The fine caps everyone knows, and why they're not the whole story
Article 83 GDPR sets two headline fine caps:
- Tier 1 (Art. 83(4)): up to €10,000,000 or 2% of global annual turnover, whichever is higher: for violations of processor obligations, DPO requirements, DPIA obligations, and breach notification
- Tier 2 (Art. 83(5)): up to €20,000,000 or 4% of global annual turnover, whichever is higher: for violations of core principles, consent rules, data subject rights, international transfer restrictions, and supervisory authority orders
The "whichever is higher" rule means a large company (annual turnover of €10 billion) could face a Tier 2 fine of up to €400 million: far above the €20M absolute cap.
These caps are maxima, not typical outcomes. The EDPB Guidelines 04/2022 explain exactly how DPAs should move from the maximum down to the actual fine.
The EDPB's five-step methodology
Step 1: Identify all processing operations in violation
Before calculating a fine, the DPA must map out each distinct violation. Processing operations that share a common unlawful purpose may be assessed together; separate unlawful purposes lead to separate fines, each subject to the maximum cap for its category.
Step 2: Classify the violation and set a starting point
The DPA classifies the violation as:
- Less serious (0–10% of the applicable maximum): minor procedural breach, limited impact, quickly remedied
- Serious (10–30% of maximum): significant breach, medium number of data subjects, sensitive context
- Very serious (30–100% of maximum): systematic violation, large-scale, sensitive data categories
This starting percentage is applied to the maximum fine to get a baseline figure.
Step 3: Apply aggravating and mitigating factors
The EDPB identifies ten categories of factors under Art. 83(2) that DPAs must weigh:
| Factor | Direction |
|---|---|
| Intentional conduct | Aggravating (+) |
| Negligent conduct | Neutral (0) |
| Accidental / technical error | Mitigating (−) |
| Long duration | Aggravating (+) |
| Large number of data subjects | Aggravating (+) |
| Sensitive data categories | Aggravating (+) |
| Full cooperation with DPA | Mitigating (−) |
| Self-reported breach | Mitigating (−) |
| Previously warned / fined | Aggravating (+) |
| Strong preventive measures | Mitigating (−) |
The DPA adjusts the baseline figure up or down based on the cumulative weight of these factors.
Step 4: Ensure effectiveness, proportionality, and dissuasiveness
The resulting figure must be:
- Effective: large enough to deter future violations
- Proportionate: not out of proportion to the undertaking's size and economic position
- Dissuasive: meaningful relative to the benefit the controller gained from the violation
This step can increase a fine for a large profitable company or reduce it for a small controller with no realistic capacity to pay.
Step 5: Check against the legal maximum
The final figure cannot exceed the statutory cap from Art. 83(4) or (5).
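The five steps above can be walked through as a small calculation. The following is an added worked example, not the site's GDPR Fine Estimator and not anything the EDPB publishes as code. It takes the tier caps and the severity bands from the text as given; everything else is an assumption made for illustration: the numeric weight attached to each Art. 83(2) factor (the Guidelines say which way a factor pulls, not by how much), the additive way the weights combine, the midpoint-of-band default for the starting point, and the single `proportionality` multiplier standing in for Step 4.

```python
from __future__ import annotations

# Art. 83(4)/(5): (absolute cap in EUR, share of global annual turnover); the higher one applies
TIER_CAPS = {
    1: (10_000_000, 0.02),
    2: (20_000_000, 0.04),
}

# EDPB Guidelines 04/2022 starting-point bands, as a share of the applicable maximum
SEVERITY_BANDS = {
    "less serious": (0.00, 0.10),
    "serious": (0.10, 0.30),
    "very serious": (0.30, 1.00),
}

# Direction of each Art. 83(2) factor follows the table above; the magnitudes are an
# ASSUMPTION for this illustration, not values prescribed by the EDPB.
FACTOR_WEIGHTS = {
    "intentional conduct": +0.25,
    "negligent conduct": 0.0,
    "accidental / technical error": -0.15,
    "long duration": +0.15,
    "large number of data subjects": +0.15,
    "sensitive data categories": +0.15,
    "full cooperation with dpa": -0.15,
    "self-reported breach": -0.10,
    "previously warned / fined": +0.20,
    "strong preventive measures": -0.15,
}


def statutory_maximum(tier: int, turnover_eur: float) -> int:
    """Legal maximum for the tier: absolute cap or turnover share, whichever is higher."""
    absolute, share = TIER_CAPS[tier]
    return round(max(absolute, share * turnover_eur))


def starting_point(maximum_eur: int, severity: str, position: float = 0.5) -> int:
    """Step 2: place the case inside its severity band and apply that share to the maximum.

    `position` (0..1) says where within the band the case sits; the 0.5 default
    (band midpoint) is an assumption, the Guidelines leave this to the DPA's judgement.
    """
    if not 0.0 <= position <= 1.0:
        raise ValueError("position must be between 0 and 1")
    low, high = SEVERITY_BANDS[severity]
    return round(maximum_eur * (low + position * (high - low)))


def apply_factors(baseline_eur: int, factors: list[str]) -> int:
    """Step 3: sum the weights of the factors present and scale the baseline (assumed additive model)."""
    try:
        multiplier = 1.0 + sum(FACTOR_WEIGHTS[f.lower()] for f in factors)
    except KeyError as exc:
        raise ValueError(f"unknown Art. 83(2) factor: {exc.args[0]}") from exc
    return round(baseline_eur * max(multiplier, 0.0))


def estimate_fine(
    tier: int,
    turnover_eur: float,
    severity: str,
    factors: list[str],
    position: float = 0.5,
    proportionality: float = 1.0,
) -> dict:
    """Steps 1-5 for one violation (Step 1 is the caller choosing which violation this is).

    `proportionality` is the Step 4 adjustment as a plain multiplier (assumption):
    >1 raises the figure for a large, profitable undertaking, <1 lowers it for a
    small controller with no realistic capacity to pay.
    """
    maximum = statutory_maximum(tier, turnover_eur)            # reference for Steps 2 and 5
    baseline = starting_point(maximum, severity, position)     # Step 2
    adjusted = apply_factors(baseline, factors)                # Step 3
    proportionate = round(adjusted * proportionality)          # Step 4
    final = min(proportionate, maximum)                        # Step 5: never above the cap
    return {
        "maximum": maximum,
        "baseline": baseline,
        "adjusted": adjusted,
        "proportionate": proportionate,
        "final": final,
        "capped": proportionate > maximum,
    }


if __name__ == "__main__":
    # Constructed scenario: €10bn turnover, Tier 2, serious, two aggravating factors
    print(estimate_fine(2, 10_000_000_000, "serious",
                        ["Intentional conduct", "Large number of data subjects"]))
```

Running the constructed scenario shows the mechanics: the €20 million figure is irrelevant once 4% of a €10 billion turnover (€400 million) is higher, a "serious" midpoint takes a fifth of that, and the two aggravating factors then push the estimate up. Swapping in a €50 million turnover with a "very serious" classification shows the other end: the factors would carry the figure past €20 million, and Step 5 pulls it back to the cap.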
Real case patterns
The largest GDPR fines to date have concentrated in Tier 2 violations:
- Meta (2023), €1.2 billion: international transfer violation (data transferred to the US without adequate safeguards after Schrems II)
- Amazon (2021), €746 million: unlawful targeted advertising and consent issues
- WhatsApp (2021), €225 million: transparency and information obligations
- Google (France, 2019), €50 million: consent and transparency for Android personalisation
The pattern shows that systematic, large-scale violations with millions of data subjects, combined with an unwillingness to cooperate, drive fines toward the high end of the range.
What reduces GDPR fine exposure?
Based on the EDPB methodology, the highest-impact mitigating actions are:
Use the GDPR Fine Estimator on this site to model your exposure across different scenarios.