GDPR fines run from a EUR 0 reprimand to EUR 1.2 billion. Where you land depends on a handful of factors. Here is the real range and how the number is built.
The two caps (Art. 83)
- Tier 1: up to EUR 10M or 2% of global annual turnover
- Tier 2: up to EUR 20M or 4% of global annual turnover
Whichever is higher applies, so for large companies the percentage, not the fixed cap, sets the ceiling.
The biggest fines on record
| Company | Fine | Year | Issue |
|---|---|---|---|
| Meta (Ireland) | EUR 1.2B | 2023 | Unlawful EU-US data transfers |
| Amazon (Luxembourg) | EUR 746M | 2021 | Advertising consent |
| Instagram (Meta) | EUR 405M | 2022 | Children's data |
| TikTok | EUR 345M | 2023 | Children's data |
| Google (CNIL) | EUR 150M | 2022 | Cookie consent |
What actually drives the number (EDPB Guidelines 04/2022)
What lowers it
- Self-report breaches within 72 hours
- Cooperate fully with the supervisory authority
- Maintain documented privacy-by-design measures
- Keep valid transfer safeguards in place (SCCs plus a transfer impact assessment)
Estimate your own exposure
-> Free GDPR Fine Calculator - model your range by violation type, turnover, and mitigating factors.
Source
Regulation (EU) 2016/679 (GDPR)
Last verified: 21 June 2026.