What is the highest fine for GDPR non-compliance?
Asked by: Prof. Abbey O'Hara | Last update: March 10, 2026 | Score: 4.5/5 (75 votes)
The highest potential fine for GDPR non-compliance is €20 million or 4% of a company's annual global turnover, whichever is greater, for severe violations like infringements of core principles or data subject rights; the highest fine issued to date was a €1.2 billion penalty against Meta in 2023 for unlawful data transfers. A lower tier of fines caps penalties at €10 million or 2% of global turnover for less serious breaches.
What is the penalty for non-compliance of GDPR?
Under Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art.
What is the largest GDPR fine ever?
1. Meta GDPR fine: €1.2 billion. In May 2023, in a groundbreaking decision after five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a historic fine of €1.2 billion on US tech giant Meta.
What is the maximum fine for GDPR compliance?
Data Breaches and the Financial Implications of GDPR
Under GDPR, data breaches can result in severe financial penalties—up to £17 million or 4% of annual global turnover, but the regulation's true weight lies in its demand for transparency and accountability in handling personal data.
Who was fined $20 million for breaching GDPR?
The Information Commissioner's Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
How Are GDPR Penalties For Non-Compliance Determined?
Why was Meta fined 1.2 billion?
...Meta's sanction is for breaching conditions set out in the pan-EU regulation governing transfers of personal data to so-called third countries (in this case the US) without ensuring adequate protections for people's information...
Can a company be fined up to 1 million under GDPR?
What is the maximum GDPR fine? Under the General Data Protection Regulation (GDPR), the highest penalties can reach up to €20 million or 4% of the annual worldwide turnover from the previous fiscal year, whichever is greater.
What is a serious breach of GDPR?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
What are some famous GDPR breach examples?
- Meta's 1.2 billion euro fine: The cross-border data transfer debacle.
- Google's violation of GDPR's right to be forgotten.
- Twitter's failure to notify the breach.
- Cathay Pacific: A wake-up call for the industry.
- TIM S.P.A – failure to uphold data subjects' rights.
What is the maximum fee for GDPR?
What Is The Maximum Fine Under UK GDPR?
- Higher tier: up to £17.5 million or 4% of your global annual turnover (whichever is higher).
- Standard tier: up to £8.7 million or 2% of your global annual turnover (whichever is higher).
What is the largest data breach ever?
10 Most Impactful Data Breaches Ever
- Yahoo – 3,000,000,000 records lost.
- National Public Data – 2,900,000,000 records lost.
- River City Media – 1,370,000,000 records lost.
- Aadhaar – 1,100,000,000 records lost.
- Indian Council of Medical Research (ICMR) – 815,000,000 records lost.
- Spambot – 711,000,000 records lost.
How did Facebook violate GDPR?
Facebook has tried different strategies of circumventing the intent of the GDPR. In the first case, it complied with the timeline set out by the GDPR but left out crucial details. In the second case, Facebook interpreted the GDPR to say that a company has an unlimited amount of time to investigate a breach.
What are the possible penalties for non-compliance?
These include higher fines, civil action, or in some cases, criminal prosecution. In addition to the financial cost, non-compliance can harm a company's reputation and disrupt its business operations.
What is the maximum penalty that can be applied in the event of non-compliance with the European Regulation?
- Lower-tier fines: A maximum fine of up to €10 million or 2% of the prior financial year's annual global turnover, whichever is higher.
- Higher-tier fines: A maximum fine of up to €20 million or 4% of the prior financial year's annual global turnover, whichever is higher.
Which of the following is a consequence of GDPR noncompliance?
The risks of GDPR non-compliance include financial penalties of up to €20 million or 4% of global turnover, depending on the violation's severity. Reputational damage may occur from negative publicity and loss of customer trust, particularly if data subject rights are violated.
How much can you sue for a GDPR breach?
The affected persons have the right to file a data breach claim for up to £2,000 or more in compensation under the DPA and GDPR if:
- Their personal information has been leaked, exposed, damaged, hacked, misappropriated, or lost.
- It was a planned or unintentional breach.
What is the max fine for a GDPR breach?
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
What are the levels of breach in GDPR?
- Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
- Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
- High Risk: The breach may have a considerable impact on affected individuals.
What is the largest GDPR penalty?
Largest fines issued for violations of GDPR 2025
Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.
How big should a company be for GDPR to affect it?
GDPR does not specify a minimum company size. It applies to all organizations, including small and medium-sized enterprises (SMEs), that handle the personal data of individuals in the EU, irrespective of their size or turnover.
Who gets the money from GDPR fines?
Each year, the income from these fines is passed to the Government's Consolidated Fund. However, from 1 April 2022, the HM Treasury has allowed the ICO to retain funds to cover pre-agreed, specific and externally audited enforcement and litigation costs.
What if you invested $10,000 in Facebook in 2012?
Investing $10,000 in Facebook (now Meta Platforms) at its $38 IPO in May 2012 would have yielded significant returns, turning that investment into tens of thousands of dollars, potentially exceeding $80,000 to over $100,000 by late 2025. The exact figure depends on the purchase price after the IPO's initial volatility and on any stock splits and dividends; performance has been volatile, with strong growth offset by downturns such as the one in 2022.
Are lots of people deleting Facebook?
Not only are people deleting the app, but in the same study, it was noted that 42% of Facebook users have taken a substantial break from the website at some point within the past year.
Why was Google fined 3.5 billion?
The European Commission fined Google nearly $3.5 billion after ruling that the company had abused its dominance in digital advertising. Regulators found that Google unfairly preferred its ad exchange, AdX, in its publisher ad server and ad-buying tools, which violated EU antitrust rules.