GDPR fines and penalties in the US & EU: A guide for effective compliance

It’s been seven years since GDPR reshaped global privacy law, and enforcement is only getting tougher. Regulators have ramped up fines and corrective actions, and no business is too small to be caught in the net.
Recent cases show regulators targeting not just Big Tech, but also SMEs and large businesses across sectors like employment, retail, and energy. If you process the personal data of EU residents, you’re firmly on their radar.
Add the growing use of AI and other emerging technologies, and the compliance landscape gets even more complex. Enforcement is more aggressive, rules are evolving, and the margin for error is shrinking.
In this article, we’ll unpack the latest enforcement trends, the most common triggers for GDPR fines, who regulators are focusing on, and practical steps to keep your business compliant.
GDPR enforcement structure: types of violations and GDPR penalties
The first questions most businesses ask when discussing GDPR enforcement are: Who enforces GDPR? and How much is a GDPR fine?
Each EU member state has its own independent Data Protection Authority (DPA). These regulators investigate, issue warnings, ban unlawful processing, and, most importantly, impose fines. Member states can also set additional penalties, including criminal charges for severe GDPR violations.
When a violation is found, GDPR penalties may be imposed on a business based on a clear, two-tiered system (Article 83) designed to match the severity of the offense:
1. Tier 1 GDPR fines (Article 83(4))
In this tier, fines can go up to €10 million or 2% of your company’s worldwide annual turnover, whichever is greater. This tier of GDPR penalties usually applies to first-time or less severe infringements, such as:
- Not obtaining parental consent when processing a child’s data (Article 8).
- Maintaining, acquiring, or processing personal data for the sole purpose of identifying a data subject when that identification is not required.
- Neglecting to implement data protection by design and default (Article 25).
- Not maintaining written records of data processing activities (Article 30).
- Refusing to cooperate with a supervisory authority (Article 31).
- Not implementing adequate data protection measures (Article 32).
- Failing to report a data breach to the DPA without undue delay, and within 72 hours where feasible (Article 33).
- Neglecting to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing (Article 35).
- Failing to appoint a data protection officer (DPO) when required or restricting their independence (Articles 37, 38).
2. Tier 2 GDPR fines (Article 83(5))
In this tier, fines can go up to €20 million or 4% of your worldwide annual turnover, whichever is greater. This tier kicks in for more serious or repeated violations of GDPR, including:
- Processing personal data unlawfully, unfairly, or not for a specified, legitimate purpose (Article 5).
- Processing personal data without a valid legal basis (Article 6).
- Failing to meet the conditions for valid consent, which must be freely given, specific, informed, and unambiguous.
- Processing personal data belonging to special categories without a valid exemption (Article 9).
- Not respecting the data subjects’ rights, including the rights to information, access, correction, deletion, and processing restriction, among others (Articles 12-22).
- Unlawfully transferring personal data outside the EU (Articles 44-49).
The exact amount of fines varies from case to case. When a DPA determines a fine, they consider a range of factors, including:
- The nature, gravity, and duration of the violation.
- Whether it was intentional or due to negligence.
- Mitigating actions taken by the organization.
- The data sensitivity and the number of data subjects affected.
- The company’s cooperation with the DPA.
- History of previous infringements.
These factors are key in determining the final GDPR penalty and help DPAs ensure that the punishment fits the offense.
Not every violation results in multimillion-euro fines, but the possibility alone should drive businesses to act.
And administrative fines are only part of the picture. Under Article 82, data subjects can claim compensation for both material and non-material damage. The European Court of Justice has confirmed there’s no minimum threshold.
This opens the door for a wider range of compensation claims, as the "mere loss of control over personal data" can be considered non-material damage.
That changes the stakes.
For instance, a claim under Article 82 was awarded compensation of €10,000, which can be a financial blow for a small business. However, the real threat comes from mass litigation.
With a lower bar for proving damage, you could face hundreds or thousands of similar claims, quickly surpassing even the steepest administrative GDPR fines. That’s why building a solid GDPR compliance foundation is non-negotiable.
These GDPR penalties are meant to push businesses toward a proactive, risk-aware culture. If you take data privacy seriously, you’re not just avoiding fines. You’re earning trust and building a stronger, more resilient business.
Recent GDPR fines in the EU and what we can learn
As we move through 2025, GDPR fines keep piling up, both in number and size.
