
GDPR Fines: How They're Actually Calculated

Supervisory authorities arrive at a GDPR fine through the EDPB's five-step methodology (Guidelines 04/2022). Knowing the steps tells you where your exposure comes from and which factors you can still influence before and after an incident.

The caps

  • Tier 1 (Art. 83(4)): up to €10M or, for an undertaking, 2% of total worldwide annual turnover of the preceding financial year
  • Tier 2 (Art. 83(5)): up to €20M or, for an undertaking, 4% of total worldwide annual turnover of the preceding financial year

"Whichever is higher", so a company with €10B turnover faces up to €400M for a Tier 2 infringement. In both tiers the turnover-based figure overtakes the fixed ceiling once worldwide turnover exceeds €500M (€500M × 2% = €10M, €500M × 4% = €20M).

The EDPB 5-step method (Guidelines 04/2022)

  • Step 1: Identify the processing operations and the infringements they involve. Separate infringements can each be fined, but for the same or linked processing operations Art. 83(3) caps the total at the amount specified for the gravest infringement.
  • Step 2: Find the starting point. Categorise each infringement under Art. 83(4) or 83(5), rate its seriousness (nature, gravity and duration, intent or negligence, categories of data affected, number of data subjects and level of damage), and place the starting amount in the matching band of the legal maximum: low seriousness 0–10%, medium 10–20%, high 20–100%. The guidelines also let the DPA scale this amount down for undertakings with lower turnover.
  • Step 3: Adjust for the Art. 83(2) aggravating and mitigating circumstances: action taken to mitigate the damage, degree of responsibility (including the Art. 25 and Art. 32 measures in place), previous infringements, cooperation with the DPA, how the DPA became aware of the infringement (self-notification), compliance with earlier orders, and adherence to approved codes of conduct or certification.
  • Step 4: Check the legal maximum. The result cannot exceed the Art. 83 cap for that infringement (see above).
  • Step 5: Check that the amount is effective, proportionate and dissuasive (Art. 83(1)) and adjust it if it is not.

What actually reduces fines

  • Notify the DPA within 72 hours (Art. 33). Notification is an obligation, so a late or missing notification is a separate Art. 83(4) infringement, and how the DPA learned of the infringement is itself an Art. 83(2)(h) factor.
  • Full cooperation with the DPA (Art. 83(2)(f))
  • Documented technical and organisational measures, including privacy by design (Art. 25) and security of processing (Art. 32), which go to the degree of responsibility under Art. 83(2)(d)
  • Valid transfer safeguards (SCCs plus a transfer impact assessment) for international transfers, since Chapter V infringements fall under the Art. 83(5) tier
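A worked model of the five steps, as an added example (it is not the EDPB's tool and not the calculator linked below). It encodes the Art. 83(4)/(5) caps and the Guidelines 04/2022 starting-point bands (low 0–10%, medium 10–20%, high 20–100% of the legal maximum), and treats the Step 3 circumstances as signed percentage adjustments to the starting amount, which is an assumption for illustration since the guidelines leave that arithmetic to the supervisory authority. The turnover figures, factor weights and band positions are constructed.

```python
"""Simplified model of the EDPB Guidelines 04/2022 fine methodology.

Added example, not the EDPB's tool. Caps and seriousness bands follow the
guidelines; the percentage weights used for Step 3 factors are an assumption
for illustration, because the guidelines leave that arithmetic to the DPA.
"""
from dataclasses import dataclass

# Art. 83(4) and 83(5): fixed ceiling in euros, share of worldwide annual turnover.
TIERS = {"83(4)": (10_000_000, 0.02), "83(5)": (20_000_000, 0.04)}

# Step 2 starting-point bands as a share of the legal maximum (low / medium / high).
SERIOUSNESS = {"low": (0.00, 0.10), "medium": (0.10, 0.20), "high": (0.20, 1.00)}


@dataclass
class Infringement:
    tier: str              # "83(4)" or "83(5)"
    seriousness: str       # "low", "medium" or "high"
    position: float = 0.5  # where in the band the DPA places the start (0.0 .. 1.0)


def legal_maximum(tier: str, turnover_eur: float, undertaking: bool = True) -> float:
    """Step 4 cap. 'Whichever is higher' only applies to undertakings."""
    fixed, share = TIERS[tier]
    return max(fixed, share * turnover_eur) if undertaking else float(fixed)


def starting_point(inf: Infringement, turnover_eur: float) -> float:
    """Step 2: place the starting amount inside the seriousness band."""
    lo, hi = SERIOUSNESS[inf.seriousness]
    return legal_maximum(inf.tier, turnover_eur) * (lo + inf.position * (hi - lo))


def adjust(amount: float, factors: dict) -> float:
    """Step 3: Art. 83(2) circumstances as signed shares of the starting amount,
    e.g. {"intentional": 0.25, "cooperation": -0.10}. The weights are an assumption."""
    return max(0.0, amount * (1.0 + sum(factors.values())))


def assess(infs: list, turnover_eur: float, factors: dict, linked: bool = True) -> float:
    """Steps 1 to 5 for one case; returns the total fine in euros.

    Each infringement is started (Step 2), adjusted (Step 3) and capped at its
    own legal maximum (Step 4). With linked=True the infringements arise from the
    same or linked processing operations, so Art. 83(3) caps the total at the
    legal maximum of the gravest infringement. Step 5 (effective, proportionate,
    dissuasive) is a judgement call and is not modelled.
    """
    per_infringement = [
        min(adjust(starting_point(i, turnover_eur), factors),
            legal_maximum(i.tier, turnover_eur))
        for i in infs
    ]
    total = sum(per_infringement)
    if linked and infs:
        total = min(total, max(legal_maximum(i.tier, turnover_eur) for i in infs))
    return round(total, 2)  # whole cents; also drops float noise from the band arithmetic


if __name__ == "__main__":
    # Constructed figures, not real cases.
    big = 10_000_000_000   # EUR 10B turnover: the 4% cap (400M) beats the 20M floor
    small = 50_000_000     # EUR 50M turnover: 2% (1M) is below the 10M floor, so 10M applies
    factors = {"intentional": 0.25, "cooperation": -0.10}
    print(assess([Infringement("83(5)", "high")], big, factors))        # 276000000.0
    print(assess([Infringement("83(4)", "low")], small, {}))            # 500000.0
    both = [Infringement("83(5)", "high", 1.0), Infringement("83(4)", "high", 1.0)]
    print(assess(both, big, {}, linked=True), assess(both, big, {}, linked=False))  # 400M vs 600M
```

The last case is the one worth noticing: two maximal infringements from the same processing operation total €400M, not €600M, because Art. 83(3) stops the Tier 1 amount from stacking on top of the Tier 2 cap; the same two infringements from unrelated processing are fined separately.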

Estimate your exposure

→ [GDPR Fine Calculator](/tools/gdpr-fines) — model your fine range based on violation type, turnover, and mitigating factors.

Source

[EDPB Guidelines 04/2022](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_en)