Complete guide to GDPR fine appeals under Article 78. Understand the process, typical timelines, grounds for appeal, and learn from real outcomes.
Article 78 GDPR guarantees every natural or legal person the right to an effective judicial remedy against a legally binding decision of a supervisory authority. This means any organisation that receives a GDPR fine has the right to challenge it in court. The appeal must be brought before the courts of the EU member state where the supervisory authority is established.
In practice, the appeal process varies significantly across jurisdictions. In the UK, appeals against ICO monetary penalty notices are heard by the First-tier Tribunal (General Regulatory Chamber). In Ireland, decisions of the DPC can be challenged in the Circuit Court or High Court. In Germany, appeals go to the relevant administrative court. In France, CNIL decisions can be appealed to the Conseil d'Etat (Council of State). The procedural requirements, filing deadlines, and hearing processes differ across jurisdictions.
Importantly, the right to appeal extends not only to the fine amount but also to corrective measures ordered alongside the fine. In some cases, the corrective measures (such as orders to cease processing or suspend data transfers) may have greater operational impact than the fine itself, making them a more important focus for appeal.
The supervisory authority issues a formal decision with the fine amount, legal basis, factual findings, and any corrective measures. This triggers the appeal clock.
Legal counsel reviews the decision to identify appealable issues: incorrect tier classification, disproportionate amount, procedural errors, factual mistakes, or mitigating factors not adequately considered. This assessment determines whether an appeal is worthwhile.
Formal appeal filed with the relevant national court or tribunal. Most jurisdictions require filing within 28-42 days of the decision. Missing this deadline forfeits the right to appeal. Some jurisdictions allow interlocutory applications to suspend the fine pending appeal.
Both sides exchange detailed written submissions. The appellant sets out grounds of appeal with supporting evidence. The supervisory authority responds defending its decision. Reply submissions may follow. Expert evidence may be relevant for proportionality and industry practice arguments.
The court may hold case management conferences to narrow issues and set a hearing date. The hearing typically involves legal argument from both sides, with the supervisory authority defending its decision-making process and the appellant challenging specific findings or the proportionality of the fine.
The court issues its decision, which may uphold the fine, reduce it, overturn it entirely, or remit the case back to the supervisory authority for reconsideration. Either party may appeal further to higher courts, though this adds years to the process.
Based on analysis of published GDPR appeal outcomes, the following grounds have proven most effective in achieving fine reductions or overturns. The strongest appeals typically combine multiple grounds rather than relying on a single argument.
The most successful ground. Arguments that the fine is disproportionate to the violation, the organisation's financial capacity, or comparable cases. The principle of proportionality requires fines to be effective but not excessive. British Airways and Marriott both achieved reductions primarily on proportionality grounds.
Challenging whether the correct fine tier (upper vs lower) was applied. If a supervisory authority classifies a violation under Article 83(5) when it should be Article 83(4), the maximum fine doubles. This has significant impact on proportionality calculations.
Challenges to the investigation process: failure to provide adequate opportunity to respond, delays that prejudiced the defence, inadequate consideration of submissions, or failure to follow the authority's own procedures. Procedural grounds are particularly strong in cross-border cases involving the EDPB.
Arguing that the authority failed to give adequate weight to mitigating factors such as cooperation, remedial action, clean record, or self-reporting. British Airways succeeded partly on this ground, as the ICO gave greater weight to cooperation and COVID-19 impacts in its revised decision.
Challenging the authority's factual findings: the number of affected individuals, the duration of the violation, or the characterisation of the processing activity. Factual challenges require strong evidence and are most effective when the authority has made clear errors.
Arguing that the fine would be ruinous or disproportionate given the organisation's current financial position. COVID-19 was a significant factor in the BA and Marriott reductions. This ground is strongest for organisations facing genuine financial distress.
UK (ICO) · 2018-2020
Original
€204M
Final
€22.0M
Change
-89%
Grounds
COVID-19 economic impact, cooperation with investigation, significant remedial security investment post-breach, no previous violations
Outcome
Fine reduced from GBP183M to GBP20M by the ICO before formal appeal. BA's full cooperation and swift remedial action were key factors.
UK (ICO) ·
Original
€110.4M
Final
€20.4M
Change
-81%
Grounds
COVID-19 economic impact on hospitality, breach inherited from Starwood acquisition, cooperation, steps taken to mitigate harm to data subjects
Outcome
Fine reduced from GBP99M to GBP18.4M. The ICO acknowledged that the breach pre-dated Marriott's acquisition of Starwood and Marriott acted promptly once discovered.
Ireland (DPC) + EDPB ·
Original
€28M
Final
€225M
Change
+704%
Grounds
EDPB dispute resolution increased the fine (opposite direction). The DPC's initial proposed fine was overruled by the EDPB, which directed a significant increase and broader findings.
Outcome
This case demonstrates that fines can increase through the EDPB dispute resolution mechanism. WhatsApp's appeal against the final EUR225M fine is ongoing.
