Comprehensive enforcement statistics visualised: fines by year, country, violation type, and industry sector. Data updated April 2026.
Total Fines: €4.8B
Actions: 2,245+
Average: €83.4M
Median: €8.2M
Largest: €1.2B
Total fine amounts imposed per calendar year since GDPR enforcement began in 2018.
Note: 2023 and 2024 represent peak enforcement years driven by Meta, TikTok, Uber, and LinkedIn fines.
How enforcement actions break down by the type of GDPR violation. Cross-border transfers generate the highest individual fines, while consent violations are most common.
Ireland leads by total amount due to Big Tech headquarters, while Spain leads by volume.
Technology companies dominate GDPR fines by total amount, accounting for over 70% of all fines by value.
€3.8B. Largest: Meta Platforms (Facebook) (€1.2B)
€791.7M. Largest: Amazon Europe Core (€746M)
€59.3M. Largest: TIM (Telecom Italia) (€27.8M)
€43.6M. Largest: Enel Energia (€26.5M)
€40M. Largest: Criteo (€40M)
€22.6M. Largest: British Airways (€22.0M)
€20.9M. Largest: Marriott International (€20.4M)
€19.6M. Largest: ID Finance Spain (€6.1M)
€14.9M. Largest: Deutsche Wohnen SE (€14.5M)
€2.9M. Largest: National Revenue Agency (Bulgaria) (€2.6M)
€1.8M. Largest: Type 1 Diabetes Foundation (€1.1M)
€900K. Largest: Interseroh (€900K)
Eight years of GDPR enforcement have revealed clear acceleration in both the frequency and severity of fines. The early years (2018-2019) were characterised by supervisory authorities establishing processes and building capacity, with relatively few fines and modest amounts. Google's EUR50 million CNIL fine in January 2019 was the first major enforcement action and set the tone for what was to come.
The inflection point came in 2020-2021 when supervisory authorities began issuing fines in the hundreds of millions. Amazon's EUR746 million fine from Luxembourg's CNPD in July 2021 shattered records and demonstrated that the upper tier penalties were not merely theoretical. The European Data Protection Board's dispute resolution mechanism proved influential in pushing fine amounts upward, particularly in the WhatsApp case where the EDPB directed the Irish DPC to significantly increase the proposed fine.
By 2023-2024, enforcement had matured into a consistent, high-impact programme. Meta's EUR1.2 billion fine for cross-border data transfers in May 2023 demonstrated that individual fines could reach the billion-euro mark. The subsequent fines against TikTok (EUR530 million), LinkedIn (EUR310 million), and Uber (EUR290 million) confirmed that large-scale enforcement had become the norm rather than the exception.
Several structural trends are shaping enforcement going forward. First, the focus has shifted from data breach penalties toward consent and cross-border transfer violations, reflecting evolving regulatory priorities. Second, enforcement is expanding beyond Big Tech to sectors including energy, healthcare, finance, and the public sector. Third, supervisory authority capacity continues to grow, with the EDPB coordinating increasingly sophisticated cross-border investigations. Fourth, the interplay between GDPR and the new EU AI Act will create additional enforcement vectors for automated processing and AI-related violations.
For compliance professionals, the data is clear: GDPR enforcement is not slowing down. The average fine amount continues to increase year-over-year, and the probability of enforcement action has risen as supervisory authorities expand their investigations beyond high-profile targets to include mid-market companies and public sector organisations. Investment in compliance is not merely a regulatory obligation but a financial imperative, as our compliance cost analysis demonstrates.
As of April 2026, European supervisory authorities have imposed GDPR fines totalling over EUR7.1 billion across more than 2,245 individual enforcement actions since May 2018. However, the total amount actually paid is lower because many large fines are still under appeal. Meta's record EUR1.2 billion fine from 2023 is under appeal, as is Amazon's EUR746 million fine from 2021 and TikTok's EUR530 million fine from 2025. Additionally, several high-profile fines have been significantly reduced on appeal, such as British Airways (reduced from EUR204 million to EUR22 million) and Marriott (reduced from EUR110 million to EUR20.4 million). Industry analysts estimate that approximately 60-70% of imposed fines have been collected to date.
GDPR enforcement has accelerated substantially since 2018. The first full year of enforcement (2019) saw total fines of approximately EUR400 million, dominated by Google's EUR50 million CNIL fine. By 2021, annual fines exceeded EUR1 billion for the first time with Amazon's EUR746 million fine. The years 2023 and 2024 represent the peak of enforcement activity, with combined fines exceeding EUR3 billion. Key trends include: increasing fine amounts for Big Tech companies, expansion of enforcement to new sectors like energy and healthcare, growing use of the EDPB dispute resolution mechanism to push fines upward, and a shift from data breach penalties to consent and cross-border transfer violations as the primary enforcement focus.
The average GDPR fine across all enforcement actions is approximately €83.4M, but this figure is heavily skewed by a small number of very large fines against Big Tech companies. The median fine — a more representative measure of what most organisations can expect — is approximately €8.2M. For small and medium-sized businesses, the average fine is typically between EUR5,000 and EUR50,000, while enterprises with over EUR1 billion in turnover face average fines in the millions. The wide range reflects the proportionality principle built into Article 83, which requires fines to be effective, proportionate, and dissuasive for the specific organisation.
Cross-border data transfer violations have attracted the highest individual fines, including Meta's EUR1.2 billion (2023), TikTok's EUR530 million (2025), and Uber's EUR290 million (2024). However, consent violations are the most common violation type overall and account for a significant share of total fine volume. Inadequate security measures (data breach-related) consistently generate moderate fines across all company sizes and sectors. The distinction matters for risk assessment: cross-border transfer violations produce the largest individual fines but are concentrated among major tech companies, while consent violations affect organisations of all sizes across all sectors.