Last year, some hefty fines were issued, often to repeat offenders. We review the largest penalties dished out in 2025 so far and the breaches behind them.
With most of the year behind us, it is already clear that 2025 has been a fine-heavy year. Penalties have already broken the million euro mark, and the third-biggest GDPR fine of all time has been recorded, after TikTok improperly transferred users' personal data to China. We look at the breaches behind each fine so that your company can avoid similar penalties.
Top GDPR fines in 2025
- TikTok - €530m fine
- Google LLC - €200m fine
- Infinite Styles Services Co. Limited - €150m fine
- Google Ireland Limited - €125m fine
- Vodafone - €45m fine
- Capita - £8m fine
- Capita Pension Solutions Limited - £6m fine
- Poczta Polska SA - €6.3m fine
- Luka Inc. - €5m fine
- ING Bank Śląski - €4.3m fine
- McDonald’s Polska - €3.9m fine
- Advanced Computer Software Group Ltd - €3.5m fine
- Acea Energia S.p.A. - €3m fine
- Allium UPI - €3m fine
- S-Pankki Oyj - €1.8m fine
- ING Bank N.V. - €1.6m fine
- Orange Espagne - €1.2m fine
We continuously track the largest data protection fines throughout the year and have highlighted the biggest GDPR fines of all time.
What are the biggest GDPR fines in 2025?
1. TikTok - €530m fine
GDPR breaches - Art. 13 (1) f), Art. 46 (1)
Ireland’s Data Protection Commission (DPC) has fined TikTok €530 million ($601 million) for breaching the EU's General Data Protection Regulation. In its ruling, the Irish regulator found that TikTok, owned by China's ByteDance, transferred European users' personal data to servers in China without ensuring protections equivalent to those required under EU law.
The investigation revealed that engineers in China were routinely able to access sensitive information belonging to people in the European Economic Area (EEA), and that TikTok failed to carry out adequate assessments of the risks posed by Chinese laws on anti‑terrorism, counter‑espionage and state surveillance. Deputy Commissioner Graham Doyle emphasised that ByteDance never demonstrated it could guarantee an "essentially equivalent" level of privacy safeguarding outside the EU.
At €530 million, this penalty is the DPC's third‑largest GDPR fine to date—only Amazon's €746 million sanction and Meta Platforms' €1.2 billion penalty rank higher.
2. Google LLC - €200m fine
GDPR breaches - Art. 82 loi Informatique et Libertés, Article L. 34-5 CPCE
France’s data watchdog CNIL fined Google LLC €200 million for breaching privacy rules by inserting advertisements disguised as emails into Gmail users’ inboxes without valid consent.
The CNIL ruled that this practice amounted to unsolicited direct marketing, violating EU privacy law. It also criticised Google’s account-creation process, saying users were unfairly steered toward accepting advertising cookies.
3. Infinite Styles Services Co. Limited - €150m fine
GDPR breaches - Art. 82 loi Informatique et Libertés
France’s data watchdog, CNIL, fined INFINITE STYLES SERVICES Co. Ltd (SHEIN) €150 million for placing cookies on users’ devices without valid consent on shein.com.
CNIL found that SHEIN placed advertising cookies before users could consent, provided incomplete or misleading information in cookie banners, failed to clearly identify third-party cookies, and made it difficult for users to refuse or withdraw consent.
The fine reflects SHEIN’s large French user base, with around 12 million visitors per month, making the breaches more serious.
4. Google Ireland Limited - €125m fine
GDPR breaches - Art. 82 loi Informatique et Libertés, Article L. 34-5 CPCE
France’s data protection authority CNIL fined Google Ireland Limited €125 million for breaching EU privacy laws on cookie consent.
CNIL found that users were not properly informed about the use of advertising cookies during account creation, and that the consent interface failed to clearly explain third-party data collection or provide a simple way to refuse cookies. Because of these shortcomings, users’ consent was deemed invalid. The fine reflects the serious nature of the violations given Google’s large user base in France.
5. Vodafone - €45m fine
GDPR breaches - Art. 28(1)
Vodafone's German subsidiary has been fined €45 million for past breaches of EU data protection laws. Germany's data protection authority (BfDI) issued two fines: €15 million for poor internal data protection controls and €30 million for security flaws in handling customer data via the "MeinVodafone" portal and hotline.
Vodafone Germany stated it has fully cooperated with the investigation, accepted the penalties, and paid the fines. The company expressed regret over the incident and noted that under new leadership, data protection is now a top priority, with systems and processes having been comprehensively overhauled.
