The General Data Protection Regulation (GDPR) is the cornerstone of data privacy law in the European Union. It sets out strict obligations for businesses processing personal data and introduces some of the world’s toughest enforcement powers.
One of the most discussed aspects of the GDPR is its regime of substantial administrative fines. At AGPLAW, we are often asked: How exactly are these GDPR fines calculated? Why do penalties vary so widely, from modest sums to hundreds of millions of euros?
In this guide, we explain how GDPR penalties are calculated in practice, exploring the legal framework, the European Data Protection Board’s guidelines, and real-world enforcement examples. If your company is doing business in the EU or handling EU residents’ personal data, understanding this process is vital for effective data privacy compliance.
The Legal Basis for GDPR Fines
Under the GDPR, national supervisory authorities in each EU Member State can impose fines for breaches. The core provision is Article 83, which establishes the legal foundation for these fines and sets important principles: any penalty must be effective, proportionate and dissuasive.
In practice, the GDPR sets out two tiers of maximum fines:
- Up to €10 million or 2% of the company’s total worldwide annual turnover, whichever is higher, for infringements such as record-keeping failures or inadequate security measures.
- Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for more serious breaches, such as unlawful processing, violating data subjects’ rights, or breaching cross-border transfer rules.
These maximum figures often grab headlines, but they are just upper limits. The actual amount of a GDPR administrative fine is calculated through a structured assessment of multiple factors.
Key Factors Determining GDPR Penalties
Article 83(2) GDPR lists mandatory criteria that must be considered in deciding whether to impose a fine and in setting its amount.
These criteria include:
- Nature, gravity, and duration of the infringement: How severe was the breach? How many data subjects were affected? How long did the violation last?
- Intentional or negligent character: Was the breach deliberate, or did it result from carelessness?
- Mitigation efforts: Did the company act quickly to limit harm?
- Degree of responsibility: Were sufficient technical and organisational safeguards in place?
- Past infringements: Does the company have a history of violating data protection rules?
- Cooperation with authorities: Did the company help the investigation?
- Categories of personal data affected: Were sensitive categories (like health or children’s data) involved?
- How the breach became known: Was it self-reported or discovered by complaint?
- Other aggravating or mitigating factors: For example, was financial benefit derived from the breach?
These factors ensure that GDPR fines are not arbitrary, but instead carefully tailored to the circumstances of each case.
EDPB Guidelines: A Standardised Methodology
To harmonise enforcement across the EU, the European Data Protection Board (EDPB) has issued Guidelines 04/2022 on the Calculation of Administrative Fines, adopted in 2023. These guidelines help national authorities apply Article 83(2) consistently.
Step 1 – Identify the Infringement
Regulators first identify the specific processing activities that breached the GDPR and classify them into the appropriate tier (lower or higher). For instance, failing to implement adequate security measures typically falls in the lower tier, while unlawful processing or ignoring data subjects’ rights usually falls in the higher tier.
Step 2 – Assess Gravity and Set a Starting Amount
Authorities then assess the nature, gravity, and duration of the infringement to determine a starting point for the fine. The EDPB proposes indicative ranges:
- Low gravity: 0–10% of the maximum.
- Medium gravity: 10–20% of the maximum.
- High gravity: 20–100% of the maximum.
A serious Tier 2 breach might have a starting amount at 20% of €20 million (or 20% of 4% of global turnover if that is higher).
Step 3 – Adjust for Aggravating and Mitigating Factors
Authorities then adjust the starting amount. Aggravating factors include intentional wrongdoing, repeat offences, delay in notifying breaches, or obstructing investigations. Mitigating factors can include swift mitigation efforts, voluntary breach notifications, and full cooperation.
Step 4 – Check Against the Maximum
The adjusted figure must stay within the GDPR’s legal ceilings, either €10 million/2% or €20 million/4% of global turnover.
Step 5 – Ensure Effectiveness, Proportionality, and Deterrence
Finally, authorities must ensure the fine is effective, proportionate to the company’s size and resources, and sufficiently dissuasive. This ensures small companies are not ruined by disproportionate fines while large multinationals cannot simply absorb minor penalties as a cost of doing business.
