GDPR is well-known for its costly violation penalties. Amazon was famously fined $880+ million in 2021 for tracking user data without appropriate consent, and more recently, Meta Platforms Ireland Ltd. received a record-breaking fine of €1.2 billion for transferring European Facebook user data to the United States without adequate safeguards.
Learn more about GDPR fines and penalties below.
Tiers of GDPR fines and penalties
There are two tiers of penalties, depending on the severity of the violation. Less severe violations can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher.
The second tier of penalties is for violations of the core principles of GDPR, including the right to consent, data subjects’ rights, and the principles of data processing. These violations can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher. In addition, those affected by the breach have the right to seek compensation for damages.

How much is a GDPR fine?
That depends. Under GDPR, fines are administered by the data protection regulator in each EU member state. The data protection regulator will determine two things: first, whether an infringement has occurred and second, the severity of the penalty.
If an investigation reveals multiple GDPR violations, the organization will only be penalized for the most severe one (as long as all the violations are part of the same processing operation).
How are GDPR fines calculated?
To determine whether a fine will be issued, and in what amount, the data protection regulator weighs the following 10 criteria:
- Gravity and nature: What happened? How did it happen and why? How many people were affected and what was the damage? How long did it take to resolve?
- Intention: Was the infringement intentional or the result of negligence?
- Mitigation: Did the organization try to mitigate the damage suffered by those affected by the infringement?
- Precautionary measures: How much technical and organizational preparation did the organization implement to be GDPR compliant before the infringement?
- History: Were there any previous infringements?
- Cooperation: Did the organization cooperate with the supervisory authority to discover and remedy the infringement?
- Data category: What type of personal data did the infringement affect?
- Notification: Did the organization proactively report the infringement to the supervisory authority?
- Certification: Was the organization previously certified? If not, did it follow the approved codes of conduct?
- Aggravating/mitigating factors: Were there any financial benefits gained or losses avoided as a result of the infringement?
GDPR violation examples
Since GDPR came into effect in 2018, there have been several newsworthy examples of violations, most notably Meta’s, Amazon’s, and Google’s GDPR fines.
Below are 20 GDPR violation cases with the largest fines imposed and what you can learn from each.

1. Meta - €1.2 Billion
- Year issued: 2023
- Penalty type: Insufficient legal basis for data processing
In May 2023, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited (Meta Ireland) €1.2 billion for continuing to transfer European Facebook user data to the United States even after the delivery of the Court of Justice of the European Union’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
Since Meta had been transferring millions of European users’ data in a systemic, continuous, and repetitive manner since 2020, this infringement of Article 46(1) GDPR was considered very serious and resulted in the largest GDPR fine to date.
Lessons to learn:
- Implement comprehensive data transfer mechanisms that comply with GDPR requirements.
- Regularly review and update data protection practices to align with evolving rulings and regulations.
2. Amazon - €746M
- Year issued: 2021
- Penalty type: Non-compliance with general data processing principles
In 2021, the Luxembourg National Commission for Data Protection (CNDP) fined Amazon Europe Core S.a.r.l. €746 million for non-compliance with general data processing principles. Before the fine imposed on Meta Ireland, this was the largest fine imposed by a European data protection authority since the GDPR came into effect in 2018.
Although limited details are available to the public, the fine is most likely the result of infringements involving Amazon’s advertising targeting system.
Lessons to learn:
- Obtain consumer consent by using clear, plain language and explaining how data is going to be used, for what purpose, and by whom.
3. Meta (Instagram) - €405M
- Year issued: 2022
- Penalty type: Non-compliance with general data processing principles
In 2022, the Irish Data Protection Authority issued a record GDPR fine of €405 million to Meta for its treatment of children’s data on Instagram. More specifically, Instagram set the accounts of children aged 13 to 17 to public by default, and allowed teenagers with business accounts to make their email addresses and phone numbers public.
Lessons to learn:
- The legal basis for collecting and processing personal data must be valid — for example, you must prove that processing data is necessary for the performance of a contract.
4. Meta (Facebook and Instagram) – €390 million
- Year issued: 2023
- Penalty type: Non-compliance with general data processing principles
In January 2023, the DPC fined Meta Ireland €390 million for GDPR breaches related to its personal advertising services, with €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches relating to its Instagram service. The DPC’s investigation held that the company’s practices breached Article 5(1)(a), which requires personal data to be processed lawfully, fairly, and in a transparent manner and that, in particular, Meta’s Terms of Use did not clearly disclose the company’s data processing activities or the purposes and legal basis for the processing.
Lessons to learn:
- Use clear and transparent information when discussing data collection and processing practices.
5. TikTok - €345 Million
- Year issued: 2024
- Penalty type: Non-compliance with general data processing principles
In September 2024, the Irish DPC fined TikTok Technology Limited €345 million for failing to protect children's data privacy adequately, including issues with age verification, default account settings that made children's accounts public, and a lack of transparency in the privacy notice.
