GDPR breaches led to over €1B in fines in 2025
Last year, companies faced nearly 1.15 billion euros in fines for violating the General Data Protection Regulation (GDPR) — a law recognized globally as a benchmark in privacy and security. In 2025 alone, data protection authorities across Europe issued more than 330 fines, according to the GDPR Enforcement Tracker by CMS.Law, which compiles publicly available fines.
Fines are one of the strongest enforcement tools under GDPR and can reach up to €20 million or 4% of a company’s global annual revenue from the previous year, whichever is higher.¹ However, the impact of these fines can extend beyond financial penalties. When publicly disclosed, they not only cause considerable reputational damage and erode trust in companies but also serve as an alert to people that their personal information is at risk.
Most frequent GDPR violations that resulted in fines
Based on the fines logged in the GDPR Enforcement Tracker by CMS.Law, the most frequently imposed fines last year were related to insufficient technical and organizational measures to ensure information security. These violations made up 29% of all fines imposed in 2025 and often led to successful cyberattacks, unauthorized disclosure of personal data, data leaks or losses, and financial consequences for affected individuals.
Compared to 2024, the number of fines for insufficient technical and organizational measures jumped by over 40%, rising from 69 to 97 cases. While these fines weren't the most frequent in 2024, they had the largest financial impact on companies, adding up to nearly 450 million euros. Notably, 76% of this amount resulted from two fines imposed on Meta, which were 251 million and 91 million euros. They were both issued by Ireland's data protection authority.
In 2025, Romania's data protection authority was notable for its activity in imposing the largest number of fines — 42 in total — on companies for lacking sufficient technical and organizational measures to ensure information security. Spain follows with half that number, at 22 cases, while the UK holds the third position with 7 cases.
However, when it comes to the financial impact, the UK's data protection authority hit companies hardest with its penalties. Its fines for insufficient technical and organizational measures added up to the highest total, reaching 23.7 million euros. Following the UK, Spain's authority issued fines amounting to nearly 9.6 million euros. Together, these two authorities accounted for over 80% of the total fines in euros for this type of violation. Although fines due to insufficient technical and organizational measures amounted to over 40 million euros in 2025, they were not the most costly overall.
Most costly GDPR violations for companies
GDPR violations related to an insufficient legal basis for data processing caused the highest costs for companies in 2025. These cases accounted for 90% of total fines, or €1.03 billion in monetary terms. This was primarily due to the four largest penalties imposed: TikTok faced a fine of 530 million euros; Google received fines of 200 million and 125 million euros; and SHEIN was fined 150 million euros.
Ireland's data protection authority imposed the fine on TikTok, while France's data protection authority issued the next three largest financial penalties. As a result, these two authorities were responsible for 98% of the total fines in euros related to this issue.
When examining the number of fines for GDPR violations related to an insufficient legal basis for data processing, Italy's data protection authority imposed the largest number, with 28 cases in 2025. Spain followed with 25 cases, and Romania rounded out the top three with 10 cases. This type of violation was the third most common reason for fines in 2025, accounting for a total of 90 cases.
Most-affected sectors
An analysis of fines issued in 2025 for insufficient legal basis for data processing indicates that the public sector and education were the most frequently impacted, representing 18 out of 90 cases. The industry and commerce sector followed with 14 fines, while the finance, insurance, and consulting sector and the employment sector each faced 13 cases.
However, the media, telecoms, and broadcasting sector experienced the greatest financial impact, comprising over 80% of the total fines in euros. TikTok received the sector's largest GDPR fine in 2025, amounting to 530 million euros. The decision concludes that TikTok did not comply with GDPR when transferring personal data of users in the EEA to China, as it did not ensure a level of protection equivalent to EU standards.³ With approximately 200 million European users⁴, this fine translates to approximately 2.65 euros per affected user.
Regarding fines for insufficient technical and organizational measures, the industry and commerce sector was hit most often, with nearly a third of the fines (31 out of 97) directed at them. The finance, insurance, and consulting sector followed with 21 fines, while healthcare faced 14 fines, rounding out the top three sectors. These findings underscore the critical need for enhanced security measures across these industries to ensure compliance and, especially, to protect the sensitive data they handle.
Assessing the financial impact, the industry and commerce sector was the most affected. This sector accounted for more than 60% of the total fines issued, measured in euros. In 2025, the UK's data protection authority imposed the highest fines in this sector — exceeding 16 million euros — on Capita, following a cyberattack that compromised the personal data of 6.6 million people.² Breaking it down, Capita faced expenses of approximately 2.43 euros per affected person, excluding additional financial costs not directly related to the fine.
European personal data on the dark web
The circulation of data on the dark web further illustrates that no company is entirely secure when it comes to protecting personal data. Data breach monitoring indicates that countries covered by GDPR have experienced over 3.2 billion compromised accounts in data breaches since 2004.
On average, each compromised account exposed 2.5 additional data types beyond the email address, such as passwords, location information, and other personal details. When combined, this information can form a detailed profile that could be effectively exploited for various cybercrimes, ranging from phishing to identity theft.
GDPR: future perspectives and current practices
The scope of data protection authorities could change if the GDPR undergoes reforms. The draft of the so-called Digital Omnibus, which also addresses GDPR, suggests a shift from a strong focus on data protection to potentially weakening it to ease compliance for companies. These changes could primarily benefit companies involved in AI training by allowing them to use AI on personal data, qualifying it as a “legitimate interest,” but potentially undermining individuals’ privacy rights and data security.⁵ A likely direct consequence for GDPR enforcement is that data protection authorities would issue even fewer fines.
Furthermore, publicly available fines offer only a limited perspective on the true state of personal data protection issues. This is not only because data protection authorities have a range of other enforcement tools beyond fines to address GDPR non-compliance, but also because many of them apparently lack transparency in disclosing information about these fines. A research article published in 2025 by Baquero, P. M. et al. offers a categorized list of data protection authorities based on the level and quality of their GDPR fine disclosures. The study evaluated 23 authorities, ranking them from those with comprehensive transparency to those with selective and infrequent disclosures. According to their findings, Cyprus, Finland, Greece, Ireland, the Netherlands, and Spain lead in transparency, while Germany, Slovakia, and Austria rank at the bottom.⁶ Some data protection authorities, such as Slovenia’s, have never imposed any fines.
In this context, companies might prioritize profit over user privacy and security, whether intentionally or inadvertently. Moreover, individuals shouldn't rely solely on laws, which can change, or on regulatory bodies, whose effectiveness can differ. These factors underscore systemic limitations and highlight the critical role individuals must play in safeguarding their own data.
Methodology and sources
Based on data from the GDPR Enforcement Tracker by CMS.Law, sourced on January 5, 2026, this study identifies the most frequent and most costly types of GDPR violations in 2025. Fines were attributed to 2025 based on the decision date. The analysis breaks down the data by the number of fines and their total cost in euros, while also highlighting the key enforcing authorities and most affected sectors.
Furthermore, the study includes an overview of data breaches since 2004, ranking the top EU countries — along with the UK, due to its GDPR-equivalent laws — by the total number of compromised accounts. A data breach occurs when an unauthorized party copies and exposes user information, including names, surnames, email addresses, passwords, and more. Each compromised email address is counted as one breached user or account.
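The aggregation the methodology describes, as an added illustration that is not part of the original study and not the tracker's own code: fines are attributed to a year by decision date, grouped by violation type, authority or sector, and ranked by count and by total euros, with the per-affected-user figure the article quotes computed the same way. The records, authority codes and amounts below are constructed for the example and are not figures from the GDPR Enforcement Tracker.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records in the shape a fine-tracker export might take.
# Authorities, types, sectors, amounts and dates are illustrative only.
SAMPLE_FINES = [
    {"authority": "RO", "type": "insufficient TOMs", "sector": "industry and commerce",
     "amount_eur": 5_000, "decision_date": date(2025, 3, 4)},
    {"authority": "UK", "type": "insufficient TOMs", "sector": "industry and commerce",
     "amount_eur": 16_000_000, "decision_date": date(2025, 10, 15)},
    {"authority": "ES", "type": "insufficient TOMs", "sector": "healthcare",
     "amount_eur": 200_000, "decision_date": date(2025, 6, 1)},
    {"authority": "IE", "type": "insufficient legal basis", "sector": "media, telecoms, broadcasting",
     "amount_eur": 530_000_000, "decision_date": date(2025, 5, 2)},
    {"authority": "IT", "type": "insufficient legal basis", "sector": "public sector and education",
     "amount_eur": 20_000, "decision_date": date(2025, 9, 9)},
    # Decided in 2024: attributed to 2024 by decision date, so excluded from a 2025 view.
    {"authority": "IE", "type": "insufficient TOMs", "sector": "media, telecoms, broadcasting",
     "amount_eur": 251_000_000, "decision_date": date(2024, 12, 17)},
]


def fines_for_year(records, year):
    """Attribute a fine to a year by its decision date (the article's rule)."""
    return [r for r in records if r["decision_date"].year == year]


def summarize_by(records, key):
    """Group fines by `key` ("type", "authority" or "sector") and return
    {group: {"count": number_of_fines, "total_eur": summed_amount}}."""
    out = defaultdict(lambda: {"count": 0, "total_eur": 0})
    for r in records:
        group = out[r[key]]
        group["count"] += 1
        group["total_eur"] += r["amount_eur"]
    return dict(out)


def rank(summary, metric):
    """Group names ordered by `metric` ("count" or "total_eur"), largest first."""
    return sorted(summary, key=lambda g: summary[g][metric], reverse=True)


def share_of_total(summary, group):
    """Fraction (0.0 to 1.0) of all euros in `summary` attributable to one group."""
    total = sum(g["total_eur"] for g in summary.values())
    return summary[group]["total_eur"] / total if total else 0.0


def cost_per_affected_user(amount_eur, affected_users):
    """Fine divided by the number of affected people, rounded to cents."""
    return round(amount_eur / affected_users, 2)


if __name__ == "__main__":
    this_year = fines_for_year(SAMPLE_FINES, 2025)
    by_type = summarize_by(this_year, "type")
    for violation in rank(by_type, "total_eur"):
        stats = by_type[violation]
        print(f"{violation}: {stats['count']} fines, "
              f"{stats['total_eur']:,} EUR "
              f"({share_of_total(by_type, violation):.0%} of total)")
    print("per affected user:", cost_per_affected_user(530_000_000, 200_000_000))
```

Ranking by count and by total euros separately is what lets a violation type be the most frequent without being the most costly, which is exactly the split the article reports between insufficient technical and organizational measures and insufficient legal basis.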
Note: GDPR Enforcement Tracker by CMS.Law monitors only publicly available fines, suggesting that the database may not be entirely comprehensive. This introduces certain limitations and narrows the scope of the analysis.