Why Turnover Matters
A defining feature of the GDPR is its use of total worldwide annual turnover as the basis for calculating maximum fines. This means that large multinationals cannot escape meaningful enforcement by sheltering operations in small subsidiaries. The 2% or 4% thresholds apply to the entire corporate group’s turnover, creating real financial incentives to comply with EU data protection law.
Enforcement in Practice: Notable Examples
Several landmark cases illustrate how GDPR fines are calculated in practice.
- Amazon Europe received a record €746 million fine from Luxembourg’s CNPD in 2021 for alleged unlawful processing of personal data for targeted advertising. While details remain partly confidential, the fine reflects the enormous scale of processing, the duration, and the perceived intentional nature of the breach.
- British Airways was initially threatened with a £183 million fine by the UK ICO (then still under GDPR). Following mitigation efforts, demonstrated cooperation, and the financial impact of COVID-19, the final penalty was reduced to £20 million. This shows how regulators consider mitigation and proportionality.
- H&M was fined €35.3 million in Germany for systematic monitoring of employee privacy, including sensitive data. The regulator considered this an intentional and grave breach, though the fine also accounted for H&M’s cooperation and remedial measures.
These examples show how authorities balance scale of harm, type of data, intent, mitigation, and company turnover to set fines that are proportionate yet dissuasive.
Aggravating and Mitigating Factors: A Closer Look
The GDPR and the EDPB guidelines both stress that context matters.
Aggravating factors can include:
- Deliberate or repeated violations
- Obstructing investigations
- Gaining financial benefits through non-compliance
- Systematic or large-scale infringements
Mitigating factors may include:
- Immediate and effective mitigation
- Voluntary notification of the breach
- Full cooperation with authorities
- A clean compliance record
For businesses, this means that even in the event of a breach, demonstrating a culture of compliance and transparent cooperation can significantly reduce potential penalties.
SMEs and Non-Profit Organisations
The GDPR’s proportionality requirement ensures that fines don’t disproportionately harm small and medium-sized businesses or non-profits. Authorities can choose to impose a reprimand instead of a fine or significantly reduce the amount if the company’s turnover is low.
However, seriousness matters more than size. Small businesses processing sensitive data without proper safeguards can still face meaningful penalties. At AGPLAW, we routinely advise SMEs on GDPR compliance strategies that both meet regulatory expectations and make sense for their scale and resources.
Beyond Fines: Other Enforcement Measures
It is important to remember that GDPR enforcement isn’t only about fines. Supervisory authorities can impose corrective orders, suspend or restrict certain processing activities, or require deletion of unlawfully obtained data.
Additionally, data subjects can seek compensation for damages resulting from breaches. In some Member States, criminal cases can also apply under national laws for certain serious offences.
Often, the reputational damage from enforcement actions or publicity surrounding a breach can be even more costly than the fine itself. This emphasises the importance of adopting a strong data privacy compliance programme.
Conclusion
While the GDPR’s fine regime often makes headlines for painful amounts, the underlying system for calculating GDPR administrative fines is careful, structured, and balanced.
By taking into account the nature and gravity of the breach, intent, mitigation efforts, cooperation, turnover, and the principle of proportionality, regulators ensure that penalties are tailored, fair, and genuinely effective.
For companies, the message is clear: proactive GDPR compliance is not optional. Investing in privacy governance, training, strong security, and responsive incident management isn’t just about avoiding fines; it is about protecting your customers, your reputation, and your long-term business viability.
About AGPLAW
At AGPLAW, our GDPR and data protection regulatory team provides practical, strategic advice on EU data protection law, GDPR compliance, and enforcement risk management. We assist businesses of all sizes in building strong data protection frameworks, preparing for regulatory audits, and responding effectively to investigations.
If you have questions about GDPR fines, data protection policies, or compliance audits, contact us to learn how we can help.
The information provided by AGPLAW | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, the author, publisher, or any related parties make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information. In no event will the author, publisher, or any related parties be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this document/article. You should not act or refrain from acting based on any information provided above without obtaining legal or other professional advice.