From its inception in May 2018 to August 2025, regulators have issued over 2,800 GDPR fines totaling over €6.2 billion. More than 60% of that (over €3.8 billion) has been imposed since January 2023 alone.
This dramatic rise in the frequency and amount of GDPR fines highlights a more rigorous enforcement environment, indicating the EU’s strong commitment to privacy protection.
Let’s take a deeper look into the past year’s enforcement actions and GDPR penalties:
- Top three EU countries by number of fines: Spain (107), Romania (61), and Italy (41).
- Top three countries by fine amounts: Ireland (€1.18 billion), Germany (€45.9 million), and Italy (€32.4 million).
- Most exposed sector to GDPR fines: Media, telecommunications, and broadcasting, for the fourth consecutive year.
- Tech drivers: Emerging technologies are a significant factor in rising enforcement actions. The widespread use of AI, for example, often involves processing personal data in unsafe ways that potentially violate data privacy laws.
- Top five reasons for fines:
  - Insufficient technical and organizational measures to ensure information security (86 fines).
  - Non-compliance with general data processing principles (74 fines).
  - Insufficient legal basis for data processing (73 fines).
  - Insufficient cooperation with the supervisory authority (25 fines).
  - Insufficient fulfillment of data subjects' rights (18 fines).
- Largest GDPR fines in the last year:
Note: All the facts and figures are sourced from GDPR Enforcement Tracker and GDPR Enforcement Tracker Report 2025.
Lessons from recent GDPR penalties
Here’s the gist extracted from the recent GDPR fine examples. GDPR fines aren’t just meant to make bold headlines; they’re a wake-up call for every company handling personal data of EU residents.
Regulators have made it clear: either manage data responsibly, or pay a heavy price.
Here are the non-negotiables, straight from the GDPR penalty playbook:
- Legal basis is paramount: Stop guessing. Every piece of data you process needs a solid, documented legal basis. Many of the biggest fines hit companies that failed to provide one. Consent, contract, legitimate interest: choose the right reason for each processing activity and be ready to justify it.
- Security isn’t optional: Data breaches are costly, not just in fines, but in reputation. The top reason for penalties is insufficient data protection measures. This means you must focus on robust controls, encryption, regular updates, and serious risk assessment. No excuses. Both your financial standing and brand credibility are on the line.
- Transparency equals trust: People have the right to know what you’re doing with their data. Clear privacy policies, prompt responses, and honesty about breaches build trust. Break it—intentionally or not—and you risk fines and compensation claims.
- Cooperate with authorities: Obstructing a DPA investigation only makes matters worse. Holding back information can inflate GDPR fines and invite public fallout. When regulators come knocking, respond fully and promptly. Professionalism can soften the impact.
- Being continuously compliant: GDPR compliance is not a one-and-done thing. New technologies emerge (like artificial intelligence), threats evolve, and regulations shift. This means you should regularly monitor your compliance status, update your policies as needed, and conduct periodic staff training to stay out of the penalty box.
How GDPR and its penalties apply to US-based companies
If you’re wondering whether GDPR applies to businesses located in the US, the answer is yes. Article 3 of GDPR states that the law applies to any organization processing the data of individuals in the EU, regardless of where the organization is located or where the data is processed.
The key to GDPR compliance is your audience’s location, not your company’s location. The law is more about protecting individuals’ rights rather than just regulating businesses.
You must comply with GDPR if you process the personal data of people residing in the EU or European Economic Area (EEA) and meet the following criteria:
- Offer goods or services to EU or EEA residents, whether free or paid.
- Monitor the behavior of users in the EU or EEA, provided the behavior occurs in that region.
The same goes for GDPR fines. Any business outside the EU, including those in the US, that violates GDPR can face a fine or other corrective actions from the relevant DPA.
In fact, eight of the 10 highest GDPR fines so far have been imposed on US-based companies, including Meta, Amazon, LinkedIn, WhatsApp, and Uber. The sum of their fines amounts to a whopping €3.9 billion, which is nearly 63% of the entire fine amount (€6.2 billion) to date.
The primary reasons for these fines ranged from a lack of transparency and an insufficient legal basis for processing user data to the improper transfer of data outside of the EU.
While multi-million euro fines imposed on Big Tech and large corporations grab headlines, GDPR penalties in the US also extend to several small and mid-sized companies. Regulators are also on the lookout for GDPR breaches by companies in sectors beyond technology, such as healthcare, finance, and energy.
