A complete, plain-English guide to the GDPR fine calculation methodology, with the 10 criteria supervisory authorities use, real examples, and a step-by-step walkthrough.
Step 1: Identify the violation
Step 2: Determine the fine tier
Step 3: Calculate the turnover cap
Step 4: Apply the 10 criteria
Step 5: Set the fine amount
Step 6: Consider mitigations
GDPR establishes two tiers of administrative fines with different maximum amounts. The applicable tier depends on which GDPR article was violated. Within each tier, the cap is whichever is higher: the fixed euro amount or the percentage of worldwide annual turnover. This keeps the maximum proportionate to the size of the undertaking while preserving its deterrent effect. Understanding which tier applies to your situation is the first step in estimating potential fine exposure.
Upper tier: 4% of turnover or €20M
The upper tier applies to the most fundamental violations of GDPR — those that directly impact individuals' rights and freedoms. These are the provisions that form the core of the regulation's rights-based framework.
Lower tier: 2% of turnover or €10M
The lower tier covers administrative and procedural obligations — important compliance requirements but not directly related to the fundamental processing principles or individual rights.
Once the applicable fine tier is determined, supervisory authorities apply ten criteria specified in Article 83(2)(a)-(k) to calculate the specific fine amount. Each criterion can serve as either a mitigating or aggravating factor, and real enforcement decisions show how these criteria interact in practice.
Supervisory authorities assess the severity of the violation by examining what type of data was affected, how many data subjects were impacted, the level of damage suffered, and how long the infringement lasted. A brief, accidental disclosure of non-sensitive data to a small group will attract a significantly lower fine than a years-long systematic violation affecting millions of individuals' sensitive data.
Real example: Meta's EUR1.2 billion fine (2023) — The DPC considered that Meta had been transferring EU data to the US for years, affecting hundreds of millions of users, involving sensitive profile data, with the violation continuing even after the Schrems II ruling invalidated the Privacy Shield framework.
Whether the violation was deliberate or resulted from negligence significantly affects the fine amount. An intentional breach — where the organisation knowingly processed data without consent or deliberately ignored data subject requests — will result in a higher fine than one caused by an honest oversight or inadequate but well-intentioned systems.
Real example: H&M EUR35.3 million (2020) — The Hamburg DPA found that managers intentionally recorded detailed personal information about employees' health, family situations, and religious beliefs during return-to-work interviews, making this a deliberate rather than negligent violation.
Authorities consider what steps the organisation took after discovering the breach to reduce harm to data subjects. Quick notification, offering credit monitoring, implementing technical fixes, and providing clear guidance to affected individuals all serve as mitigating factors that can reduce the final fine amount.
Real example: British Airways reduction from EUR204M to EUR22M (2020) — The ICO credited BA's significant investment in security improvements following the breach, their cooperation with the investigation, and the economic impact of COVID-19 on the aviation industry when reducing the fine by 89%.
The authority examines what security and privacy measures the organisation had in place at the time of the infringement. Companies that had implemented reasonable data protection by design and by default measures, conducted regular risk assessments, and maintained appropriate technical controls will face lower penalties than those with negligent security postures.
Real example: Marriott EUR20.4M (2020) — While the original proposed fine was EUR110M, the ICO acknowledged that Marriott had acted promptly once the breach was discovered and had reasonable security practices, though they failed to adequately audit Starwood's inherited systems during the 2016 acquisition.
Repeat offenders face significantly higher penalties. Authorities examine whether the organisation has been found in breach of GDPR or predecessor data protection laws before. A clean record serves as a mitigating factor, while previous violations — even in different areas of data protection — can substantially increase the fine.
Real example: Meta has received multiple GDPR fines from the Irish DPC (EUR17M in 2022, EUR265M in 2022, EUR390M in 2023, EUR1.2B in 2023, EUR91M in 2024), with the pattern of repeated violations considered as an aggravating factor in subsequent decisions.
How the organisation responds to the investigation is closely scrutinised. Full cooperation — providing requested information promptly, being transparent about what happened, facilitating access to systems and personnel, and not obstructing the inquiry — is rewarded with lower fines. Obstruction, delays, or incomplete disclosure will increase the penalty.
Real example: British Airways' active cooperation with the ICO's investigation was specifically cited as a mitigating factor in reducing their fine. The airline provided full access to systems, personnel, and documentation without requiring formal enforcement powers.
Fines are higher when the violation involves special categories of data (Article 9 GDPR) such as health data, biometric data, genetic data, political opinions, religious beliefs, sexual orientation, or trade union membership. Financial data, while not technically 'special category,' is also treated as sensitive in enforcement practice.
