Compare GDPR enforcement across European jurisdictions. See which supervisory authorities issue the largest and most frequent fines.
Highest Total by Amount
Ireland
Over EUR2.8B+ due to Big Tech EU headquarters in Dublin. Meta's EUR1.2B fine alone accounts for a significant share.
Most Active by Volume
Spain (AEPD)
932+ individual fines, primarily targeting SMEs for consent violations and unsolicited marketing.
Skewed by Single Fine
Luxembourg
Amazon's EUR746M fine makes Luxembourg's average disproportionately high compared to its fine volume.
Increasingly Aggressive
France (CNIL)
CNIL has become Europe's cookie consent enforcer, targeting major tech platforms with substantial fines.
| Country | DPA | Fines | Total Amount | Average | Largest Fine |
|---|---|---|---|---|---|
| Ireland | Data Protection Commission (DPC) | 9 | €3.0B | €336.5M | €1.2B Meta Platforms (Facebook) |
| Luxembourg | Commission Nationale pour la Protection des Donnees (CNPD) | 1 | €746M | €746M | €746M Amazon Europe Core |
| France | Commission Nationale de l'Informatique et des Libertes (CNIL) | 9 | €475.4M | €52.8M | €150M Google LLC |
| Netherlands | Autoriteit Persoonsgegevens (AP) | 3 | €300.5M | €100.2M | €290M Uber Technologies |
| Italy | Garante per la Protezione dei Dati Personali | 7 | €103.2M | €14.7M | €27.8M TIM (Telecom Italia) |
| Germany | Federal & State Data Protection Authorities | 5 | €61.3M | €12.3M | €35.3M H&M (Hennes & Mauritz) |
| United Kingdom | Information Commissioner's Office (ICO) | 4 | €42.9M | €10.7M | €22.0M British Airways |
| Spain | Agencia Espanola de Proteccion de Datos (AEPD) | 8 | €34.5M | €4.3M | €8.2M Vodafone Espana |
| Greece | Hellenic Data Protection Authority (HDPA) | 2 | €26M | €13M | €20M Clearview AI |
| Norway | Datatilsynet | 1 | €6.5M | €6.5M | €6.5M Grindr LLC |
| Sweden | Integritetsskyddsmyndigheten (IMY) | 1 | €5M | €5M | €5M Spotify AB |
| Poland | Urzad Ochrony Danych Osobowych (UODO) | 1 | €4.9M | €4.9M | €4.9M Fortum Marketing and Sales |
| Bulgaria | Commission for Personal Data Protection (CPDP) | 1 | €2.6M | €2.6M | €2.6M National Revenue Agency (Bulgaria) |
| Hungary | Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (NAIH) | 1 | €350K | €350K | €350K Affidea Healthcare Hungary |
| Romania | Autoritatea Nationala de Supraveghere (ANSPDCP) | 2 | €200K | €100K | €100K Banca Transilvania |
| Finland | Office of the Data Protection Ombudsman | 1 | €150K | €150K | €150K Finnish Customs (Tulli) |
| Austria | Datenschutzbehorde (DSB) | 1 | €80K | €80K | €80K REWE International |
| Croatia | Agencija za zastitu osobnih podataka (AZOP) | 1 | €50K | €50K | €50K Slovenske zeleznice |
Ireland's Data Protection Commission has become the most impactful GDPR enforcer globally, not because of the volume of fines it issues, but because of the sheer scale of the organisations under its jurisdiction. As the lead supervisory authority for US technology giants with EU headquarters in Dublin, the DPC is responsible for enforcing GDPR against Meta (Facebook, Instagram, WhatsApp), Google, Apple, Microsoft, TikTok, LinkedIn, Twitter/X, and many others.
The DPC's enforcement approach has been criticised by other European DPAs as too slow and too lenient, leading the European Data Protection Board to intervene through its dispute resolution mechanism in several high-profile cases. The EDPB directed the DPC to significantly increase proposed fine amounts in the WhatsApp case (2021) and mandated broader findings in the Meta consent cases (2023). Despite these tensions, the DPC has issued cumulative fines exceeding EUR2.8 billion, more than any other European authority by total amount.
The concentration of Big Tech enforcement in Ireland raises questions about regulatory efficiency and the one-stop-shop mechanism. France's CNIL has pursued an alternative approach by using the ePrivacy Directive (rather than GDPR) to fine tech companies for cookie violations, bypassing the cross-border cooperation mechanism entirely. This has allowed France to act more quickly against companies like Google, Facebook, and Microsoft on cookie consent issues.
Ireland has the highest total GDPR fines by monetary amount, with cumulative penalties exceeding EUR2.8 billion. This is primarily because Ireland's Data Protection Commission serves as the lead supervisory authority for major US technology companies — including Meta, Google, Apple, Microsoft, TikTok, and LinkedIn — that have established their European headquarters in Ireland. The DPC's EUR1.2 billion fine against Meta in 2023 for cross-border data transfers is the largest single GDPR fine ever issued. While Ireland issues fewer total fines than countries like Spain, the fines it does issue tend to be orders of magnitude larger due to the scale of the companies under its supervision.
Yes, although the UK left the EU on 31 January 2020, it incorporated GDPR into domestic law as the UK GDPR, enforced by the Information Commissioner's Office (ICO). The UK GDPR is substantively identical to the EU GDPR, with the same fine thresholds, rights, and obligations. The ICO remains an active enforcer, having issued significant fines including the GBP20 million fine against British Airways and GBP18.4 million against Marriott International. The EU has granted the UK an adequacy decision, meaning data can flow freely between the EU and UK without additional safeguards. The UK government has proposed some divergence through its Data Protection and Digital Information Act, but the core GDPR framework remains in force.
Spain's Agencia Espanola de Proteccion de Datos (AEPD) is by far the most active supervisory authority by volume, having issued over 900 individual GDPR fines since 2018. The AEPD's enforcement approach focuses on high-volume processing of complaints, with many fines targeting small and medium-sized businesses for everyday violations such as unsolicited marketing communications, CCTV without proper notices, and failures to respond to data subject access requests. Many AEPD fines are relatively small (EUR1,000 to EUR50,000), but the sheer volume creates a comprehensive enforcement culture. Italy's Garante is the second most active authority by volume, followed by Romania's ANSPDCP.