Smaller organizations may not face massive penalties or grab attention, but even a moderate GDPR fine can significantly disrupt their business and damage their professional credibility.
For example, a US-based facial recognition company, Clearview AI, was fined €30.5 million ($33.7 million) by the Dutch DPA for multiple GDPR violations in 2024. Not only that, various EU DPAs have fined it seven times since 2020, totaling over €100 million. This shows that even smaller, data-driven US companies are firmly within the regulators’ sights.
GDPR penalties go beyond monetary fines. Corrective actions can include reprimands, heightened scrutiny, and even temporary bans on data processing.
GDPR enforcement is becoming more aggressive than ever in 2025. Regulators across Europe are zeroing in on violators, issuing heavy GDPR fines and even hinting at holding executives personally liable for compliance lapses.
If your business interacts with EU residents in any way, adapting to these evolving enforcement trends should be your top priority.
Comparing enforcement trends: US vs. EU
The enforcement of various privacy regulations is fundamentally different in the EU and the US. Here’s an overview of how they differ:
Let’s have a closer look at enforcement trends in the two regions:
Enforcement philosophy
EU
Since GDPR treats data privacy as a fundamental human right, its enforcement mechanism is designed to be proactive and global in scope.
National DPAs, guided by the EDPB, are stepping up scrutiny through coordinated actions.
The recent enforcement sweeps under EDPB’s Coordinated Enforcement Framework (CEF) provide a perfect example of this structured approach:
- 2024 CEF: focused on the “right to access.”
- 2025 CEF: revolves around the “right to erasure.”
The EU also enacted the world’s first comprehensive AI Act to address privacy risks that stem from the misuse of AI. It came into force on August 1, 2024, with many of its mandates already applicable now, and those remaining set to be fully applicable by August 2, 2027.
US
In contrast, the US enforces data privacy reactively, seeing it as a matter of consumer protection rather than a fundamental right. Enforcement typically follows breaches, unfair business practices, or consumer complaints.
Privacy enforcement in the US is a complex patchwork of federal and state laws, each with its own distinct regulator. For example, the FTC enforces general consumer privacy, while specific laws like HIPAA and COPPA are handled by other agencies.
Additionally, the CCPA (2018) inspired 19 other US states to pass similar laws. However, this creates a fragmented landscape where businesses must comply with different rules in different states.
Types of violations prioritized
EU
Enforcement is laser-focused on core GDPR principles. Recent trends confirm that GDPR regulators are actively targeting fundamental issues:
- The lack of a valid legal basis for data processing.
- Using personal data without proper consent.
- Mishandling data subject rights.
For instance, the report on the actions of the Commission Nationale de l'Informatique et des Libertés (CNIL, French DPA) in 2024 confirms this. According to the report, CNIL’s sanctions and corrective measures focused on violations such as marketing without consent, infringing upon individual rights, and not ensuring data minimization.
US
In the US, enforcement is highly focused on specific, tangible violations. The FTC gets involved when a company fails to protect consumer data or misrepresents its privacy practices.
FTC and state AGs frequently take action against companies for:
- Security failures leading to breaches.
- Deceptive advertising and business scams.
- False claims about AI capabilities.
- Data privacy of minors (COPPA).
This reflects a growing trend of holding companies accountable, and penalizing them, for failing to uphold their promises to customers, especially under the new state privacy laws.
Severity of penalties
EU
This is where the difference is most striking. GDPR fines are a percentage of a company’s global annual turnover. This means regulators can slap multi-million or even billion-euro fines on violators. The message is clear: protecting individual privacy is paramount.
US
Regulators in the US calculate fines on a per-violation or per-customer basis. While the amounts can reach tens of millions of dollars, they rarely approach the scale of GDPR fines.
For example, a company might face $1,000 per violation, which can add up quickly, but doesn’t hit as hard as the GDPR’s turnover-based model.
Common compliance failures that lead to GDPR fines
GDPR compliance can feel like a balancing act. From establishing a lawful basis and implementing privacy by design to fulfilling data subject requests, there’s a lot to manage.
A single slip can lead to GDPR penalties and corrective actions from authorities, severely impacting your business. Here are some common compliance gaps that may result in GDPR fines:
Poor data security
Recent GDPR fines indicate that enforcers are increasingly cracking down on companies with insufficient data security. This means your security practices are no longer a footnote. They’re your top enforcement priority.
Insecure systems not only attract non-compliance penalties but also leave your data open to cyberattacks that can cost you much more than a GDPR fine.