Luxembourg (CNPD) ·
Original
€746M
Final
€746M
Change
0%
Grounds
Amazon appealed the fine in Luxembourg courts, challenging both the fine amount and the CNPD's jurisdiction. The case has progressed through multiple court hearings.
Outcome
Appeal ongoing as of 2026. Amazon has challenged both the substantive findings and the fine calculation methodology. No reduction has been achieved to date.
Italy (Garante) ·
Original
€20M
Final
€20M
Change
0%
Grounds
Clearview AI challenged the Italian Garante's jurisdiction, arguing it had no establishment in the EU and did not target EU individuals. The company also challenged the fine amount.
Outcome
Appeal dismissed. The Italian court upheld the Garante's finding that Clearview AI was processing EU residents' data through web scraping, establishing jurisdiction.
Spain (AEPD) ·
Original
€8.2M
Final
€4M
Change
-51%
Grounds
Vodafone argued that the fine was disproportionate given the number of complaints relative to its customer base, and that it had taken significant steps to improve consent management.
Outcome
Partial reduction achieved through administrative proceedings. The AEPD acknowledged improvements but maintained that systematic consent failures warranted substantial penalties.
Germany (Berlin DPA) ·
Original
€14.5M
Final
€14.5M
Change
0%
Grounds
Deutsche Wohnen challenged whether GDPR fines could be imposed on corporations (as opposed to natural persons) under German law. The case went to the CJEU for a preliminary ruling.
Outcome
The CJEU ruled in December 2023 that companies can be directly fined under GDPR without needing to identify a specific individual responsible. The fine was upheld.
Italy (Garante) ·
Original
€16.7M
Final
€16.7M
Change
0%
Grounds
Wind Tre appealed the Italian Garante's fine for aggressive telemarketing, challenging both the factual findings and the proportionality of the fine amount.
Outcome
Appeal largely dismissed. The Italian court found that the systematic nature of the telemarketing practices and the high volume of complaints justified the fine amount.
Based on publicly reported GDPR appeal outcomes, the realistic expectations for organisations considering an appeal are as follows:
30-60%
Typical Reduction
For successful appeals with strong mitigating factors
~40%
Appeals Achieving Reduction
Approximately 4 in 10 appealed fines are reduced
<5%
Full Overturn Rate
Complete overturns remain extremely rare
Appealing a GDPR fine is not always the right decision. Consider these factors before pursuing an appeal:
GDPR fine appeals typically take between 12 and 36 months to resolve, though complex cases can take significantly longer. The timeline depends heavily on the jurisdiction: UK ICO appeals are handled by the First-tier Tribunal and often resolve within 12-18 months. Appeals in Ireland go through the Circuit Court or High Court and typically take 18-24 months. Luxembourg court proceedings for Amazon's appeal have been ongoing since 2021. In Germany, the Deutsche Wohnen case was referred to the CJEU, adding years to the timeline. Many organisations choose to engage in settlement discussions with the supervisory authority before or during formal appeal proceedings, which can sometimes resolve cases more quickly. The appeal process itself includes filing grounds of appeal, written submissions, potential oral hearings, and the court's deliberation period.
Not directly, but CJEU involvement is possible through the preliminary reference procedure. When a national court hearing a GDPR fine appeal encounters a question about the interpretation of EU law, it can (and in some cases must) refer the question to the CJEU for a preliminary ruling. This is what happened in the Deutsche Wohnen case, where the Berlin Regional Court referred questions about corporate liability under GDPR to the CJEU. The CJEU's December 2023 ruling that companies can be directly fined established an important precedent. While this process adds significant time to appeals (typically 12-18 months for the CJEU ruling alone), it can produce authoritative interpretations that benefit the broader compliance community. Direct appeals to the CJEU are limited to challenges against EU institution decisions, not national DPA fines.
Yes, several GDPR fines have been fully overturned on appeal, though this remains relatively rare. Most successful appeals result in fine reductions rather than complete overturn. Full overturn typically occurs when courts find procedural errors in the DPA's investigation, fundamental factual errors, or jurisdictional issues. For example, several smaller fines issued by national DPAs have been overturned on procedural grounds. However, for high-profile cases, full overturn is extremely uncommon. The most significant partial success was British Airways' 89% reduction from EUR204 million to EUR22 million, though this was achieved through the ICO's own review process rather than a court appeal. Organisations considering appeals should realistically expect partial reductions of 30-60% in successful cases, rather than full overturn.
No, British Airways did not pay the original EUR204 million (GBP183 million) fine initially proposed by the ICO in July 2019. The fine was reduced to EUR22 million (GBP20 million) by the ICO itself in October 2020, before any formal court appeal was necessary. The 89% reduction was attributed to several factors: the severe economic impact of COVID-19 on the aviation industry (BA's parent company IAG reported massive losses), BA's full cooperation with the ICO investigation, the significant investment BA made in security improvements following the breach, the absence of any prior data protection enforcement history, and the steps taken to notify and support affected customers. This case is frequently cited as evidence that cooperation and remedial action can dramatically reduce fines, though the COVID-19 factor was unique to the timing of this case.