The past few years have seen massive GDPR fines handed out to firms. Here's a breakdown of the top 20 penalties from 2018 to 2025 thus far.
Following the introduction of GDPR in May 2018, initial reports showed that data breach complaints increased by 160%. This alarming rate indicates how critical it is to ensure staff receive comprehensive GDPR training and understand the key aspects of GDPR fines.
In 2023, approximately €2.1 billion in GDPR fines were imposed in the EU, a record-breaking total. The 20 biggest GDPR fines from the past five years reveal some key takeaways.
Firstly, 2021 recorded two heavyweights in terms of penalty amounts. The fines dished out to Amazon Europe and WhatsApp Ireland are in a league of their own, at least for their time.
It appears that either fines are getting steeper or the breaches are becoming more serious with time. After a year of relatively low fines in 2019, the following two years saw some hefty penalties.
In recent times, 2022 and 2023 have a near-even split, although 2023 has seen the largest GDPR fine ever issued and has three of the top five all-time fines. LinkedIn's €310m fine and Uber's €290m penalty in 2024 sit just outside of the top five all-time biggest penalties. This indicates that although we have seen a decline in penalty amounts in 2024, there is still cause for concern. TikTok's €530m fine in 2025 is proof of this, as it stands as the third largest GDPR penalty to date.
We continuously track the largest GDPR penalties each year. If you're interested in the full details, have a look at the all-time biggest ICO fines, listed below the most recent fines in 2026.
GDPR breaches - Art. 46 (1)
Ireland's Data Protection Commission (DPC) found Meta to be in violation of GDPR international transfer guidelines. The record-breaking fine of €1.2bn was issued to Facebook's parent company after it mishandled personal data when transferring it between Europe and the United States (US).
At the heart of the breach is Meta's transfer of data to the US on the basis of standard contractual clauses since 2020. This is the only valid way to transfer data between the EU and the US, provided there is an adequate level of data protection, which Meta failed to provide.
In addition to the fine, Meta has been ordered to bring its data transfers into compliance with the GDPR. Meta has stated that it will appeal this decision.
GDPR breaches - Non-compliance with general data processing principles
In 2021, Luxembourg's National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of how it uses customer data for targeted advertising purposes.
In 2018, the French privacy rights group La Quadrature du Net submitted a complaint.
The complaint - which also targeted Apple, Facebook, Google and LinkedIn - was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received.
The CNPD ruled that Amazon must commit to changing its business practices.
GDPR breaches - Art. 13 (1) f), Art. 46 (1)
Ireland's Data Protection Commission (DPC) has fined TikTok €530 million ($601 million) for breaching the EU's General Data Protection Regulation. In its ruling, the Irish regulator found that TikTok, owned by China's ByteDance, transferred European users' personal data to servers in China without ensuring protections equivalent to those required under EU law.
The investigation revealed that engineers in China were routinely able to access sensitive information belonging to people in the European Economic Area (EEA), and that TikTok failed to carry out adequate assessments of the risks posed by Chinese laws on anti‑terrorism, counter‑espionage and state surveillance. Deputy Commissioner Graham Doyle emphasised that ByteDance never demonstrated it could guarantee an "essentially equivalent" level of privacy safeguarding outside the EU.
At €530 million, this penalty is the DPC's third-largest GDPR fine to date; only Amazon's €746 million sanction and Meta Platforms' €1.2 billion penalty rank higher.
GDPR breaches - Art. 4
Meta has been hit with a massive €479 million fine by a Madrid court after being found to have unlawfully processed user data. The court sided with 87 Spanish media companies, ruling that Meta’s data practices gave it an unfair advantage in the online ad market.
When the EU's GDPR came into effect in 2018, Meta switched the legal justification for collecting data from "user consent" to “contract necessity.” Regulators later rejected that justification. In 2023, Meta reverted to relying on user consent again.
The Spanish court said that by harvesting huge amounts of user data under the “contract necessity” pretext, Meta gained a "significant competitive advantage," drawing away ad revenue that could have gone to Spanish publishers. The fine was calculated based on Meta’s ad earnings during the period it used that disallowed legal basis.
Unsurprisingly, Meta is appealing. It argues the decision is "without merit" and insists that users already have clear ways to control how their data is used.
GDPR breaches - Art. 5 (1) a), c), Art. 6 (1), Art. 12 (1), Art. 24, Art. 25 (1), (2), Art. 35
The Data Protection Commission (DPC) issued a fine to Meta Platforms Ireland Ltd. (Instagram) of €405m, which includes a fine of €20m for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines. An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram.
The DPC conducted a thorough investigation and submitted a draft decision to all peer regulators in the EU. After they couldn't reach a consensus, the case was referred to the European Data Protection Board ("EDPB"). In the end, the DPC's original recommended fine amount was imposed, and the DPC issued a reprimand to the company with an order requiring specific remedial actions.
GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)
Meta Platforms Ireland Ltd. makes a second appearance for the year with a €390m fine for unlawfully requesting to use people's data for ads on Facebook and Instagram. The regulator states that Meta cannot force consent by asking consumers either to accept how their data is used or to leave the platform.
During the investigation, the Irish Data Protection Commission (DPC) also found that Meta was not clear enough about how and why it would use a user's data.
GDPR breaches - Art. 5 (1) c), 5 (1) f), Art. 12 (1), Art. 13 (1) e), Art. 24 (1), Art. 25 (1), (2)
The Irish Data Protection Commissioner (DPC) has fined TikTok €345m for breaching a number of GDPR rules, including putting 13-17-year-old users' accounts on default public settings.
This failure to shield underage users from public view was coupled with not supplying these users with transparent information and not checking if the adult who 'paired' with the child in the 'family pairing' scheme was, in fact, a parent or guardian.
Furthermore, the DPC found that TikTok didn't take into account the risk posed to underage users who gained access to the platform.
GDPR breaches - Art. 5 (1) a), Art. 6 (1) a), e), f), Art. 13 (1) c), Art. 14 (1) c)
The Irish Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million and issued a reprimand following an investigation into the company's processing of personal data for behavioural analysis and targeted advertising.
The inquiry, initiated after a complaint from the French Data Protection Authority, found that LinkedIn’s data practices violated several provisions of the General Data Protection Regulation (GDPR).
The breaches included unlawful data processing: LinkedIn invalidly relied on consent, legitimate interests and contractual necessity as legal bases for behavioural analysis and advertising. LinkedIn also failed to provide sufficient transparency about these practices, violating Articles 13 and 14, and breached the fairness principle under Article 5.
GDPR breaches - Art. 44
Uber has been fined €290 million ($324 million) by the Dutch data protection authority (DPA) for illegally transferring European taxi drivers' personal data to the U.S., violating EU regulations.
Although Uber has since stopped this practice, the company disagrees with the fine, calling it "unjustified", and plans to appeal, arguing that its data transfer process was GDPR-compliant. The investigation began after a complaint from a French human rights organisation.
The appeals process could take up to four years, with fines on hold until all legal options are exhausted. Earlier this year, Uber was fined €10 million for similar privacy violations.
GDPR breaches - Art. 25 (1), (2)
Meta Platforms Ireland Limited (MPIL), the data controller of the Facebook social media network, has been issued a fine of €265m along with corrective measures. This is one of the largest fines since the beginning of GDPR.
The inquiry began after reports that a collated dataset of Facebook personal data was made available on the internet. The main issues in the inquiry involved questions of compliance with the GDPR obligation for Data Protection by Design and Default.
After a comprehensive investigation, the DPC found MPIL in breach of Articles 25(1) and 25(2) GDPR, and the supervisory authorities agreed with the final decision.
GDPR breach - Art. 33 (3), (5), Art. 25 (1), (2)
Meta has been fined $263.5 million (€251 million) by Ireland's Data Protection Commission (DPC) over a 2018 Facebook security breach that exposed sensitive data from 29 million users globally.
The breach exploited a vulnerability in Facebook's "view as" feature, allowing unauthorized access to personal information such as names, contact details, locations, workplaces, and even data about users' children.
While Meta promptly reported the breach and implemented corrective measures, the DPC found several violations of the EU’s General Data Protection Regulation (GDPR), underscoring the serious risks posed by the data exposure.
This fine is part of a broader series of GDPR-related penalties against Meta, which have now surpassed $3 billion. Meta plans to appeal the decision, emphasizing its enhanced data protection measures since the incident.
GDPR breaches - Articles 5, 12, 13, 14
Ireland's data authority fined WhatsApp £193m in 2021 for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards.
A 2018 investigation revealed that WhatsApp was not transparent enough with its customers on how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under GDPR law, and had received complaints from eight countries, including Germany, France, and Italy.
GDPR breaches - Art. 82 loi Informatique et Libertés, Article L. 34-5 CPCE
France’s data watchdog CNIL fined Google LLC €200 million for breaching privacy rules by inserting advertisements disguised as emails into Gmail users’ inboxes without valid consent.
The CNIL ruled that this practice amounted to unsolicited direct marketing, violating EU privacy law. It also criticised Google’s account-creation process, saying users were unfairly steered toward accepting advertising cookies.
GDPR breaches - Art. 82 loi Informatique et Libertés
France's data watchdog, CNIL, fined INFINITE STYLES SERVICES Co. Ltd (SHEIN) €150 million for placing cookies on users' devices without valid consent on shein.com.
CNIL found that SHEIN placed advertising cookies before users could consent, provided incomplete or misleading information in cookie banners, failed to clearly identify third-party cookies, and made it difficult for users to refuse or withdraw consent.
The fine reflects SHEIN’s large French user base, with around 12 million visitors per month, making the breaches more serious.