Lessons to learn:
- Implement the principles of privacy by design and default, especially for accounts likely to belong to children.
- Be as clear and succinct as possible about processing activities, especially when collecting and processing child user information.
6. LinkedIn - €310 Million
- Year issued: 2024
- Penalty type: Insufficient legal basis for data processing
In October 2024, the Irish DPC fined LinkedIn Ireland Unlimited Company €310 million for processing users' personal data for behavioral analysis and targeted advertising without a valid legal basis, violating principles of lawfulness, fairness, and transparency.
Lessons to learn:
- Ensure that all data processing activities have a valid legal basis under the GDPR.
- Provide users with clear options to consent to or opt out of data processing for advertising purposes.
7. Uber - €290 Million
- Year issued: 2024
- Penalty type: Non-compliance with general data processing principles
In August 2024, the Dutch Data Protection Authority fined Uber Technologies, Inc. €290 million for unlawfully transferring European drivers' personal data to the United States for over two years without appropriate safeguards. More specifically, Uber collected sensitive information from drivers in Europe and transferred that data to Uber's headquarters without using a transfer tool.
Lessons to learn:
- Establish adequate safeguards for international intra-group personal data transfers.
- Conduct regular assessments of cross-border data flows to ensure compliance.
8. Meta Platforms - €251 Million
- Year issued: 2024
- Penalty type: Data Breach
In December 2024, the Irish DPC fined Meta Ireland €251 million for a 2018 security breach that exposed personal data of approximately 29 million Facebook users, including names, contact details, and other sensitive information.
Lessons to learn:
- Implement robust security measures to protect user data from unauthorized access.
- Promptly address vulnerabilities and notify affected individuals and authorities in the event of a breach.
9. WhatsApp - €225M
- Year issued: 2021
- Penalty type: Insufficient fulfillment of information obligations
In 2021, the Irish Data Protection Authority fined WhatsApp €225 million. At the time, it was the largest GDPR fine imposed by the Irish DPA. In its decision, the regulator stated that WhatsApp had not provided enough information about how data was collected "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Lessons to learn:
- Write clear and comprehensive privacy policies so users understand how their data is processed.
10. Google LLC and Google Ireland - €150M
- Year issued: 2021
- Penalty type: Insufficient legal basis for data processing
The French Data Protection Authority (CNIL) issued a fine of €150 million against Google (€90 million for Google LLC and €60 million for Google Ireland) for non-compliance with local (and pan-EU) cookie consent rules. More specifically, Google did not make it as easy to refuse all cookies as to accept them all on google.fr and youtube.com.
Lessons to learn:
- Present the option to reject non-essential cookies as prominently and as easily as the option to accept all tracking.
11. Enel Energia - €79M
- Year issued: 2024
- Penalty type: Insufficient technical and organisational measures to ensure information security
The Italian data protection authority (Garante) issued a €79 million fine to Enel Energia for multiple data privacy violations, including making unsolicited promotional calls without the required consent of users. Enel Energia was also penalized for not having sufficiently cooperated with the Garante during the course of the investigation. This is the largest fine ever issued by the Garante.
Lessons to learn:
- Cooperate with the data protection authority during any investigation into possible GDPR infringements.
12. Facebook - €60M
- Year issued: 2021
- Penalty type: Insufficient legal basis for data processing
In 2021, the CNIL also fined Facebook Ireland Ltd. €60 million for failing to provide users easy methods to refuse cookies when using the website.
Lessons to learn:
- Provide a clear way for users to opt out of cookies.
13. Google LLC - €50M
- Year issued: 2019
- Penalty type: Insufficient legal basis for data processing
In 2019, the French Data Protection Authority (CNIL) fined Google €50 million for unclear privacy consent agreements that failed to obtain freely given consumer consent for ad targeting. In its investigation, the CNIL found that Google had failed to act transparently and provide information in a way that was easily accessible to its users, and did not have any legal basis for processing its users’ data in order to provide personalized ads.
Lessons to learn:
- Write privacy consent agreements that clearly convey how you’ll be processing personal data, including for ad personalization purposes.
14. CRITEO - €40 Million
- Year issued: 2023
- Penalty type: Insufficient fulfilment of data subjects rights
In June 2023, the French Data Protection Authority (CNIL) fined ad-tech company Criteo €40 million for failing to properly fulfill data subjects’ rights under the GDPR. The regulator found that Criteo did not provide sufficient mechanisms for users to exercise their right to access, rectify, and erase their personal data. Additionally, Criteo failed to obtain proper consent for targeted advertising and did not adequately inform users about how their data was being processed.
Lessons to learn:
- Companies must ensure users can easily exercise their GDPR rights, including data access, rectification, and deletion.
