Last year saw some hefty fines, often issued to repeat offenders. Here we review the largest penalties handed out so far in 2025 and the breaches behind them.
With the first part of the year behind us, there is enough information to say that it has been a relatively quiet year on the fines front in terms of volume. That said, penalties have already run into the hundreds of millions of euros, and the third-biggest GDPR fine of all time has been recorded: TikTok was penalised for improperly transferring users' personal data to China. We look at the breaches that led to each fine so that your company can avoid similar penalties.
Top GDPR fines in 2025
We continuously track the largest data protection fines throughout the year and have highlighted the biggest GDPR fines of all time.
The biggest 2025 GDPR fines in detail
1. TikTok - €530m fine
GDPR breaches - Art. 46(1), Art. 13(1)(f)
Ireland's Data Protection Commission (DPC) has fined TikTok €530 million ($601 million) for breaching the EU's General Data Protection Regulation. In its ruling, the Irish regulator found that TikTok, owned by China's ByteDance, transferred European users' personal data to servers in China without ensuring protections equivalent to those required under EU law, and that it failed to tell users clearly that their data could be accessed from China.
The investigation revealed that engineers in China were routinely able to access personal data belonging to people in the European Economic Area (EEA), and that TikTok failed to adequately assess the risks posed by Chinese laws on anti-terrorism, counter-espionage and state surveillance. Deputy Commissioner Graham Doyle emphasised that TikTok never demonstrated it could guarantee an "essentially equivalent" level of protection for data once it left the EU.
At €530 million, this is the third-largest GDPR fine to date; only Amazon's €746 million sanction (issued by Luxembourg's CNPD in 2021) and Meta Platforms' €1.2 billion penalty (issued by the DPC in 2023, also for unlawful transfers) rank higher.
2. Orange Espagne - €1.2m fine
GDPR breaches - Art. 6, Art. 25
Spain's data protection authority (AEPD) has fined Orange Espagne €1.2 million for unlawful data processing in a SIM-swapping fraud. An employee at a franchise store issued a duplicate SIM card without the customer's consent, allowing attackers to take over the victim's phone number, intercept one-time codes and steal around €9,000 from the victim's bank accounts.
The AEPD found Orange in breach of Articles 6 (lawfulness of processing) and 25 (data protection by design and by default) of the GDPR, citing inadequate identity verification before a duplicate SIM is issued. Although Orange argued that the incident was the misconduct of a single employee, the regulator held the company accountable as data controller for failing to implement sufficient safeguards against exactly this kind of abuse. The fine and the required remedial measures were upheld after Orange's appeal.
3. Caja Rural de Jaen - €400k fine
GDPR breach - Art. 5(1)(f)
The AEPD imposed a €500,000 fine on Caja Rural de Jaén, Barcelona y Madrid after a cyberattack exposed sensitive customer data because of insufficient security measures. The regulator found that the bank had breached Article 5(1)(f) of the GDPR, the integrity and confidentiality principle, which requires appropriate security for personal data.
The bank attempted to shift the blame to its IT provider, but the AEPD held that the bank, as data controller, bore ultimate responsibility for protecting its customers' data. The bank appealed and the authority upheld its decision. The bank then agreed to pay voluntarily without admitting fault, which under Spanish procedure reduced the fine to €400,000.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.