Ignoring legal basis and core GDPR principles
Non-compliance can happen even before you process any data. Without a valid legal basis—whether it’s explicit consent or a contractual requirement—even collecting data is against the law, violating its very premise. Enforcers have tightened their grip on businesses that use personal data for marketing or behavioral analytics without a legal basis.
And it doesn’t stop there. Break any of GDPR’s seven principles—including data minimization, purpose limitation, integrity, accountability—and you’re on a direct path to GDPR penalties.
Not fulfilling data subject rights
The law gives EU residents clear rights, and ignoring them is costly. Mishandled access, correction, or deletion requests not only risk fines but erode trust: something money can’t buy back.
Cross-border data transfers
Transferring data outside the EU or EEA is one of GDPR’s most sensitive areas. Unless there’s an EU adequacy decision or proper safeguards (like binding corporate rules), you’re exposed. This isn't a theory. Meta’s €1.2 billion fine in 2023 is proof of how steep the penalty can get.
Failing to report a data breach
Even with the best security measures, breaches can occur. GDPR can hold you accountable not just for preventing breaches but for your response to them. You are required to report a data breach to the DPA within 72 hours of identifying it.
Failing to meet this mandate or providing insufficient information can result in additional GDPR penalties besides those for the security failure.
Checklist: How to avoid GDPR fines
Here is a quick checklist to help you avoid common compliance pitfalls and GDPR fines:
- Periodically perform data mapping and auditing to ensure your data processing activities align with your policies.
- Ensure every data processing activity has a valid legal basis.
- Obtain freely given, specific, informed, and unambiguous consent, and make it as easy to withdraw as to give.
- Collect and process data only for a defined, legitimate purpose.
- Collect and store only the minimum amount of data needed for the purpose.
- Keep personal data accurate and up to date, correcting or erasing inaccuracies promptly.
- Regularly review and update your privacy policies to align them with GDPR’s requirements.
- Ensure processes are in place for responding to all data subject requests within the required timeframe.
- Embed privacy and security controls into all new systems and processes from the start.
- Conduct a DPIA for any new processing activity that poses a high risk to data subjects.
- Implement strong data security measures to protect data from misuse and breaches.
- Have a breach response plan in place and be prepared to notify the DPA of any personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
- Maintain detailed, up-to-date records of all data processing activities (RoPA).
- Appoint a DPO if applicable to your organization, and ensure their independence.
- Ensure all third-party vendors and partners are also compliant and have appropriate contracts.
- Have a valid legal mechanism—like an adequacy decision or standard contractual clauses—for all data transferred outside of the EU/EEA.
- Regularly train employees on data handling best practices and security protocols.
- Continuously monitor systems and processes to check for compliance gaps.
- Use GDPR compliance software to streamline all of the above processes.
How automation helps you stay ahead of GDPR risks
Most GDPR compliance failures aren’t deliberate. They usually happen because of limited resources, manual processes prone to errors, siloed implementation, or employees simply not being aware of what’s required.
The fix? Move away from fragmented, manual compliance and adopt a comprehensive automation platform like Scrut.
Scrut is trusted by 1,500+ customers worldwide to simplify GDPR compliance and stay away from GDPR penalties. With its automation-first approach, it helps you shift from reactive fire-fighting to proactive, continuous compliance. It keeps you aligned with GDPR requirements and out of regulators’ crosshairs.
Here’s what it offers:
- Pre-built, expert-vetted GDPR policy templates to get started on day one.
- Controls pre-mapped with GDPR’s core articles.
- Integrated risk management to reduce non-compliance risks.
- Daily automated control monitoring for always-on compliance.
- Compliance gap analysis with real-time alerts.
- Streamlined remediation workflows with owner assignment and progress tracker.
- Automated evidence collection to always stay audit-ready.
- Vendor management with automated third-party risk assessments and compliance monitoring.
- Real-time dashboards for enhanced visibility into risk and compliance posture.
- Single-click compliance reports with drill-down options.
- Tagging and commenting features for smooth collaboration among internal teams and with auditors.
- Automated, secure employee onboarding and tailored security training.
- Access to GDPR experts to fix control gaps and conduct in-depth DPIAs.
- Proactive customer support with 24×5 availability.
Want to see Scrut in action? Take our product tour or book a personalized demo with us today to discover how we can help you avoid GDPR fines and achieve sustained growth.