6. Capita Plc - £8m fine
GDPR breaches - Art. 5 (1) f) UK, Art. 32 (1), (2) UK
The UK’s Information Commissioner’s Office (ICO) has fined outsourcing firm Capita plc and Capita Pension Solutions Limited a total of £14 million following a cyber-attack that exposed the personal data of 6.6 million people. The breach, in March 2023, left sensitive information, including home addresses, passport images, financial details, and some criminal records, unsecured online and circulating on the dark web.
The fine was originally £45 million but reduced after Capita demonstrated improvements to its cybersecurity, offered support to affected individuals, and engaged with regulators and the National Cyber Security Centre (NCSC). The ICO criticised Capita for failing to protect data entrusted to it, affecting 325 of the 600+ pension schemes it manages.
Capita CEO Adolfo Hernandez said the company was "pleased to have concluded this matter" and highlighted strengthened security measures. Experts welcomed the financial penalty as a signal that regulators are serious about data protection.
7. Capita Pension Solutions Limited - £6m fine
GDPR breaches - Art. 32 (1), (2) UK
The UK Information Commissioner’s Office (ICO) has fined Capita plc £8 million and Capita Pension Solutions Limited (CPSL) £6 million, totaling £14 million, for failing to secure personal data following a cyber-attack in March 2023. The breach compromised the personal data of 6.6 million individuals, including sensitive information such as criminal records, financial data, and special category data. Capita's inadequate security measures and delayed response to the attack led to unauthorized access and exfiltration of personal data.
The ICO determined that Capita breached Articles 5(1)(f) and 32(1)(b), (d), and (2) of the UK General Data Protection Regulation (GDPR), which pertain to the security of personal data and the implementation of appropriate technical and organizational measures. The fine reflects the severity of the infringement, the number of individuals affected, and Capita's responsibility in managing the data processing activities.
Capita has since made significant improvements to its cybersecurity infrastructure and has cooperated with relevant authorities to address the incident. The ICO's decision underscores the importance of robust data protection practices and the accountability of organizations in safeguarding personal information.
8. Poczta Polska SA - €6.3m fine
GDPR breaches - Art. 6 (1)
Poland’s UODO fined Poczta Polska 27 million PLN (€6.3 million) and the Minister of Digital Affairs 100,000 PLN for illegally processing the personal data of around 30 million citizens during the 2020 "envelope elections."
The violations included transferring PESEL data without legal basis, processing personal data without GDPR-compliant safeguards, and failing to conduct proper legal assessments. The breach affected nearly 80% of Poland’s population and posed risks of non-material harm such as anxiety over uncontrolled data access. UODO stressed the fines were necessary to uphold GDPR compliance in the public sector.
9. Luka Inc. - €5m fine
GDPR breaches - Art. 5 (1) a), c), Art. 6, Art. 12, Art. 13, Art. 24, Art. 25 (1)
Italy’s Data Protection Authority (Garante) imposed a €5 million fine on Luka Inc., the U.S.-based company behind the Replika chatbot, for multiple violations of the GDPR.
The Garante’s investigation, initiated in response to media reports, revealed that until February 2023, Luka Inc. had not identified a lawful basis for processing personal data through Replika. Additionally, the company failed to implement age verification mechanisms, despite stating that minors were excluded from using the service. The Garante also found deficiencies in Replika’s privacy policy and transparency measures.
The Garante has ordered Luka Inc. to bring its data processing operations into compliance with the GDPR. A separate investigation into the lawfulness of the processing operations throughout the entire lifecycle of the generative AI system underlying Replika is ongoing.
10. ING Bank Śląski - €4.3m fine
GDPR breaches - Art. 5 (1) a), b), c), Art. 6 (1)
Poland’s Personal Data Protection Office (UODO) imposed a €4.375 million fine on ING Bank Śląski S.A. for unlawfully processing personal data. Between April 2019 and September 2020, the bank scanned customers’ and potential customers’ identity documents without verifying whether such actions were justified under the Anti-Money Laundering (AML) Act.
The UODO found that the bank failed to assess the necessity and proportionality of collecting and storing these sensitive documents, violating GDPR Articles 5(1)(c) and 6(1), which require data processing to be lawful and limited to what is necessary. The fine reflects the severity of the breach and ING Bank Śląski’s responsibility in ensuring compliance with data protection laws.
11. McDonald’s Polska - €3.9m fine
GDPR breaches - Art. 5 (1) c), Art. 25 (1), Art. 28 (1), Art. 38 (1)
Poland’s Personal Data Protection Office (UODO) imposed a €4,022,773 fine on McDonald’s Polska Sp. z o.o. for multiple violations of the GDPR.
