GDPR sanctions: how fines are calculated and what other consequences violations bring
- 18.03.2026
- Business, Data Privacy
Did you know that the total volume of GDPR fines by 2026 has already exceeded 6.8 billion euros, and the largest single fine amounted to an incredible 1.2 billion? But where do these frightening figures come from?
Let’s examine the “mathematics of punishment”: from the five-stage calculation methodology to the circumstances that make fines more expensive. This article explains how regulators determine the price of business mistakes and what steps will help a company avoid appearing on the list of the loudest and most expensive breaches of the decade.
An organization has violated compliance rules: what happens next?
Let’s imagine a situation: a company has violated GDPR requirements. This does not mean an automatic fine at the maximum amount. The process of bringing someone to accountability is a complex administrative procedure in which the supervisory authority (Data Protection Authority, DPA) must follow strict rules to ensure the decision is fair.
The supervisory authority doesn’t simply “issue a fine”. First, a process of investigation and selection of response measures is initiated.
Step 1: Investigation
The supervisory authority has broad investigative powers (Art. 58(1) GDPR). It can demand any information from the company, conduct an audit of the personal data protection system, and gain access to premises and equipment.
Step 2: Selection of response measure
A fine is not the only tool. According to Art. 58(2) GDPR, the regulator has a range of corrective powers:
Warning
Issued if the infringement is only likely.
A situation where an infringement is “only likely” (likely infringement) means that the company has not yet violated the law, but is planning actions that will inevitably lead to an infringement if carried out.
In this case, the infringement has not yet occurred, and the supervisory authority’s goal is to prevent it.
According to Article 58(2)(a) GDPR, this relates to intended (planned) processing operations. The regulator intervenes at the stage when the company only intends to launch a specific data processing workflow.
In such a situation, the supervisory authority uses a special tool — Warning. This is a signal to the company: “If you do what you’ve planned, you will violate the law”.
Example of a Likely Infringement
A company has developed a new marketing strategy. It plans to purchase a transaction database from a third-party retailer to analyze people’s purchases and predict behavior. The company has already prepared the technical infrastructure and internal orders, but has not yet loaded the data or begun its analysis.
If the supervisory authority learns of this (for example, the company itself sought consultation under Art. 36 GDPR or the plans became known from internal documentation during an inspection), it sees that the intention exists, but the fact of unlawful processing does not yet exist.
Instead of a fine, the authority issues a Warning that these intended actions will violate data processing principles. If the company ignores the warning and launches the process, then stricter sanctions will follow, such as a fine or processing ban.
Reprimand
May be issued instead of a fine if the infringement is minor (minor infringement) or if a fine would be a disproportionate burden for an individual.
A minor infringement is one that does not pose a substantial threat to the rights and freedoms of individuals and does not affect the very essence of data protection obligations.
The regulation text itself does not contain an exhaustive list of “minor” infringements. Assessment is conducted individually in each specific case. According to guidance from the European Data Protection Board (EDPB), an infringement may be recognized as minor if the following conditions are met:
🔹 The infringement does not create a significant threat to the rights and freedoms of individuals.
🔹 The error is more accidental or technical in nature, not undermining fundamental data protection principles.
Important nuance: even if an infringement is recognized as minor, replacing a fine with a reprimand is a right, not an obligation, of the supervisory authority. The regulator can still issue a fine if it deems this necessary to ensure compliance with the law.
Example of a Minor Infringement
A company accidentally sends a newsletter about laundry detergent to an incorrect email address. The letter contains the customer’s name. Why is this a minor infringement? Although a disclosure of personal data (name and fact of purchase) occurred, the risk to the person is minimal. A third party knowing that someone bought laundry detergent will most likely not cause that person moral or material harm and will not violate their fundamental rights.
Order to Bring into Compliance
The regulator provides a clear list of actions and a deadline for correcting errors.
According to Article 58(2)(d) GDPR, the regulator has the right to order a company to change its workflows so they stop violating the law. This is not just a friendly recommendation, but a legally binding document that specifies:
- Specific steps the company must take.
- A strict deadline (usually from several weeks to several months).
- An obligation to report on compliance.
Many companies mistakenly believe that paying a fine closes the matter. In reality, failure to comply with the regulator’s order is the shortest path to maximum sanctions.
What can failure to comply with such an order lead to?
- Increase in fine level. Violation of a supervisory authority’s order automatically falls into the “second tier” (Tier 2) — the most expensive. This means that even if the original infringement was technical and minor, ignoring the regulator’s requirements can raise the fine ceiling to 20 million euros or 4% of turnover.
- Publicity. Regulators often publish information about issued orders. This sends a signal to investors and clients that the company’s infrastructure is unsafe, causing enormous reputational damage.
- Proof of guilt for courts. If the company did not fulfill the order and a repeat breach occurred, this will be considered an intentional infringement, which is a serious aggravating factor when calculating a new fine.
Processing Ban
This is the “ultimate punishment” in the regulator’s arsenal, not directly related to money.
According to Article 58(2)(f) GDPR, supervisory authorities have the right to impose temporary or definitive limitations, including a complete ban on processing. The regulator can prohibit:
🔹 Collection of certain categories of data (e.g., biometrics).
🔹 Use of specific algorithms or AI models trained on unlawfully obtained data.
🔹 Transfer of data to partners or to other countries (e.g., the USA).
The ban can be:
🔹 Temporary: A pause is given so the company can implement technical measures (e.g., encryption or MFA).
🔹 Definitive: If the regulator believes the infringement cannot be corrected within the current business model.
The regulator resorts to this measure in exceptional cases when a monetary fine is insufficient or when continued processing causes irreparable harm to citizens. For example, if a company systematically ignores GDPR requirements or if its business model itself is built on rights violations (e.g., mass collection of data from social networks without consent).
In May 2022, the British regulator (ICO) applied this tool against the American company Clearview AI Inc.
The company collected a database of more than 20 billion faces of internet users (including UK residents) for a facial recognition system without lawful grounds.
In addition to a fine of 7.5 million pounds, the company received an Enforcement Notice.
The regulator officially ordered the company to stop collecting and using data of UK residents available in the public domain, and to delete already accumulated information from its systems. For a service whose value lies precisely in the volume of its database, this was a devastating blow.
Violation of an order prohibiting processing is a direct violation of Article 58(2) and, just like in the previous case, is punished at the highest rate (Tier 2): up to 20 million euros or 4% of global turnover.
Step 3: Procedural safeguards
Any decision must be made in compliance with due legal process. The company has the right to be heard and the right to effective judicial protection (appeal of the decision in court).
What does the data protection authority consider during fine calculation?
When an organization violates GDPR, determining the fine amount is not an automatic process. Supervisory authorities (DPAs) follow a clear list of criteria set out in Article 83(2) GDPR to ensure punishment is “effective, proportionate, and dissuasive”.
The main factors the regulator weighs when issuing a verdict:
Nature, gravity, and duration of the infringement
The regulator assesses the scale of the “disaster”: exactly how the infringement occurred, why it became possible, how many people were affected, and what damage they suffered.
Intent or negligence
Was this a conscious choice by management for profit, or an unfortunate employee error? Intentional violations are punished much more severely than those that occurred through negligence.
Measures to mitigate harm to data subjects
How quickly did the company start making positive changes? If the organization took active steps to reduce harm to users, the fine may be reduced.

Degree of responsibility and technical measures
The regulator checks whether the company did everything possible to prevent the incident. This includes assessing the presence of implemented security protocols, use of encryption, and compliance with privacy by design principles.
History of violations
Was this case the first, or is the organization a “repeat offender”? Any similar past violations will serve as an aggravating factor. However, if the company previously had an impeccable reputation, this may become a mitigating circumstance.
Level of cooperation with the regulator
Did the company try to hide the incident, or conversely, actively assist the investigation? Sincere cooperation can help reduce the penalty amount, while attempts to obstruct the investigation will only increase it.
Categories of affected data
A leak of a simple list of names is bad, but a leak of biometric data, health data, or financial information is critical. The more sensitive the data, the higher the risk of violating citizens’ rights and the stricter the punishment will be.
How the regulator learned about the problem
Did the company report the breach itself, or was it written about in the media after customer complaints? GDPR requires reporting serious breaches within 72 hours (Article 33 GDPR). Concealing a violation is a direct path to the largest fines.
Financial benefit
Did the company profit from the violation? For example, if it illegally sold a database for advertising or saved money on security systems. The regulator will try to ensure that the fine not only punishes but also “seizes” any benefit obtained.
What types of GDPR penalties exist?
GDPR divides violations into two categories with different fine “ceilings”. It’s important to note that for companies (enterprises), the concept of “turnover” is used — meaning total annual worldwide turnover for the previous financial year.
🔹 Tier 1 — less serious violations:
🔹 For example: violation of controller/processor obligations, violation of child consent conditions, absence of Data Protection Officer (DPO), violation of certification rules.
For such violations, the ceiling is €10,000,000 or 2% of worldwide annual turnover (whichever is greater).
🔹 Tier 2 — serious violations:
🔹 For example: violation of basic processing principles (Article 5), consent conditions, data subject rights (Articles 12–22), rules for cross-border data transfers, failure to comply with supervisory authority orders.
The ceiling is €20,000,000 or 4% of worldwide annual turnover (whichever is greater).
When calculating fines for groups of companies, the turnover of the entire group (as an economic unit) may be considered, not just the specific subsidiary entity that committed the violation. This is derived from EU competition law (Articles 101 and 102 TFEU).
How does this work for the public sector?
For government bodies, the rules may differ. For example, in Ireland, fines for government bodies are capped at €1 million, unless they engage in commercial activities.
How GDPR fines are calculated: a step by step procedure
The European Data Protection Board (EDPB) developed a step-by-step calculation methodology and set it out in its Guidelines 04/2022. This document harmonized regulators’ approach to calculating amounts so they wouldn’t be arbitrary.
1. Determination of processing
First, they determine whether it’s a single violation or several related operations (Article 83(3) GDPR). If there are multiple violations within one operation, the fine does not exceed the amount for the most serious one.
2. Determination of starting amount
Three inputs are considered: the classification of the violation (see the fine tiers above), its severity, and the company’s turnover.
The regulator determines the violation category (Tier 1 or Tier 2) and assesses its severity level: low, medium, or high.
- Low severity: Starting amount is 0–10% of the maximum possible fine.
- Medium severity: 10–20% of the maximum.
- High severity: 20–100% of the maximum.
3. Adjustment
The amount is increased or decreased taking into account the size of the organization and aggravating and mitigating circumstances (Article 83(2) GDPR).
The fine should be “painful” but not kill the business. To ensure punishment is fair for everyone — from startups to giants — reduction coefficients are applied based on turnover.
🔹 For micro-enterprises (turnover up to €2 million), the starting amount may be reduced to 0.2%–0.4% of the base rate.
🔹 For giants (turnover over €500 million), such discounts are not applied, as their scale is already accounted for in the 4% turnover limit.
The regulator also looks at what makes the violation worse. Each such circumstance increases the final bill. These circumstances may include:
- Intent: If management knew about the risks but ignored them for profit (for example, selling a database without consent).
- Duration: The longer the company concealed or failed to notice the problem, the higher the fine.
- Data sensitivity: If not just names were leaked, but biometrics, health data, or financial information, the severity increases sharply.
- Absence of EU Representative: The representative serves as a local contact point for citizens and regulators. When absent, EU citizens are deprived of the ability to easily protect their rights (for example, to request data deletion), and it’s harder for regulators to conduct investigations. Therefore, if a company “forgot” about the EU Representative, the supervisory authority may view this as negligence or even intent, which automatically moves the fine from the lower range to a higher one.
At the same time, a company can receive some “discount” if it shows itself to be a responsible player, for example, by cooperating with the supervisory authority and promptly addressing consequences.
Several examples of how different circumstances can reduce or increase the fine amount:
Example 1 — Marriott
The company experienced a data breach affecting 339 million guests due to a vulnerability in the systems of the acquired Starwood network. Initially, the British regulator (ICO) planned to impose a fine of £99 million. However, the following factors led to a reduction:
- Security investments: Marriott proved it had invested huge sums in IT even before learning about the attack.
- Active “firefighting”: The company created a special website in different languages, opened a call center, and provided affected individuals with data monitoring services.
- Cooperation: Full and unconditional assistance to the investigation.
As a result, the fine was reduced by 20% to £22.4 million, and then again because of the impact of the pandemic. The final figure was £18.4 million, more than five times lower than the initial amount.
Example 2 — Maynooth University
Hackers compromised employee accounts, leading to financial fraud.
The initial fine for lack of multi-factor authentication (MFA) and poor spam settings (Articles 5(1)(f) and 32(1)) was €25,000. However, because the university delayed notifying the regulator about the breach for more than 72 hours (Article 33(1)), an additional €15,000 was added.
Total result — a fine of €40,000.
Example 3 — Locatefamily.com
Here, the regulator applied harsh tactics due to the absence of a mandatory EU Representative.
The platform did not appoint a representative in the EU (Article 27), preventing Europeans from requesting deletion of their data. For this, the company received a fine of €525,000.
Additionally, the regulator added a condition: if a representative is not appointed on time, the company will pay an additional €20,000 every two weeks of delay (up to a limit of €120,000).
4. Limit verification
The final amount cannot exceed the statutory maximum. If the same action led to violation of several GDPR articles, the fine does not accumulate infinitely. According to Article 83(3), the total amount cannot exceed the limit for the most serious violation committed.
5. Effectiveness Test
The regulator verifies whether the fine achieves the goals of punishment and deterrence without being excessive. If the fine appears too small for a huge corporation, it may be increased using a “deterrence coefficient” to ensure the company is not tempted to simply “build the fine into the cost of doing business”.
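As an added worked illustration of the five steps above (not a tool from the article’s authors and not the EDPB’s own calculator), the following Python models the tier ceilings, the severity bands, the micro-enterprise and giant turnover coefficients, and the Article 83(3) cap using only the figures stated in this article; the turnover bands between €2 million and €500 million are not given on the page and are deliberately left unmodelled, and the way the 0.2%–0.4% reduction is spread over the range is an assumption.

```python
# Added illustration (not the page's or the EDPB's own tool) of the five-step
# structure described above, using only the figures stated in the article.
# Assumptions are marked; the EUR 2M-500M turnover bands are not on the page
# and are deliberately left unmodelled.

# Fine ceilings per tier: fixed amount in EUR, or share of worldwide annual
# turnover, whichever is greater.
TIER_CEILINGS = {1: (10_000_000.0, 0.02), 2: (20_000_000.0, 0.04)}

# Step 2 starting-amount bands, as a share of the statutory maximum.
SEVERITY_BANDS = {"low": (0.00, 0.10), "medium": (0.10, 0.20), "high": (0.20, 1.00)}


def statutory_maximum(tier: int, turnover: float) -> float:
    """Ceiling for one infringement: max(fixed cap, percentage of turnover)."""
    fixed, share = TIER_CEILINGS[tier]
    return max(fixed, share * turnover)


def starting_range(tier: int, severity: str, turnover: float) -> tuple[float, float]:
    """Step 2: severity band applied to the tier's statutory maximum."""
    cap = statutory_maximum(tier, turnover)
    low, high = SEVERITY_BANDS[severity]
    return round(low * cap, 2), round(high * cap, 2)


def size_adjusted_range(rng: tuple[float, float], turnover: float) -> tuple[float, float]:
    """Step 3 turnover coefficient for the two bands the article gives.

    Assumption: the 0.2%-0.4% micro-enterprise reduction is applied to the
    low and high ends of the starting range respectively.
    """
    low, high = rng
    if turnover <= 2_000_000:
        return round(0.002 * low, 2), round(0.004 * high, 2)
    if turnover > 500_000_000:
        return low, high  # giants: scale already reflected in the 4% limit
    raise ValueError("turnover band EUR 2M-500M is not described on this page")


def capped_total(components: list[tuple[int, float]], turnover: float) -> float:
    """Step 4, Art. 83(3): related infringements from the same processing are
    summed, but the total cannot exceed the ceiling of the gravest one."""
    gravest_cap = max(statutory_maximum(tier, turnover) for tier, _ in components)
    return min(sum(amount for _, amount in components), gravest_cap)


if __name__ == "__main__":
    # Constructed figures, not real cases.
    micro = starting_range(2, "high", 1_500_000.0)      # (4,000,000, 20,000,000)
    print("micro-enterprise, Tier 2 high:", size_adjusted_range(micro, 1_500_000.0))
    giant = starting_range(2, "low", 1_000_000_000.0)   # 4% of 1bn gives a 40M cap
    print("giant, Tier 2 low:", size_adjusted_range(giant, 1_000_000_000.0))
    # Two related infringements (Tier 1 + Tier 2): the sum stays under the
    # Tier 2 ceiling, so nothing is cut off by the Art. 83(3) cap.
    print("capped total:", capped_total([(1, 25_000.0), (2, 15_000.0)], 5_000_000.0))
```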
Conclusion
GDPR fines are not a lottery or random figures, but the result of a finely-tuned mechanism. Regulators use a five-stage methodology to ensure penalties are “effective, proportionate, and dissuasive” and take into account as many factors as possible, so even the smallest effort on behalf of the customer, or a momentary blind eye turned to problems within the company, can change the outcome.
At the same time, financial sanctions are just the tip of the iceberg; corrective orders or a complete processing ban can paralyze a business faster than any multi-million check.
Remember: in the world of personal data protection, being proactive is always cheaper than reacting to a crisis.