- Explicit and informed consent is required before processing personal data for targeted advertising.
15. H&M - €35M
- Year issued: 2020
- Penalty type: Insufficient legal basis for data processing
The Hamburg Data Protection Authority fined H&M €30 million for employee-related offenses. One of the most notable violations was recording and storing one-on-one conversations with employees and using details provided in those conversations to make decisions regarding the employees. It was the largest fine imposed by the Hamburg DPA under the General Data Protection Regulation (GDPR).
Lessons to learn:
- Collecting and storing extensive personal data about your employees’ personal lives is a violation of the GDPR and their civil rights.
16. AMAZON FRANCE LOGISTIQUE - €32M
- Year issued: 2024
- Penalty type: Non-compliance with general data processing principles
In 2024, the French Data Protection Authority (CNIL) fined Amazon France Logistique €32 million for excessive surveillance of warehouse employees. The investigation found that Amazon’s monitoring systems, including scanners and performance tracking tools, were overly intrusive and violated employees’ privacy rights under the GDPR. The CNIL ruled that the level of surveillance was disproportionate and that Amazon had failed to justify the necessity of such data collection.
Lessons to learn:
- Companies should conduct data protection impact assessments (DPIAs) before implementing workplace surveillance tools.
- Workers have the right to privacy, and excessive data collection can lead to significant penalties.
17. Clearview AI Inc. - €30.5M
- Year issued: 2024
- Penalty type: Non-compliance with general data processing principles
In 2024, Clearview AI Inc. was fined €30.5 million by European regulators for unlawfully collecting and processing biometric data. The company scraped billions of facial images from the internet without individuals' consent and used them to build a facial recognition database. Regulators determined that Clearview AI violated GDPR principles, including the requirement for explicit consent and transparency in data processing.
Lessons to learn:
- Companies must obtain explicit consent before collecting and processing biometric data.
- Scraping publicly available images for commercial purposes without user consent can violate GDPR.
- Data processing activities involving sensitive personal data must have a clear legal basis and comply with strict privacy safeguards.
18. TIM - €27.8M
- Year issued: 2020
- Penalty type: Insufficient legal basis for data processing
In 2020, the Italian data protection authority fined Italian telecommunications operator TIM (formerly known as Telecom Italia) €27.8 million for a series of data collection and processing violations related to marketing campaigns. Violations included sending unsolicited communications and making promotional calls to millions of individuals, including those on non-contact and exclusion lists.
Lessons to learn:
- Create specific opt-ins for different marketing activities.
- Properly manage and update blocklists.
19. British Airways - €22M
- Year issued: 2020
- Penalty type: Insufficient technical and organizational measures to ensure information security
In 2020, British Airways was fined €20 million by the Information Commissioner's Office (ICO) for insufficient technical and organizational measures, which led to a data breach that affected the personal and credit card data of more than 400,000 customers. The fine was significantly reduced from €204.6 million, the amount the ICO originally said it intended to issue in 2019.
Lessons to learn:
- Put adequate security measures in place to keep customers’ personal data secure.
20. Marriott International, Inc. - £18.4 Million
- Year issued: 2020
- Penalty type: Insufficient technical and organisational measures to ensure information security
In 2020, the UK’s ICO fined Marriott International £18.4 million for failing to implement adequate security measures, leading to a massive data breach. This is much lower than the original fine of £99 million.
The breach, which affected approximately 339 million guests worldwide, originated from an incident in 2014 but was only discovered in 2018 after Marriott acquired Starwood Hotels. The ICO found that Marriott had failed to conduct proper due diligence when acquiring Starwood and had not taken sufficient steps to secure customer data.
Lessons to learn:
- Organizations must perform thorough security due diligence when acquiring companies with large customer data sets.
- Implementing strong cybersecurity measures, including continuous monitoring and threat detection, is essential.
FAQs
What are the tiers of fines under the GDPR?
There are two tiers of fines under GDPR:
- Tier 1 for less severe violations: Can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher.
- Tier 2 for more severe violations: Can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher.
What are the fines against individuals under GDPR?
The maximum fine for individuals is the same as the maximum for organizations: up to 20 million euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. You can find examples of fines against individuals in the GDPR enforcement tracker. Recent examples include a €5,000 fine against a physician for non-compliance with general data processing principles and a €240 fine against a private individual for insufficient legal basis for data processing.
What is the most common violation of GDPR?
According to the GDPR enforcement tracker, the most common violations are insufficient legal basis for data processing and non-compliance with general data processing principles, with 520 recorded examples of each as of November 2023. Other common examples are:
- Insufficient technical and organisational measures to ensure information security (364)
- Insufficient fulfilment of data subjects rights (194)
- Insufficient fulfilment of information obligations (185)
- Insufficient cooperation with supervisory authority (91)