavior, you’re generally in scope for GDPR, even if you’re located outside the EU. If you truly process no personal data of EU residents (including online identifiers or cookies), GDPR wouldn’t apply—but that’s uncommon.


Who enforces the GDPR?

The European Data Protection Board (EDPB) provides guidance and ensures consistent GDPR application across the EU. Enforcement, however, happens at the national level through the data protection authorities (DPAs), with each member state having its own. Examples include:

  • Österreichische Datenschutzbehörde for Austria
  • Data Protection Commissioner for Ireland
  • Commission Nationale pour la Protection des Données for Luxembourg
  • Autoriteit Persoonsgegevens for the Netherlands

DPAs have a dual role under the GDPR:

  1. Investigation: They’re in charge of investigations to ensure organizations meet the data handling standards
  2. Enforcement: They impose corrective measures if they identify violations

DPAs also facilitate international collaboration. For cross-border incidents, DPAs are expected to cooperate closely under the EDPB to streamline investigations and ensure consistent enforcement across EU Member States.

What are the fines and penalties for GDPR non-compliance?

When a DPA investigates an organization and detects a GDPR violation, it can take two kinds of action: financial fines and corrective measures.

1. Financial fines

GDPR non-compliance penalties are split into two tiers depending on the severity of the violation:

Tier: Less serious infringements
  • Fine amount: Up to €10 million or 2% of global annual turnover, whichever is higher
  • Criteria: Violations of articles governing:

Tier: More serious infringements
  • Fine amount: Up to €20 million or 4% of global annual turnover, whichever is higher
  • Criteria: Violations of articles governing:

2. Corrective measures

DPAs also have the power to impose corrective measures on organizations, such as:

  • Warnings and reprimands
  • Banning or limiting data processing
  • Suspending international data transfers

Other measures include ordering erasure, granting data subject requests, or bringing processing into compliance within a set timeframe.

Corrective measures and financial fines can be applied together, depending on the findings of DPA investigations. If an organization fails to follow the corrective order, the DPA may issue additional fines independent of the original violation, using the thresholds defined in the previous section.


How are GDPR fines calculated?

DPAs weigh the nature and severity of a violation when setting GDPR fines. They use the following 10 factors to determine the extent of financial penalties:

[Infographic: key criteria used to determine GDPR fines, including factors related to intent, mitigation, cooperation, data category, and overall severity]

  1. Gravity and nature: General information about the violation, including what happened, why, the number of data subjects impacted, and how long it took to address the violation
  2. Intention: Whether the violation was intentional or caused by human error or insufficient safeguards
  3. Mitigation: Key measures the organization took to mitigate the impact of the breach on the data subjects
  4. Precautionary measures: What existing administrative and technical controls the organization implemented to align with the GDPR
  5. History: Patterns of violations (related to GDPR or older frameworks such as the Data Protection Directive), and whether the organization adhered to corrective actions enforced by the DPA
  6. Cooperation: The extent to which the organization cooperated with the supervisory authorities to identify and remediate the violations
  7. Data category: The types of personal information involved in the breach, including special categories of data
  8. Notification: Whether the organization or relevant processor proactively informed supervisory authorities about the violation
  9. Certification: Whether the organization has any prior certifications or follows an approved code of conduct
  10. Aggravating/mitigating factors: Other factors arising from the violation, such as financial gains or losses

An overview of EDPB’s methodology to calculate GDPR fines

Beyond the factors listed above, the EDPB guidelines propose a five-step methodology for calculating proportional and consistent fines. Here’s what it looks like:

  1. Identify the relevant processing operations
  2. Determine the starting point for calculating the fine based on factors such as the nature and gravity of the infringement
  3. Assess factors that aggravate or mitigate the situation—for example, the past behaviour of the controller or processor
  4. Calculate the fine while respecting the legal thresholds
  5. Ensure the effectiveness, dissuasiveness, and proportionality of the fine as per Article 83(1) of the GDPR

“The severity of a GDPR fine can be shaped by weighing the scale of harm, the sensitivity of data, and whether the breach was systemic or due to negligence. Repeated violations, lack of cooperation, or ignoring user rights are all key drivers that can escalate fines to a higher level.”

Faisal Khan

5 most common GDPR violations [With case studies]

Although the GDPR outlines a broad range of requirements, most violations actually stem from a handful of recurring issues, such as:

1. Non-compliance with general data processing principles

Seven GDPR data protection principles form the basis of the regulation and shape the intent of most of its requirements. These principles include data minimization, accountability, transparency, and integrity and confidentiality. It’s common to see organizations violating GDPR’s key principles despite their foundational nature.

