30 Biggest GDPR Fines Ever Recorded (2025)

Which companies received the biggest GDPR fines?

Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become the cornerstone of data privacy laws across the European Union. 

Designed to protect individuals’ data and enforce accountability among organizations, GDPR has also resulted in substantial financial penalties for violators. 

Companies—big and small—have faced hefty GDPR fines and penalties for breaching the law, whether by mishandling personal data, failing to secure user information, or ignoring compliance obligations.  

As we enter 2025, the list of violators of GDPR continues to grow, with fines hitting unprecedented levels. Organizations have paid the price for GDPR violations, from global tech giants to regional businesses, making it clear that non-compliance is not an option. 

This article explores the 31 biggest GDPR breach fines, their reasons, and the lessons businesses can learn to avoid similar penalties. 

Biggest GDPR Fines

These record-breaking GDPR fines and penalties highlight the importance of adhering to strict data protection laws. Each GDPR violation showcases the risks organizations take when failing to prioritize user privacy. 

Violators of GDPR have faced severe consequences, with penalties reaching millions of euros. Such GDPR breach fines emphasize the need for businesses to implement robust data security measures. 

GDPR penalties serve as a deterrent, ensuring companies comply with data privacy regulations. Non-compliance not only damages reputations but also results in significant financial setbacks. The cases of violators of GDPR underline the importance of transparency in handling personal data. 

These fines reveal how seriously regulators take even minor breaches of GDPR requirements. For organizations worldwide, understanding and avoiding GDPR violations is no longer optional—it’s essential.

1. Meta – €1.2 billion ($1.3 billion)

Meta, the parent company of Facebook, received the biggest GDPR fine ever recorded on May 22, 2023. The Irish supervisory authority charged Meta a staggering €1.2 billion penalty for breaching GDPR’s international data transfer regulations. 

This record-breaking fine stemmed from Meta transferring Facebook users’ data from the EU/EEA to the US, violating the guidelines outlined under GDPR.  

Regulators highlighted that Meta failed to adhere to the EU’s Schrems II decision of 2020, which invalidated the EU-US Privacy Shield Framework.

Despite the ruling, Meta has announced plans to appeal the decision, potentially setting the stage for a prolonged legal battle. This case remains a significant example of the consequences of non-compliance with GDPR.

2. Facebook – €265 million ($275 million)

Facebook received GDPR penalties in 2022.

The platform faced one of the biggest GDPR fines, €265 million, imposed by the Irish Data Protection Commission (DPC) for a significant GDPR violation. The fine stemmed from an incident in which users’ data appeared on an online hacking forum.  

Reports revealed that the leaked information included names, Facebook IDs, phone numbers, locations, birthdates, and email addresses of individuals from over 100 countries. 

The investigation uncovered that attackers “scraped” this data from Facebook using tools designed to help users locate their friends through phone numbers via features like search and contact imports.

3. TikTok – €345 million ($377 million)

TikTok was among the violators of GDPR, receiving its penalty for violating GDPR in 2023. 

The Irish Data Protection Commission (DPC) issued a substantial fine to TikTok for violating GDPR. The streaming app failed to protect the content of underage users, resulting in a GDPR breach fine.  

TikTok’s default account settings raised concerns because the platform automatically set accounts of users aged 13 to 17 to public during the sign-up process. This meant anyone could view their content or leave comments on their profiles. 

This violation highlights how authorities apply GDPR fines and penalties to companies that fail to prioritize their users’ privacy, particularly minors.

4. Instagram – €405 million ($427 million)

In September 2022, Instagram faced a hefty fine from the Irish Data Protection Commission (DPC) for violating GDPR, particularly concerning children’s privacy online. Authorities penalized the platform for exposing sensitive data, including children’s phone numbers and email addresses.

The investigation revealed that Instagram’s user registration system defaulted child accounts to a “public” setting unless manually changed to “private.” This practice violated GDPR’s privacy by design principles and provisions to safeguard children’s personal information.  

This case underscores the biggest GDPR fines and penalties imposed on violators of GDPR, especially when they fail to adhere to strict guidelines for protecting minors’ data.

5. Amazon – €746 million ($781 million)

Amazon Europe received the second-biggest GDPR fine in 2021, imposed by Luxembourg’s National Commission for Data Protection (CNPD). Authorities penalized the online retail giant for failing to obtain user consent before storing advertisement cookies on users’ devices. 

This violation of GDPR highlighted Amazon’s non-compliance with the rules governing user consent and data protection. 

Such cases emphasize the strict enforcement of GDPR fines and penalties for violators of GDPR, ensuring organizations adhere to data privacy standards to avoid significant GDPR breach fines.

6. Google – €150 million ($169 million)

In 2021, France’s data regulator, CNIL, imposed a €150 million fine on Google for violating GDPR related to cookie consent mechanisms. The regulator found that Google and YouTube made it significantly more challenging for users to refuse cookies than to accept them.  

This noncompliant approach breached GDPR guidelines, which require equal ease in granting or refusing consent. 

This case highlights how GDPR fines and penalties target violators of GDPR who fail to prioritize transparency and user choice, reinforcing the importance of adhering to GDPR laws to avoid substantial penalties.

7. WhatsApp – €225 million ($247 million)

In 2021, the Irish Data Protection Commission (DPC) imposed significant GDPR fines and penalties on Meta-owned WhatsApp for failing to provide adequate transparency about its data processing practices in its privacy notice.  

The investigation began in 2018 and scrutinized whether WhatsApp had clearly outlined how it manages customer data. Regulators determined that the company failed to explain the mechanisms to store and share data. 

This lack of transparency led to one of the biggest GDPR fines, highlighting the importance of compliance with GDPR laws to avoid severe fines and penalties for such violations.

8. H&M – €35 million ($41 million)

In 2020, the German Data Protection Authority issued a €35 million GDPR fine to H&M for unlawfully monitoring its employees.  

Investigators found that the retailer kept excessive and intrusive records about its workforce at its Nuremberg service center, including details about their families, religions, illnesses, holidays, medical symptoms, and diagnoses.

Additionally, managers collected further personal information about employees’ family matters and religious beliefs. The retailer improperly used this information to evaluate work performance and influence employment decisions.

This GDPR breach highlights the severe penalties violators of GDPR face for failing to protect employee privacy and adhere to data protection regulations.

9. British Airways – €22 million ($26 million)

In 2020, the Information Commissioner’s Office (ICO) imposed a substantial GDPR fine on British Airways for failing to implement adequate data privacy controls. This failure led to a cybersecurity breach in 2018 that compromised the personal and credit card information of 400,000 customers.  

Investigators determined that British Airways lacked essential security measures, such as multi-factor authentication, which violated GDPR guidelines. 

This case underscores the importance of robust security protocols in preventing GDPR violations and avoiding significant fines and penalties for data breaches.

10. Marriott International – €20.4 million ($23.8 million)

The Information Commissioner’s Office (ICO) fined Marriott International €20.4 million for failing to safeguard customers’ data. This GDPR breach compromised nearly 339 million guest records, including the personal information of seven million U.K. residents.  

The exposed data included sensitive details such as guests’ names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program membership numbers. 

This incident highlights how violators of GDPR face severe fines and penalties for inadequate data security measures, underscoring the critical need to protect personal information.

11. Vodafone Italia – €12.3 million ($14.5 million)

The Italian data regulator imposed a significant GDPR fine on Vodafone Italia for using customer data for marketing purposes without obtaining proper consent. Authorities found that Vodafone unlawfully processed the personal data of millions of users for telemarketing activities.

The investigation followed numerous complaints from users frustrated by unsolicited phone calls. 

This case highlights how the biggest GDPR fines are levied against organizations that fail to comply with consent requirements, emphasizing the importance of adhering to GDPR to avoid substantial penalties.

12. Austrian Post – €9.5 million ($10.2 million)

The Austrian Data Protection Authority (DPA) fined the Austrian Post €9.5 million for failing to properly fulfil data subject rights under GDPR. 

The investigation revealed that the company did not provide adequate options for customers to request a copy of their data or sufficient contact methods on their website to exercise these rights.  

This case highlights the importance of complying with GDPR guidelines regarding data subject rights and how failure to do so can result in significant GDPR fines and penalties.

13. Uber B.V. and Uber Technologies, Inc. – €4.24 million ($4.5 million)

The Italian Data Protection Authority (DPA) imposed a €4.24 million fine on Uber B.V. and Uber Technologies Inc. for having an unclear privacy policy. This penalty stemmed from a 2016 data breach that affected 57 million users, including 295,000 in Italy.  

The DPA found that Uber’s privacy policy was vague, incomplete, and confusing, as it failed to clearly outline data processing purposes and the roles of data controllers. The fine was upheld despite Uber’s defense, citing previous communications with the DPA. 

This case highlights the risks of noncompliance with GDPR and serves as a reminder of the consequences of unclear privacy policies, which can lead to significant GDPR fines and penalties. 

14. Carrefour Group – €3.05 million ($3.2 million)

CNIL fined Carrefour Group companies €3.05 million for GDPR and cookie violations. Carrefour France was fined €2.25 million, and Carrefour Banque €800,000. 

The fines were due to non-compliance with data access and erasure requests, sending direct marketing without consent, and setting non-essential cookies without approval. 

The companies were also found to have inadequate privacy notices and excessive data retention, leading to significant GDPR breach fines.

15. Amazon Road Transport – €2 million ($2.1 million)

Spain’s data protection authority, AEPD, fined Amazon Road Transport Spain €2 million for unlawfully processing criminal records data from delivery driver candidates. The company required candidates to provide certificates of good conduct, despite no legal basis for this request.  

The AEPD found that the consent obtained was invalid, as it was mandatory for the application, and no Spanish law mandated such certificates. This practice was deemed a violation of GDPR concerning data processing of criminal convictions, leading to significant GDPR fines for noncompliance.

16. Criteo – €40 million ($44 million)

French ad-tech company Criteo was fined €40 million by CNIL, France’s data protection authority, for failing to collect and store adequate consent records, a major GDPR violation. The case originated in 2018 after complaints from privacy groups None of Your Business (NOYB) and Privacy International. 

Criteo was found guilty of using data-processing techniques, including behavioral modeling, to profile internet users for targeted advertising without proper consent.  

The penalty, initially set at €60 million, was reduced to €40 million in 2023 after CNIL identified five GDPR breaches linked to Criteo’s ad-tracking activities. 

This case highlights how GDPR fines and penalties target companies engaging in non-compliant data practices, reinforcing the importance of precise consent mechanisms to avoid GDPR breach fines.

17. TIM – €27.8 million

Italian telecommunications operator TIM was fined by Garante, the Italian data protection regulator, for multiple GDPR violations related to customer data. TIM was penalized for making excessive advertising phone calls without proper recipients’ consent.  

This case highlights the importance of adhering to GDPR guidelines regarding user consent, as noncompliance can result in significant GDPR fines and penalties for violators of GDPR rules.

18. Enel Energia – €26.5 million ($29.3 million)

The Italian data protection authority fined Enel Energia for unlawfully using personal data for telemarketing purposes. The investigation revealed that the company failed to respect data subject rights and continued to process personal data for marketing despite clear requests to stop.  

This violation of GDPR regulations underscores the importance of honoring user consent and data rights. Companies that fail to comply face significant GDPR fines and penalties for breaching data protection laws.

19. Clearview AI – €20 million ($20.5 million)

Italy’s data protection authority imposed a €20 million fine on a facial recognition firm for violating GDPR. The company was found to have processed personal data, including biometric and geolocation information, without a valid legal basis.  

This case highlights the strict enforcement of GDPR fines and penalties for violators, particularly regarding sensitive data processing. Such breaches emphasize the need for companies to ensure compliance with GDPR rules to avoid significant penalties.

20. Wind Tre – €16.7 million ($18.4 million)

The Italian data regulator, Garante, fined telecom company Wind Tre €16.7 million for GDPR violations related to unlawful direct marketing activities. Users reported receiving unsolicited texts, emails, faxes, and automated calls despite not providing consent for marketing purposes.  

Additionally, the company included personal data in public phone directories, disregarding objections from users. This case underscores how violators of GDPR face significant fines and penalties for failing to respect user consent and data protection rights.

21. Eni Gas e Luce – €11.5 million ($12.7 million)

The Italian Supervisory Authority (ISA) fined Eni Gas e Luce €11.5 million for GDPR violations. The first fine, of €8.5 million, was for illegally processing personal data for telemarketing activities. A second fine, of €3 million, was imposed for using unsolicited contracts and forging information on those contracts.  

This case highlights the significant GDPR fines and penalties companies face for noncompliance, particularly regarding unlawful data processing and deceptive practices. Respecting user data and consent is crucial to avoid such violations.

22. Grindr – €6.5 million ($7 million)

Norway’s Data Protection Authority fined Grindr, a US-based dating app, €6.3 million for sharing users’ data with third parties without proper consent. Grindr was found to have sold personal data in violation of GDPR.  

This marked the largest fine issued by Norway’s DPA, citing the seriousness of the violations. Although the initial fine was higher, it was reduced after Grindr cited financial difficulties. This case underscores the grave consequences of GDPR breaches, particularly when user consent is disregarded.

23. CaixaBank – €6 million ($6.4 million)

The Spanish Data Protection Authority (AEPD) fined CaixaBank €6 million for GDPR violations, including mishandling personal data, failing to obtain valid consent, and not providing sufficient information about data processing practices.  

This fine, the largest ever imposed by the AEPD, highlighted significant compliance failures. CaixaBank was given six months to address these issues and align its processes with GDPR requirements to avoid further penalties.

24. Cosmote Mobile Telecommunications – €6 million ($6.4 million)

Greece’s Hellenic Data Protection Authority (HDPA) fined telecommunications companies COSMOTE €6 million and OTE €3.25 million for GDPR violations. 

COSMOTE was penalized for providing unclear information to subscribers, inadequate security, and poor data protection measures, while OTE was fined for failing to secure its infrastructure correctly.  

In addition to the fines, the companies were ordered to cease improper data processing and destroy the affected data. This case underscores the importance of robust security measures and transparent data practices to avoid significant GDPR fines and penalties.

25. Foodinho – €2.6 million ($2.7 million)

Foodinho was fined €2.6 million by Italy’s data protection authority, Garante, for unlawfully using employee management algorithms without proper transparency. 

The investigation found that the company used automated decision-making systems to manage and evaluate its riders, violating GDPR regarding automated decision-making and data consent.  

This case highlights the growing scrutiny of automated decision-making practices and underscores the importance of transparency and consent when using algorithms in business operations.

26. Easylife Limited – €1.48 million ($1.58 million)

The UK Information Commissioner’s Office (ICO) fined catalog retailer Easylife £1.48 million for misusing personal data to target customers with health products without consent.

Easylife used purchase history to infer medical conditions, marketed related products, and made over 1.3 million predatory marketing calls.  

The ICO found the company’s lack of transparency and aggressive marketing tactics to be severe GDPR breaches, noting the numerous consumer complaints. This case emphasizes respecting consent and consumer rights to avoid significant GDPR fines and penalties.

27. LinkedIn – €310 million

On October 30, 2024, the Irish Data Protection Commission (DPC) fined LinkedIn Ireland €310 million for misusing user data for behavioral analysis and targeted advertising without a lawful basis. 

A complaint from the French nonprofit La Quadrature Du Net initiated the investigation. Along with the fine, the DPC issued a reprimand and ordered LinkedIn to revise its data practices to ensure compliance with GDPR. 

This case reinforces the importance of transparency, fairness, and lawful data processing to avoid significant penalties.

28. Axpo Italia S.p.A. – €10 million ($10.9 million)

On September 9, 2023, Italy’s data protection authority, Garante, fined Axpo Italia Spa €10 million for GDPR violations. The company was found to have mishandled personal data, failing to comply with key data protection principles.

This case underscores the importance of adhering to GDPR, particularly regarding lawful data processing and transparency, to avoid substantial fines and enforcement actions.

29. EOS Matrix d.o.o. – €5.4 million ($5.8 million)

On October 5, 2023, the Croatian Data Protection Agency (AZOP) fined debt collection company EOS Matrix d.o.o. for GDPR violations. The case began when AZOP received a petition containing a USB stick with the personal data of 181,641 individuals, revealing improper data handling.  

The fine highlights the importance of securing personal data and ensuring compliance with GDPR, particularly in industries handling sensitive financial information.

30. REWE International – €8 million ($9 million)

The Austrian Data Protection Authority (DPA) fined food retailer REWE International €8 million for GDPR violations related to its loyalty program, jö Bonus Club. The company collected and used customer data for marketing without obtaining proper consent.  

This case highlights the need for businesses to ensure transparency and lawful data processing, particularly when handling consumer information for marketing purposes.

How To Comply with the GDPR?

Complying with the General Data Protection Regulation (GDPR) is crucial for businesses that handle personal data, especially if you operate in the EU or serve EU customers. To ensure you’re meeting GDPR requirements, here are some key steps you should follow:

  1. Data Mapping and Inventory: Understand what personal data you collect and how it’s processed, stored, and shared. Conduct a thorough audit of your data collection practices.
  2. Obtain Explicit Consent: Always obtain clear, informed consent from users before collecting their data, particularly for cookies and marketing purposes. Users must have the option to opt in or opt out of data collection.
  3. Transparency in Data Usage: Provide clear and concise privacy policies that explain how personal data is used, stored, and processed. Include details about how users can exercise their data protection rights, such as requesting access to or deleting their data.
  4. Implement Data Protection Measures: Safeguard personal data by adopting security measures like encryption and ensuring that access to data is restricted.
  5. Cookie Consent Management: Ensure your website has a precise cookie consent mechanism, asking users for permission to use cookies before collecting data.
  6. Privacy by Design: Build privacy protections into your processes, system design, and development stages.
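The consent rules behind several of the fines above (Amazon and Carrefour: no non-essential cookies before consent; Google: refusing as easy as accepting; Criteo: a consent record kept as evidence) written out as a small browser-side consent gate. This is an added example, not code from the article or from WP Legal Pages; the category names, `POLICY_VERSION` and the banner click counts are assumptions.

```javascript
// Consent gate for non-essential cookies and tags (added example, not the article's code).
// Rules modelled: nothing non-essential runs before an explicit choice, refusing costs
// no more clicks than accepting, and each choice is stored as a timestamped record.

const CATEGORIES = ['analytics', 'marketing']; // non-essential; 'necessary' is always allowed
const POLICY_VERSION = '2025-01';              // assumed identifier of the cookie policy shown

// Build a consent record from one user action.
// action: 'accept_all' | 'reject_all' | { analytics: bool, marketing: bool }
// Any category the user did not explicitly switch on is treated as refused.
function recordConsent(action, now = new Date()) {
  let choices;
  if (action === 'accept_all') {
    choices = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  } else if (action === 'reject_all') {
    choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  } else if (action && typeof action === 'object') {
    choices = Object.fromEntries(CATEGORIES.map((c) => [c, action[c] === true]));
  } else {
    throw new Error('unknown consent action');
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), choices };
}

// May a cookie or tag of this category run under the given record?
// No record (banner not answered yet) means only strictly necessary cookies.
// A record for an older policy version is stale: consent must be asked again.
function isAllowed(category, record) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category)) return false;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// Run a tag loader only when its category is allowed; returns whether it ran.
function loadTag(category, record, loader) {
  if (!isAllowed(category, record)) return false;
  loader();
  return true;
}

// A banner passes the "equal ease" check only if rejecting takes no more
// clicks than accepting (clicks counted from the banner's first screen).
function bannerIsBalanced(banner) {
  return banner.clicksToReject <= banner.clicksToAccept;
}

// Constructed walk-through: two page loads, before and after the user decides.
function demo() {
  const loaded = [];
  const beforeChoice = loadTag('marketing', null, () => loaded.push('ads'));   // false
  const rec = recordConsent('reject_all', new Date('2025-01-15T10:00:00Z'));
  const afterReject = loadTag('analytics', rec, () => loaded.push('stats'));   // false
  const necessary = loadTag('necessary', rec, () => loaded.push('session'));   // true
  return { beforeChoice, afterReject, necessary, loaded, record: rec };
}
```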

Consider using the WP Legal Pages Compliance Platform for an easy, efficient way to comply. This platform offers a comprehensive solution with legal pages (such as Privacy Policy, Terms & Conditions, and Cookie Policy) and a cookie consent plugin to ensure compliance with GDPR. 

It automates the process, saving you time and reducing non-compliance risk. Plus, it’s easy to set up, user-friendly, and regularly updated to meet changing regulations.

Stay compliant with the GDPR and protect your business and users by leveraging the right tools. WP Legal Pages simplifies GDPR compliance while keeping your website secure and legally protected.

FAQ

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union (EU) in 2018 to protect the privacy and personal data of individuals within the EU and the European Economic Area (EEA). It sets guidelines for how companies handle personal data and enforces accountability for breaches.

2. Why are companies fined under GDPR?

Companies are fined under GDPR for failing to comply with the law, including mishandling personal data, failing to protect user privacy, not obtaining proper consent, or not meeting data security requirements.

3. What are the biggest GDPR fines in 2025?

Some of the biggest fines in 2025 include Meta’s €1.2 billion fine for improper data transfers, TikTok’s €345 million fine for underage user protection, and Google’s €150 million fine for improper cookie consent mechanisms.

4. How can businesses comply with GDPR?

Businesses can comply by performing data mapping, obtaining explicit user consent, ensuring transparency in data usage, implementing robust data protection measures, and maintaining privacy by design.

5. How can WP Legal Pages help with GDPR compliance?

WP Legal Pages offers a comprehensive solution for businesses to create essential legal pages (Privacy Policy, Terms & Conditions, Cookie Policy) and manage cookie consent efficiently, ensuring GDPR compliance. It simplifies the process, saves time, and reduces non-compliance risk.

Conclusion

The hefty fines imposed on companies for violating GDPR serve as a clear reminder of the importance of data privacy and compliance. Businesses that fail to meet these regulations risk significant financial penalties and long-lasting reputational damage.

To ensure your business is compliant with GDPR and other privacy laws, consider using WP Legal Pages. This tool offers an easy and efficient way to manage your website’s legal pages and cookie consent, streamlining the process while protecting your business legally.

By integrating WP Legal Pages into your website, you can avoid non-compliance risks and safeguard your users’ privacy and your business’s reputation.

Grab the WP Legal Pages now!