How we source GDPR fine and enforcement data
Data on this site has multiple authoritative sources, and we use each one for the slice it is authoritative on. This page describes the sources, the refresh discipline, and what we do not publish.
Sources, by data slice
- Aggregated fine databases. CMS GDPR Enforcement Tracker and GDPRhub published case databases. Both are public, both list source decision references, and both are widely referenced in DPA and academic publications.
- Data Protection Authority published decisions. Direct-source decisions from the UK ICO, Irish DPC, French CNIL, German BfDI and Land DPAs, Italian Garante, Spanish AEPD and others where decisions are published. We use the original-source decision when our case-summary text references a specific fine; aggregator entries are the index, not the source of truth.
- EDPB and statutory text. European Data Protection Board guidelines and statistics, Regulation (EU) 2016/679 statutory text, UK GDPR statutory text, Data (Use and Access) Act 2025 implementation guidance.
What we deliberately do not publish
- Specific data-subject identity in case summaries. Where a published decision names a data subject, the case summary on this site uses the published decision text but does not promote the personal information beyond the source publication.
- Likely-fine numbers as legal advice. The likely-fine model on this site is a budgeting tool. It is not a legal opinion. For a legal opinion on a specific situation, consult a qualified data protection lawyer.
- Predictions of future enforcement priorities. Enforcement priorities are set by DPAs in their published annual plans. We summarise published priorities; we do not predict beyond them.
Update cadence
Site values update only when the underlying reality changes. Triggers:
- Each new published fine added to the CMS Enforcement Tracker or GDPRhub (continuous)
- Major DPA decision that changes likely-fine modelling for a specific infringement type
- Regulatory framework change (Data (Use and Access) Act 2025 implementation, EDPB guideline updates)
- EU member state adopts a national-implementation rule that materially shifts national fine bands
Cosmetic date bumps are not made.
Editorial position
This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell GDPR consultancy, does not run a DPO-as-a-service practice, does not represent any data subject in a GDPR claim, and does not accept paid placements from any vendor in the privacy or compliance space. See /about for the operator and the wider network.
Editorial direction is set by Oliver Wakefield-Smith. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication.
Contact
For methodology questions, corrections, or scenarios that don't fit cleanly: [email protected].