The UODO’s investigation revealed that McDonald’s Polska processed customer data unlawfully, lacked transparency in data processing practices, and failed to implement adequate measures to ensure data subject rights. These actions contravened several provisions of the GDPR, including Articles 5 (principles relating to processing of personal data), 6 (lawfulness of processing), and 12 (transparent information, communication, and modalities for the exercise of data subject rights).
The fine reflects the severity of the infringements and underscores the importance of compliance with data protection regulations.
12. Advanced Computer Software Group Ltd - €3.5m fine
GDPR breaches - Art. 32 (1)
The UK's Information Commissioner’s Office (ICO) fined Advanced Computer Software Group Ltd £3.1 million for inadequate cybersecurity measures that led to a ransomware attack in August 2022. The breach compromised the personal data of 79,404 individuals and caused significant disruption to essential healthcare services, including inaccessible patient records and NHS 111 helpline outages.
The ICO's investigation found that Advanced failed to implement appropriate technical and organisational measures (TOMs) to protect personal data, as required under Articles 32 and 28 of the UK General Data Protection Regulation (UK GDPR). Deficiencies included the lack of multi-factor authentication (MFA), inadequate vulnerability scanning, and poor patch management. The fine was reduced from an initial £6.1 million following a voluntary settlement.
This case marks the ICO's first penalty imposed on a data processor under the UK GDPR, highlighting the regulator's commitment to holding processors accountable for data protection failures.
13. Acea Energia S.p.A. - €3m fine
GDPR breaches - Art. 5 (1) a), f), Art. 6, Art. 7, Art. 13, Art. 24, Art. 25, Art. 28, Art. 32
Italy’s Data Protection Authority (Garante) imposed a €3 million fine on the EU-based energy company Acea Energia for violating GDPR provisions during its telemarketing activities. A further €850,000 in penalties was levied against the agencies involved in the unlawful practices.
The Garante's investigation uncovered that the company and its partners had engaged in unauthorised telemarketing campaigns, contacting individuals who had not consented to receive such communications.
The Garante emphasized that these actions not only violated individuals' rights but also undermined trust in the energy sector's commitment to data protection. The penalties serve as a reminder of the stringent requirements under the GDPR and the serious consequences of non-compliance.
14. Allium UPI - €3m fine
Estonia’s Data Protection Inspectorate fined Allium UPI OÜ, the operator of the Apotheka loyalty program, €3 million for a significant data breach. The breach compromised the personal data of over 750,000 individuals, including sensitive information such as health-related purchases and contact details. The incident occurred in early 2024 when unauthorized access to the Apotheka information system led to the extraction of customer data.
The Inspectorate found that Allium UPI OÜ had failed to implement basic cybersecurity measures, allowing repeated unauthorized access to the system and database backups. The leaked data included names, identification codes, contact information, and detailed purchase histories, some of which pertained to sensitive health-related products.
Allium UPI OÜ disputes the findings, arguing that the data has not been used for criminal purposes or exposed on the dark web. The company has appealed the decision in court, asserting that it did not neglect customer data protection and that the Inspectorate's assessment was based on incorrect facts.
15. S-Pankki Oyj - €1.8m fine
GDPR breaches - Art. 5 (1) f), Art. 25 (1), Art. 32 (1), (2)
Finland’s Data Protection Ombudsman fined S-Pankki €1.8 million after a flaw in its S-Mobiili app allowed unauthorized account access between April and August 2022.
The breach was linked to inadequate testing, weak security measures, and delayed responses to customer complaints, violating GDPR requirements. S-Pankki quickly fixed the issue, reimbursed affected customers, and strengthened its security protocols.
16. ING Bank N.V. - €1.6m fine
GDPR breaches - Art. 6 (1)
Spain’s anti-money laundering authority, SEPBLAC, imposed a €3.91 million fine on ING Spain for a significant violation of anti-money laundering (AML) regulations. The penalty stemmed from ING's failure to report suspicious transactions as mandated by Article 18 of Spain’s Law 10/2010, which requires financial institutions to promptly notify authorities of potential money laundering or terrorism financing activities.
17. Orange Espagne - €1.2m fine
GDPR breaches - Art. 6, Art. 25
Spain’s data protection authority (AEPD) has fined Orange Espagne €1.2 million for unlawful data processing related to a SIM-swapping fraud. A franchise employee fraudulently issued a duplicate SIM card without the customer's consent, enabling attackers to steal €9k from the victim's accounts.
The AEPD found Orange in violation of Articles 6 and 25 of the GDPR, citing inadequate identity verification processes. Despite Orange claiming it was individual misconduct, the regulator held the company accountable for failing to implement sufficient safeguards. The fine and required remedial actions were upheld following Orange's appeal.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.