GDPR breaches - Art. 82 loi Informatique et Libertés, Article L. 34-5 CPCE
France’s data protection authority CNIL fined Google Ireland Limited €125 million for breaching EU privacy laws on cookie consent.
CNIL found that users were not properly informed about the use of advertising cookies during account creation, and that the consent interface failed to clearly explain third-party data collection or provide a simple way to refuse cookies. Because of these shortcomings, users’ consent was deemed invalid. The fine reflects the serious nature of the violations given Google’s large user base in France.
GDPR breaches - Art. 5 (1) f), Art. 32 (1), Art. 33 (1), (5)
The DPC has fined Meta Platforms Ireland Limited (MPIL) €91 million for GDPR violations stemming from the mishandling of social media users' passwords. The investigation began in 2019 when Meta disclosed that certain user passwords were stored in plaintext on its internal systems without encryption, exposing them to potential misuse.
The DPC found that Meta failed to implement adequate technical and organisational measures to secure these passwords, breaching GDPR principles of integrity and confidentiality.
While Meta claimed no evidence of improper access or abuse, the DPC highlighted the heightened sensitivity of passwords due to their potential to grant access to users' accounts. Meta has since rectified the issue and cooperated with the investigation.
GDPR breaches - Art. 5 (1) f), Art. 5 (2), Art. 24 (1), Art. 25, Art. 28, Art. 32
The Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against ENEL Energia for telemarketing misconduct. This follows the cancellation of a previous €26.5 million fine due to procedural delays.
The Garante criticised ENEL Energia for not implementing adequate measures to prevent telemarketing abuses but acknowledged the company's efforts to improve security.
The regulator found that Enel Energia violated GDPR Articles 5(1)(f) and 32 by failing to properly assess the risks associated with its CRM interface and by not implementing adequate measures to secure access credentials and prevent their sharing. This oversight allowed unauthorised agency employees to access and process personal data within Enel Energia's contractual system.
GDPR breaches - Articles 4, 5, 6, 13, 14
In one of the most high-profile cases of 2019, the French data regulator (CNIL) fined Google an astounding €50 million.
The fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Information about ad personalisation was diluted across several documents, preventing users from understanding its full extent.
Additionally, the choice to receive personalised ads was "pre-ticked" upon opening a new account, directly defying the GDPR.
GDPR breaches - Art. 28(1)
Vodafone's German subsidiary has been fined €45 million for past breaches of EU data protection laws. Germany's data protection authority (BfDI) issued two fines: €15 million for poor internal data protection controls and €30 million for security flaws in handling customer data via the "MeinVodafone" portal and hotline.
Vodafone Germany stated it has fully cooperated with the investigation, accepted the penalties, and paid the fines. The company expressed regret over the incident and noted that under new leadership, data protection is now a top priority, with systems and processes having been comprehensively overhauled.
GDPR breaches - Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26
The French Data Protection Authority (CNIL) has fined Criteo, an online advertising specialist, €40 million in response to complaints from the non-profit organisations Privacy International and None of Your Business (NOYB).
CNIL's decision cites Criteo's failure to ensure that its partners, such as publishers, obtained user consent for using Criteo's cookies. Although partners are primarily responsible for obtaining consent from users, CNIL still holds Criteo responsible for verifying this consent.
The €40 million penalty amounts to approximately 2% of the company's global revenue, reduced from an initial proposal of €60 million by CNIL rapporteurs.
Before the introduction of the GDPR, the ICO could issue fines capped at £500k. The limitation on the fine amount meant that large global organisations were unlikely to feel the impact of the penalty. The ICO now has the power to issue companies a fine equaling 4% of their annual turnover.
Over the years, the ICO has handed out some of the biggest penalties for data breaches where companies have failed to protect customer data. From 2020 to 2021, the ICO issued a record £42m in fines, a 1580% increase on the previous year.
Here are some of the biggest fines the ICO has issued:
Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That's one for every seven or eight people on the planet!
But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner, Verizon, discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That's every single account under the Yahoo name, including Flickr and Tumblr.
The breaches knocked a huge chunk off Yahoo's sale price, to the tune of $350 million. Having once been valued at $100 billion, Verizon paid just $4.48 billion for the core internet business. In October last year, Yahoo agreed to pay $50 million in damages, of which half will be paid by Verizon and the other half by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).
But what would have happened if this breach had taken place post-GDPR?
Of course, the scope of the breach was significant. But what would be crucial today is that Yahoo didn't disclose the extent of the breach within 72 hours, as the GDPR requires. And with revenue in excess of $4 billion for the year 2012/2013, Yahoo would have faced an $80 million fine, or potentially as much as $160 million!
Facebook, now known as Meta, was slapped with a £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.
Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.
Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data, including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.
The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers, the ICO was forced to issue the fine.
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a full library of compliance courses, including data protection and GDPR.
We also have additional free resources such as e-learning modules, microlearning modules, and more.