Case study: In 2024, the French supervisory authority fined Amazon’s warehouse groups €32 million for violating several data principles, including data minimization and lawful processing.

2. Not meeting data subject rights

The GDPR emphasizes eight key data subject rights that grant individuals greater control over how their data is stored, used, and transferred. Consent plays a significant role here. It must be freely given, informed via a privacy notice, and unambiguous.

In practice, this means that there shouldn’t be an incentive or coercive condition for users to agree to their data being processed.

Case study: Meta’s changes to personalized ads across its services were a notable violation of this principle. Users were given the option of agreeing to their data being used for targeted advertising or paying a monthly subscription fee. EU regulators found this model incompatible with the GDPR’s free consent requirements.

3. Not meeting legal requirements for data processing

Before starting any processing activity, organizations must establish a lawful basis that aligns with their processing purpose. The GDPR defines six lawful bases for collecting and handling personal information.

Case study: The Hamburg Commissioner issued a €35.3 million fine to H&M for collecting large amounts of information about their employees’ private lives without a clear lawful basis, which violated their data subject rights. This issue came to light following a 2019 data breach, which made internal records accessible across the entire company.

4. Lack of cooperation with supervisory bodies

Failing to follow up on a supervisory body’s order can incur fines in addition to those for the original GDPR violations.

Case study: In 2020, Sweden’s DPA ordered Google to remediate issues related to data subjects’ right to be forgotten. Despite the order to remove the information according to a 2017 request, Google only partially complied. In one case, the company delayed delisting past the time window outlined by the GDPR. Google also notified website owners of delisting requests, which discouraged people from pursuing their rights. The Swedish DPA issued a €7 million fine for this violation.

5. Insufficient data protection and privacy measures

In-scope organizations must document their activities and safeguards to demonstrate compliance to auditors. A lack of appropriate measures or insufficient documentation can be considered a breach of the GDPR.

Case study: In mid-2025, the Irish Data Protection Commission fined TikTok after determining the company could not demonstrate adequate safeguards for EU resident data stored on servers in China, increasing the risk of unauthorized access and data leaks.


How to avoid GDPR non-compliance

Follow these practices to minimize the risk of violating the GDPR:

  • Implement strong data protection measures: Establish comprehensive safeguards for protecting personal data and mitigating third-party risks to minimize the likelihood of breaches
  • Establish lawful bases for all data processing: Determine a justifiable lawful basis for each processing activity, document it, and inform your data subjects
  • Train staff regularly: Establish a regular training cadence so your staff members are aware of their responsibilities under the GDPR and stay current with regulatory updates
  • Perform risk assessments: Conduct data protection impact assessments (DPIAs) and other internal reviews regularly and after any changes to your processing activities to identify and mitigate potential risks to personal data
  • Continuously monitor implementation: Track and test the strength of your controls and safeguards to ensure they remain effective over time
  • Keep records of processing activities (RoPA) current and accessible: Regularly review and keep your RoPA mapped to current activities, intents, and lawful bases

The GDPR requires continuous compliance and multiple oversight workflows, which can overburden teams that rely on manual compliance processes. Overlooking any routine obligation, such as missing a data subject request, can trigger investigations and leave you exposed to corrective measures and penalties.

If compliance tasks block significant resources for your team or create operational bottlenecks, consider compliance automation solutions like Vanta.

Streamline, monitor, and prove GDPR compliance with Vanta

The GDPR is broad and complex, which makes compliance processes tedious, especially for small and medium-sized enterprises. Vanta is a trust management platform that helps organizations achieve and maintain GDPR compliance through:

  • Step-by-step guidance to operationalize GDPR’s compliance activities for both controllers and processors
  • Automation to support many key workflows
  • A gap assessment for GDPR-specific controls
  • A streamlined dashboard for everything GDPR-related
  • Personnel security and privacy training materials
  • Pre-built and customizable policy templates

Vanta’s GDPR solution is powered by more than 400 integrations to help you automate evidence collection. Its built-in guidance is aligned with GDPR’s chapters and articles, which saves you time-consuming research and consultations.

Schedule a custom demo and see how Vanta can fast-track your GDPR workflows.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

GDPR fines and penalties: What happens when you breach compliance

Written by Vanta
Reviewed by Faisal Khan, GRC Solutions Expert

