
GDPR Penalties Explained (most common fines, large cases, and how regulators decide)

Understand GDPR penalties based on the different violation categories. Look at what went wrong to avoid costly fines for your organization.

Dec 26, 2025, 12 min read
Juan Combariza, Growth Marketer

Infographic: Top 3 reasons for GDPR fines

Since 2020, regulators have issued over €6.65 billion in fines. €1.2 billion was fined against Meta alone and €746 million against Amazon. And these companies know compliance. They have dedicated security teams and fat compliance budgets.

Yet, violations don’t stop.

One of the many reasons behind this is organizations’ lack of visibility into what’s happening on the client side. Often, third-party scripts run unchecked in users' browsers, disregarding consent choices or sending data overseas without users’ knowledge. This exposes companies to GDPR violations.

TL;DR

  • What are the penalties for violating GDPR? GDPR penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher. Fines as low as €50 have been handed out, while the largest penalty to date was €1.2 billion (Meta). Apart from monetary penalties, regulators may also apply corrective orders, audits, and processing bans.
  • What are some famous GDPR failures in recent history? There have been several high-profile GDPR violations where fines reached hundreds of millions of euros. Meta, Amazon, and TikTok have all been fined for unlawful data processing, failures in obtaining consent, and cross-border data transfers, respectively.
  • Can small businesses be fined under GDPR? Yes. Enforcement is not limited to mega corporations. Regulators will fine small and mid-sized organizations for everyday issues like marketing consent, misleading forms, and unlawful analytics transfers.
  • Why is client-side security important for GDPR compliance? Third-party scripts that handle data in the browser are often left unchecked. These count as processors under GDPR, and a lack of visibility into these scripts leads to failures under Articles 25, 28, 32, and others.

What Are the Penalties for GDPR Violations?

GDPR penalties depend on the severity of the incident. The maximum fine reaches €20 million or 4% of global annual turnover, whichever is higher. Companies that can demonstrate ongoing monitoring and preventive measures tend to receive lower fines.

Most Common Reasons for GDPR Violations

GDPR enforcement follows some patterns. Regulators are known to penalize the same categories of violations, be it consent failures or security gaps.

Here are some of the most common causes.

  • Inadequate legal basis or invalid consent: Article 6 requires every processing activity to have a lawful basis. Pre-ticked checkboxes and bundled consent forms, which may be acceptable in other jurisdictions, violate GDPR consent requirements. The same goes for cookie banners that force users to accept tracking.
  • Lack of transparency: Under Articles 12 and 13, organizations must explain data collection and processing in simple language. Fines target privacy policies that omit details about third-party sharing or do not accurately reflect the processing that actually happens on your website.
  • Inadequate security measures: Article 32 mandates that organizations implement appropriate technical and organizational safeguards to reduce data exposure risk. Regulators issue fines after breaches expose weak security practices. Common failures include unencrypted data and website code injections that skim data.
  • Unlawful data processing or purpose limitation failures: Article 5 restricts the use of data to the purposes disclosed initially. Using data for marketing without permission or collecting excessive information beyond the stated purpose can attract regulatory pressure or civil lawsuits.
  • Third-party data violations: Controllers are responsible for how processors or third-party vendors handle their data. Fines result from sharing personal data with vendors without proper data processing agreements (DPAs). Allowing analytics and other scripts to transfer data without protection has the same effect.
  • Failure to honor data subject rights: Article 15 and the related articles grant individuals the right to access, rectify, erase, and port their data within a specified time window. If a controller's response to these requests is delayed, supervisory authorities are quick to impose penalties.

Additional Reasons for GDPR Violations

Fines due to data minimization failures

Data minimization (GDPR Art. 5(1)(c)) means personal data should be relevant and limited to what is necessary for the purpose. Real estate website PAP (pap.fr) was fined €100,000 after the CNIL found failures around retention periods (keeping data longer than necessary).

Cross-border data transfer

Cross-border transfers (GDPR Chapter 5) become risky when personal data leaves the European Economic Area (EEA) for a country without an adequacy decision, and the exporter cannot ensure equivalent protection.

For instance, the Dutch DPA fined Uber €290 million for transferring European drivers’ data to US servers without appropriate safeguards.

Tracking tech

This enforcement category covers cookies, pixels, SDKs, and ad identifiers that profile users or follow them across sites without valid consent.

Regulators treat unlawful tracking as high-impact because it can be continuous, large-scale, and complex for users to avoid. For instance, the CNIL fined Shein €150 million for cookie practices that failed consent requirements.

Total GDPR Fines by Violation Types

Table: Total GDPR Fines by Violation Type, July 2018 to December 2025

Violation category | Total fines (€) | Notable example
Insufficient legal basis for data processing | €3,010,751,097 | Meta, €1.2B for unlawful EU-US data transfers
Non-compliance with general data processing principles | €2,527,583,332 | Amazon, €746M (Luxembourg CNPD)
Insufficient technical and organisational measures to ensure information security | €883,754,537 | Meta, €265M (Facebook data scraping inquiry)
Insufficient fulfilment of information obligations | €252,723,860 | WhatsApp, €225M for transparency and information obligations
Insufficient fulfilment of data subjects' rights | €103,066,766 | €100,000 fine imposed on a telecom company by the Belgian DPA for improperly handling a data subject access request

Data source: CMS GDPR Enforcement Tracker, as of December 2025. Cumulative fines total approximately €6.6 billion.

Major GDPR Penalties in Recent Years (Sorted by Causes)

We’ve compiled an analysis of recent notable GDPR violations by cause. These cases show what kinds of failures tend to trigger the most significant penalties.

1. GDPR Fine Example: Inadequate legal basis or invalid consent

LinkedIn Ireland was fined €310 million for using an incorrect legal basis for advertising and analytics. The company used user data for targeted advertising and claimed that this processing was necessary to perform its contract with users.

Regulators rejected these claims because targeted advertising was not required to deliver the LinkedIn service. LinkedIn also failed to tell users which legal basis applied to which type of processing. As such, the data processing had no valid legal basis under Article 6.

In another enforcement, INFINITE STYLES SERVICES CO. LIMITED, which operates the Shein fashion brand, received a €150 million fine for pushing users toward accepting tracking and profiling through manipulative interface design.

If users cannot clearly understand why their data is processed, or if consent isn’t a choice, the organization risks violating GDPR requirements.

2. GDPR Fine Example: Lack of transparency

WhatsApp was fined by the Irish Data Protection Commission for failing to clarify how users' personal data was processed between WhatsApp and other Facebook-owned services. WhatsApp also failed to inform non-users whose phone numbers it processed when contacts were uploaded. Further, its privacy details were not clearly explained. These transparency failures violated Articles 12, 13, and 14 of the GDPR, leading to a €225 million penalty.

Another company, Clearview AI, scraped facial images from the public web and used them for biometric identification. However, the company did not seek explicit consent from the individuals involved. Since people received no notice or explanation of the purpose, they had no practical way to exercise their rights. Multiple EU authorities fined the company after finding that its hidden data collection violated the GDPR at its core.

Transparency extends beyond a privacy policy. GDPR expects clarity and visibility. If users cannot easily understand what data you collect and why, regulators treat that lack of transparency as a violation in its own right.

3. GDPR Fine Example: Missing security measures (Article 32)

Article 32 of the GDPR requires organizations to protect users' personal data with appropriate technical and organizational security measures.

The Hellenic Data Protection Authority fined OTE Group €3,250,000 after a breach exposed user call data transferred out of its systems to an external server. Investigators accused OTE of failing to implement adequate safeguards for its infrastructure, resulting in the exfiltration of personal data over several days.

Similarly, Ireland's Data Protection Commission penalized the Bank of Ireland with €463,000. This was the result of repeated data breaches involving the corruption or disclosure of customer personal data during transfers to the Central Credit Register (CCR). As with OTE, the regulator concluded that the bank did not implement appropriate technical and organizational measures, thus breaching Article 32.

Article 32 is mandatory, and if systems expose data through weak access controls or inadequate process oversight, the organization faces the risk of GDPR exposure.

4. GDPR Fine Example: Third-party data violations (Article 28)

The German data protection authority (BfDI) hit Vodafone with a €45 million fine. Of this, €15 million was imposed specifically for failing to review and monitor partner agencies acting on its behalf. Vodafone did not adequately ensure that those third-party partners handled customer data in compliance with the GDPR's requirements under Article 28, putting customers' data at risk.

In another case, a German financial institution was fined €11 million after a SaaS vendor misconfigured its systems. This exposed over 200,000 customer records online. First, the bank did not exercise sufficient oversight over its vendor's security practices. Second, its vendor agreement was outdated. The breach triggered GDPR enforcement because controllers remain responsible for personal data protection, even when third parties process it.

Signing a contract with a vendor does not make compliance the vendor's problem. The GDPR places the responsibility for compliance on the organization that hires them.

5. GDPR Fine Example: Failure to honor data subject rights

In August 2025, a €100,000 fine was imposed on a telecom company by the Belgian Data Protection Authority for improperly handling a data subject access request (DSAR). When one of its customers demanded access to logs showing who had accessed their personal data, the company dragged its feet for 14 months. The Belgian DPA found that the controller violated Articles 12 and 15 of the GDPR. It failed to facilitate the exercise of access rights, was unable to communicate promptly, and mishandled the response process.

Similarly, SATS ASA was fined roughly €850,000 by the Norwegian Data Protection Authority after repeated complaints about failures to respond to access and erasure requests. SATS also failed to communicate retention policies and legal bases, and ignored valid deletion requests when membership ended.

Regulators penalize companies that do not implement adequate mechanisms to promptly and fully handle access, deletion, and consent withdrawal requests. Regardless of how complex your processing is, if people cannot exercise their rights in practice, GDPR treats that as a clear violation.

Do Small and Mid-Sized Businesses Get Fined Under GDPR?

Yes. SMBs do get fined under GDPR. Size is not a shield. GDPR applies to any company that processes EU personal data, whether it’s a bootstrapped startup or a local ecommerce brand. However, company size affects how regulators assess the penalty.

Here’s what enforcement authorities take into account:

  • Company size and revenue: Smaller businesses face much lower fines than those that make the headlines, but even modest penalties can leave a dent when margins are thin.
  • Nature and duration of the violation: Penalties depend on the severity of the breach and the length of time it remains unaddressed. A brief exposure caused by a misfiring script is very different from a data leak that goes unaddressed for months.
  • Negligence vs intent: Organizations that can document safeguards tend to receive leniency. If a violation is caused by employee negligence even though privacy systems were in place, the fine amount may be reduced.

Examples of GDPR Fines Against Small and Mid-Sized Businesses

GDPR enforcement is not limited to mega corporations like Amazon and Meta. Regulators will fine small and mid-sized organizations for everyday issues like marketing consent, misleading forms, unlawful analytics transfers, and even failing to cooperate with an investigation.

Table: GDPR Fines Against Small and Mid-Sized Businesses

Company | Country | Authority | Year | Fine amount | What happened
Knuddels.de (small social network) | Germany | LfDI Baden-Württemberg | 2018 | €20,000 | A security weakness led to user data exposure; the authority viewed it as a failure to secure processing.
Smart Cities (Warsaw company) | Poland | UODO | 2021 | PLN 12,000 (about €3,000) | The company did not cooperate with the authority (did not reply and did not provide the required access).
Vis Consulting Sp. z o.o. (telemarketing company) | Poland | UODO | 2020 | PLN 20,000 (about €4,674) | Fine for failing to cooperate during an inspection.
HUBSIDE.STORE (electronics retailer) | France | CNIL | 2024 | €525,000 | Used broker-supplied contact data for phone or SMS marketing without ensuring people had validly consented.

Can Companies Be Fined Under GDPR for Data Tracking from Third-Party Vendors?

Yes. Website operators are accountable for how third-party scripts handle personal data.

In the past, authorities have fined companies for violations originating in vendor code, partner integrations, and advertising technologies they did not build.

  • France's CNIL fined Criteo €40 million in 2023. The company tracked browsing data through cookies placed by partner websites, but never verified that partners obtained valid consent. Over half the partner sites tested didn't collect lawful consent.
  • Data protection authorities across Austria, France, Italy, and Sweden ruled that websites using Google Analytics violated GDPR. Google Analytics transferred user identifiers, browser parameters, and IP addresses to US servers without adequate safeguards.
  • CNIL fined Google €100 million and Amazon €35 million in 2020 for placing advertising cookies before obtaining consent. Google's banner placed cookies without waiting for the user to make a choice or opt out.
  • Social media buttons and third-party widgets like video embeds can transfer data to external parties without user knowledge. Ireland's DPC has warned that it is in the hands of controllers to understand exactly what data these tools transmit.

GDPR liability does not end at first-party code

  • Controllers remain responsible for the data processing performed by third-party code on their website. Data processing agreements (DPAs) should be in place so that controllers understand exactly what each processor is doing with user data. Website script monitoring tools help controllers ensure that third-party data trackers are operating within the agreed scope.

Processors and sub-processors expand the risk surface. Article 28 requires controllers to ensure processors meet data protection standards. This includes sub-processors (fourth-party scripts) loaded onto your website by third-party scripts.
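To show what "operating within the agreed scope" means in practice, here is an added example (not cside's code or anything from the original post) that triages constructed records of third-party script activity against a controller's inventory of approved processors, flagging the three problems this section and the Criteo, Google Analytics and cookie-banner cases above describe: a script with no processor agreement (including a sub-processor injected by another vendor), activity before the matching consent category was granted, and data sent to a region the processor was not approved for. All hostnames, region labels and the record format are assumptions.

```javascript
// Added example, not code from cside or the original post. It triages
// constructed records of third-party script activity (the kind a client-side
// script monitor would emit) against a controller's inventory of approved
// processors. All hostnames, region labels and record shapes are assumptions.

// Approved processors from signed DPAs: the consent category each one needs
// and the regions its destination hosts may sit in ("US-DPF" is a constructed
// label for a destination covered by a recognised transfer mechanism).
const inventory = {
  "analytics.example": { category: "analytics", regions: ["EEA"] },
  "ads.example":       { category: "marketing", regions: ["EEA", "US-DPF"] },
};

// Constructed sample records, one per observed network action of a script.
// loader: who inserted the script tag; consent: banner state at that moment;
// region: where the destination host resolved to.
const records = [
  { script: "analytics.example", loader: "first-party", dest: "analytics.example",
    region: "EEA",    consent: { analytics: true, marketing: false } },
  { script: "ads.example",       loader: "first-party", dest: "ads.example",
    region: "US-DPF", consent: { analytics: true, marketing: false } },
  { script: "pixel.example",     loader: "ads.example", dest: "pixel.example",
    region: "US",     consent: { analytics: true, marketing: true } },
  { script: "analytics.example", loader: "first-party", dest: "collect.example",
    region: "US",     consent: { analytics: true, marketing: false } },
];

// Returns one finding per agreement, consent or transfer problem found.
function triage(records, inventory) {
  const findings = [];
  for (const r of records) {
    const proc = inventory[r.script];
    if (!proc) {
      // No agreement covers this script; if another vendor injected it, it is
      // a sub-processor the controller never vetted (Article 28).
      const via = r.loader === "first-party" ? "" : ` (sub-processor loaded by ${r.loader})`;
      findings.push({ script: r.script, issue: `no processor agreement${via}` });
      continue;
    }
    // Any cookie write or data send before the matching consent category is
    // granted is processing without a lawful basis (Article 6).
    if (!r.consent[proc.category]) {
      findings.push({ script: r.script, issue: `activity before ${proc.category} consent` });
    }
    // Data leaving the regions approved for this processor is a transfer to
    // review under Chapter 5.
    if (!proc.regions.includes(r.region)) {
      findings.push({ script: r.script,
        issue: `transfer to ${r.dest} in ${r.region} outside approved regions` });
    }
  }
  return findings;
}

for (const f of triage(records, inventory)) console.log(`${f.script}: ${f.issue}`);
```

Run over the sample records it reports three findings: the ads script firing before marketing consent, the pixel injected by the ads vendor with no agreement, and an analytics call to a US host outside the approved EEA region.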

What Regulators Look for When Assessing GDPR Penalties

Supervisory authorities follow the criteria in Article 83 of the GDPR to decide whether to issue a fine and how much the penalty will be.

Penalties are proportionate to both the violation and the organization's circumstances. Regulators generally consider:

  • Nature, gravity, and duration of the infringement
  • Intent weighed against negligence
  • Types of personal data affected
  • Actions taken to contain damage
  • Technical and organizational security measures
  • Previous infringements
  • Cooperation with the supervising authority

GDPR Court Cases That Shaped Enforcement

Here are some notable court cases that shaped how GDPR laws are enforced.

  • Google Spain v. Costeja González (C-131/12) gave birth to the right to be forgotten. The Court ruled that individuals can ask search engines to delist results that show outdated or irrelevant personal information about them.
  • Planet49 (C-673/17) clarified consent standards. The Court held that pre-ticked cookie boxes do not constitute valid consent. Instead, consent must be explicit and active, not assumed.
  • Fashion ID (C-40/17) established that websites embedding third-party plugins (like social media buttons) can be joint controllers with those third parties for data sent to them. This forced many sites to rethink liability and compliance when using embedded content.
  • Meta's ad model ruling by Austria's Supreme Court (2025) found Meta's personalised advertising unlawful because it combined sensitive categories of personal data and lacked specific, informed consent. The court ordered full transparency and separation of sensitive data for all EU users.

How cside Helps With GDPR Compliance

cside Privacy Watch offers visibility into what happens inside user browser sessions.

It shows compliance teams how third-party scripts behave behind the scenes. Here's how cside helps compliance teams:

  • Puts the spotlight on third-party cookies: cside provides visibility into every third-party script running in the browser. It exposes what data each script accesses and where it sends it.
  • Stops unauthorized data collection: cside enforces consent and privacy rules before scripts execute. This prevents personal data from being collected or shared without a valid basis.
  • Prevents website data breaches: cside identifies suspicious script behavior in real time. It alerts teams to risky or non-compliant actions, with 24/7 logs that prove security safeguards were in place.
  • Watches for over-collection: cside tracks every change to third-party script code, catching any updates that change how your website processes data. Privacy teams use this information to review and approve scripts without falling into compliance drift.

You can book a demo with cside to see how our dashboards and AI-assisted documentation save time for your team.


Frequently Asked Questions

GDPR allows regulators to impose fines of up to €20 million or 4 percent of an organization’s global annual turnover, whichever is higher. The final penalty depends on factors such as the severity of the violation, the scope of impacted data, and how the organization handled the incident.

The largest fines are typically issued for unlawful data processing, failure to obtain valid user consent, and inadequate security measures that result in personal data breaches. Repeated violations and lack of accountability further increase enforcement risk.

Recent court rulings have clarified how regulators interpret consent, transparency, and accountability obligations under GDPR. These decisions provide clearer guidance on enforcement expectations and highlight where compliance gaps can quickly turn into costly penalties.
