Understand which GDPR violations attract the highest fines, see real case studies, and learn how to avoid each type of infringement.
Consent violations are the most common type of GDPR enforcement action. They occur when organisations process personal data without obtaining valid, freely given, specific, informed, and unambiguous consent from data subjects. Common scenarios include pre-ticked consent boxes, bundling consent with terms of service, making consent a precondition for service access, and failing to provide a clear mechanism to withdraw consent. The EUR746 million Amazon fine and EUR390 million Meta fine both centred on consent failures for advertising-related data processing. Cookie consent violations, enforced primarily by France's CNIL under the ePrivacy Directive, have become a major enforcement category with fines against Google (EUR150 million), Facebook (EUR60 million), and Microsoft (EUR60 million) for making cookie refusal harder than acceptance.
Relevant GDPR Articles
Article 6 (Lawfulness of processing), Article 7 (Conditions for consent), Article 8 (Child's consent)
How to Avoid This Violation
Data breach notification failures encompass two distinct obligations: notifying the supervisory authority within 72 hours of becoming aware of a breach (Article 33), and notifying affected individuals without undue delay when the breach poses a high risk to their rights and freedoms (Article 34). Fines in this category cover both the failure to notify in time and the failure to prevent the breach through adequate data protection by design measures. Meta's EUR265 million fine for the Facebook data scraping incident and Booking.com's EUR475,000 fine for delayed breach notification illustrate different aspects of these obligations. Many breach notification fines are relatively modest compared to other violation types, but they frequently accompany more serious underlying violations.
Relevant GDPR Articles
Article 33 (Notification to supervisory authority), Article 34 (Communication to data subject), Article 25 (Data protection by design)
How to Avoid This Violation
Cross-border data transfer violations have generated the largest GDPR fines in history. These violations occur when organisations transfer personal data to countries outside the EU/EEA that do not have an adequacy decision, without implementing appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved transfer mechanisms. The Schrems II ruling in July 2020, which invalidated the EU-US Privacy Shield, created a seismic shift in enforcement. Meta's EUR1.2 billion fine (2023) for US data transfers, TikTok's EUR530 million fine (2025) for transfers to China, and Uber's EUR290 million fine (2024) for similar violations demonstrate that supervisory authorities treat inadequate transfer mechanisms as among the most serious GDPR infringements.
Relevant GDPR Articles
Article 44 (General principle for transfers), Article 46 (Transfers subject to appropriate safeguards), Article 49 (Derogations)
How to Avoid This Violation
Fines for inadequate security measures are imposed when organisations fail to implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. This category covers everything from basic failures such as storing passwords in plaintext (Meta's EUR91 million fine) to sophisticated attacks against which organisations had insufficient defences (British Airways' EUR22 million fine for Magecart skimming). The GDPR does not prescribe specific security measures but requires controllers to implement protections appropriate to the risk, taking into account the state of the art, implementation costs, and the nature and severity of the risks. Supervisory authorities assess security based on what was reasonable at the time of the breach, not with hindsight.
Relevant GDPR Articles
Article 5(1)(f) (Integrity and confidentiality), Article 32 (Security of processing)
How to Avoid This Violation
Unlawful processing violations occur when organisations process personal data without any valid legal basis under Article 6 GDPR, or when processing exceeds the scope of the stated legal basis. This category includes employee surveillance (H&M's EUR35.3 million fine for profiling employees), facial recognition technology (Clearview AI fined EUR20 million by multiple DPAs for scraping facial images), and systematic profiling without justification. Unlike consent violations, unlawful processing cases often involve processing that the organisation believed was legitimate but which the supervisory authority determined lacked any valid basis. The distinction matters because organisations cannot simply 'fix' consent if their processing has no lawful basis at all.
Relevant GDPR Articles
Article 5 (Principles), Article 6 (Lawfulness), Article 9 (Special categories)
How to Avoid This Violation
Failure to appoint a Data Protection Officer is a lower-tier violation under Article 83(4), but it signals broader compliance failures that supervisory authorities take seriously. Organisations must appoint a DPO if they are a public authority, if their core activities require regular and systematic monitoring of data subjects on a large scale, or if they process special categories of data on a large scale. Beyond mere appointment, the DPO must have sufficient resources, independence, and access to senior management. Fines in this category are generally lower than other violation types but often accompany findings of broader compliance deficiencies. Interseroh's EUR900,000 fine and Delivery Hero's EUR195,000 fine both involved DPO failings alongside other violations.
Relevant GDPR Articles
Article 37 (Designation), Article 38 (Position), Article 39 (Tasks)
How to Avoid This Violation
Consent violations are the most common type of GDPR enforcement action, accounting for a significant share of all fines by both volume and total amount. Consent-related fines range from small penalties for unsolicited marketing emails (common in Spain) to the EUR746 million Amazon fine for advertising consent failures. The prevalence of consent violations reflects the fundamental challenge organisations face in obtaining and managing valid consent at scale, particularly for advertising and marketing purposes. Cookie consent violations enforced under the ePrivacy Directive alongside GDPR have become a major sub-category, with France's CNIL particularly active in this area.
GDPR fines are triggered by a supervisory authority determining that an organisation has violated one or more provisions of the regulation. The most common triggers are: complaints from data subjects (individuals who believe their data has been mishandled), data breach notifications (organisations self-report breaches that reveal underlying compliance failures), supervisory authority investigations (proactive audits or sector sweeps), and referrals from other DPAs (cross-border investigations). In practice, data breaches are the most common trigger for investigations, but the resulting fines often address underlying issues like inadequate security or unlawful processing rather than the breach itself.
A data breach is not necessarily a GDPR violation. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. However, a data breach does not automatically constitute a GDPR violation if the organisation had implemented appropriate security measures (Article 32) and responded correctly by notifying the supervisory authority within 72 hours (Article 33) and notifying affected individuals where required (Article 34). Supervisory authorities assess whether the organisation's security measures were proportionate to the risk at the time of the breach. If the measures were reasonable, the breach itself may not result in a fine, though the authority may still issue recommendations.