Real example: Grindr EUR6.5M (2021) — Norway's Datatilsynet emphasised that Grindr shared data revealing users' sexual orientation (the fact they used an LGBTQ+ dating app) with advertising partners, which constitutes special category data under Article 9.
Organisations that self-report violations through mandatory breach notification or voluntary disclosure generally receive lower fines than those whose violations are discovered through complaints, media reports, or supervisory authority investigations. Proactive reporting demonstrates accountability and good faith compliance.
Real example: Meta's EUR91M fine (2024) for storing passwords in plaintext was discovered after Meta voluntarily notified the DPC of the issue in 2019. While the fine was still significant, Meta's self-reporting was considered a mitigating factor.
If the supervisory authority had previously ordered corrective measures — such as requiring changes to processing operations, ordering data deletion, or imposing processing bans — the authority assesses whether the organisation complied with those orders. Non-compliance with previous orders is treated as a serious aggravating factor.
Real example: WhatsApp's EUR225M fine (2021) was followed by orders to bring processing into compliance. The EDPB's intervention to increase the fine amount reflected concerns about the adequacy of WhatsApp's transparency practices despite previous regulatory engagement.
Organisations that have adopted approved codes of conduct under Article 40 or obtained certification under Article 42 demonstrate proactive compliance efforts. While approved codes of conduct are still relatively rare, their adoption serves as a mitigating factor. Conversely, claiming compliance with a code while violating its provisions could serve as an aggravating factor.
Real example: As of 2026, the European Data Protection Board has approved a limited number of codes of conduct, including the EU Cloud Code of Conduct. Companies adhering to approved codes receive favourable consideration in enforcement proceedings, though this factor has been less prominent in major fine decisions to date.
The British Airways case provides the most transparent example of how the fine calculation process works in practice, as the ICO publicly disclosed its reasoning for both the initial and final fine amounts.
Initial proposed fine: €204M (July 2019)
Final fine amount: €22M (October 2020, an 89% reduction)
In September 2018, attackers injected malicious code (Magecart skimming) into the British Airways website and mobile app, intercepting payment card details and personal information of approximately 429,612 customers and staff over a two-week period. The attackers exploited vulnerabilities in BA's payment processing infrastructure that allowed JavaScript injection on the checkout pages.
Key takeaway: British Airways' final fine was 89% lower than initially proposed, demonstrating that mitigating factors — particularly cooperation, remedial action, and economic circumstances — can significantly reduce the penalty. However, even the reduced EUR22 million fine represents a substantial deterrent for inadequate security measures.
Based on analysis of published enforcement decisions, the following factors consistently lead to fine reductions. While no factor guarantees a specific reduction percentage, the observed ranges below reflect real outcomes across multiple cases.
Notifying the supervisory authority within 72 hours and affected individuals without undue delay
Providing full access to systems, personnel, and documentation during investigation
Taking swift corrective measures before the enforcement decision
Having a properly resourced and independent Data Protection Officer
No previous data protection enforcement actions against the organisation
Discovering and reporting the violation proactively rather than it being reported by third parties
Demonstrating genuine efforts to embed data protection into systems and processes
Adhering to approved codes of conduct or maintaining relevant certification
In theory, the 4% turnover or EUR20 million cap applies per infringement. However, a single investigation can identify multiple separate infringements, each carrying its own fine. In practice, supervisory authorities typically consolidate related violations into a single enforcement action, but there is no legal barrier to imposing multiple fines for distinct violations. Additionally, EU member states may impose additional penalties under national implementing legislation, and some countries allow for criminal sanctions for the most serious violations alongside administrative fines.
GDPR fines are calculated based on the total worldwide annual turnover of the entire undertaking in the preceding business year, not just EU revenue. This is a critical distinction that significantly increases the exposure of multinational companies. The concept of 'undertaking' follows EU competition law and can extend to the entire corporate group. For example, when fining WhatsApp, the DPC considered the turnover of Meta Platforms as the parent undertaking. This means a subsidiary's fine can be based on the global revenue of the entire corporate group.
Beyond financial fines, GDPR Article 58(2) grants supervisory authorities a range of corrective powers that can have even greater operational impact. These include: ordering the controller to bring processing into compliance; imposing a temporary or permanent ban on processing; ordering the suspension of data flows to a third country; ordering rectification or erasure of data; and withdrawing certification. Meta was ordered to suspend transatlantic data transfers within five months of the EUR1.2B fine, which would have forced fundamental changes to its service architecture. In many cases, the operational requirements imposed alongside or instead of fines carry greater business impact than the monetary penalty itself.