GDPR Fines 2025/26: Tracker and SME Reality Check

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Maximum: EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher
  • 2025 top fines: TikTok EUR 530M (third-country transfers), LinkedIn EUR 310M (targeting without consent)
  • SME reality: average EUR 8,000-80,000; gross violations EUR 80,000-500,000
  • Top 3 triggers: cookie banner violations (35 percent), missing DPAs (18 percent), inadequate TOMs (15 percent)
  • Five escalation stages precede a fine — SMEs remain negotiable in stages 2-4 in 70 percent of cases

1. GDPR fine statistics 2025/26

Indicator                  | 2024                  | 2025
---------------------------|-----------------------|---------------------------
Number of fines EU-wide    | ~2,100                | ~2,450 (+17 percent)
Total amount               | EUR 1.9B              | EUR 2.3B
Big Tech share (top 10)    | EUR 1.4B (74 percent) | EUR 1.8B (78 percent)
SME average                | EUR 14,500            | EUR 16,200
Highest 2025 fine          |                       | TikTok EUR 530M (Ireland)

2. Top 10 fines 2025/26

Company               | Amount    | Violation                                   | Authority
----------------------|-----------|---------------------------------------------|--------------------------
TikTok                | EUR 530M  | Third-country transfer (China without SCCs) | DPC Ireland 2025
LinkedIn              | EUR 310M  | Targeting without consent                   | DPC Ireland 2024
Uber                  | EUR 290M  | US data transfer without safeguards         | AP Netherlands 2024
Meta                  | EUR 251M  | 2018 breach, follow-up violations           | DPC Ireland 2024
Vodafone              | EUR 45M   | Marketing calls + DPF violations            | BfDI 2025
H&M                   | EUR 35.3M | Employee monitoring                         | HmbBfDI 2020/2024
Clearview AI          | EUR 30.5M | Biometric processing without basis          | AP Netherlands 2024
Deutsche Wohnen       | EUR 14.5M | Tenant-data retention without deletion      | Berlin 2024
Notebooksbilliger.de  | EUR 10.4M | Video surveillance without basis            | LfDI Lower Saxony 2021
AOK Baden-Württemberg | EUR 1.24M | Access-rights gaps + missing training       | LfDI BW 2020

3. SME fines: actual practice

SME size          | Average fine        | Most common triggers
------------------|---------------------|------------------------------------------------
1-10 employees    | EUR 2,500-8,000     | Cookie banner, missing privacy notice
11-50             | EUR 8,000-25,000    | Missing DPAs, weak TOMs, late breach reporting
51-249            | EUR 25,000-150,000  | RoPA gaps, missing DPIA, access denied
250-1,000         | EUR 80,000-500,000  | Multiple violations, no deletion concept
1,000+            | EUR 500,000+        | Systemic violations, management liability

4. Seven typical mistakes that lead to fines

  1. Cookie banner without genuine choice (35 percent of EU fines).
  2. Missing DPAs with cloud providers, especially Microsoft 365 without EU Data Boundary (18 percent).
  3. Inadequate TOMs after a breach (15 percent).
  4. Refused or delayed access requests under Art. 15 (12 percent).
  5. Missing DPIA for high-risk processing (10 percent).
  6. No deletion concept, retention beyond the legal limit.
  7. Third-country transfers without TIA documentation.

5. Supervisory practice: what authorities actually check

According to the BfDI 2024 activity report, 85 percent of supervisory inquiries start with a request for the records of processing. The standard order: RoPA, DPA inventory, TOM concept, DPIA for high-risk processing, website privacy notice, cookie banner test, breach workflow, and training records.

6. The 14 documents authorities expect

  1. Records of Processing (Art. 30).
  2. TOM concept (Art. 32).
  3. DPA inventory covering all processors.
  4. DPIA methodology and threshold analysis.
  5. Breach response plan with 72-hour notification template.
  6. Deletion concept (DIN 66398-aligned).
  7. DPO appointment letter where required.
  8. Website privacy notice.
  9. Applicant and employee privacy notices.
  10. Cookie/consent concept (TDDDG-aligned).
  11. Third-country transfer TIA (Schrems II).
  12. Training concept and attendance records.
  13. Confidentiality declarations under Section 53 BDSG.
  14. Data-subject-rights workflow (Art. 15-22).

7. Damages claims under Art. 82 — escalating

Apart from supervisory fines, civil damages claims under Art. 82 GDPR are growing. The CJEU C-340/21 (December 2023) confirmed that non-material damages can be awarded based on the fear of misuse alone. Typical 2024-2026 awards: EUR 200-2,000 per individual; class actions covering up to 50,000 individuals create EUR 10-100M risk exposure. The EU representative-action directive (2020/1828) lets qualified consumer organizations file collective claims.

8. Nine-step fine-prevention checklist

  1. RoPA audit: are all processing activities documented?
  2. DPA inventory: every external processor under contract?
  3. TOM review: appropriate to the risk profile?
  4. DPIA for every high-risk processing activity.
  5. Breach tabletop exercise twice per year.
  6. Cookie banner tested with consent tool.
  7. Third-country TIA for every US tool.
  8. Annual employee training plus onboarding.
  9. DPO activity report to management.

Summary

The 2025 fine landscape is dominated by Big Tech (78 percent of total), but SMEs see steady five-figure fines for the same recurring failures. Closing the 14-document checklist removes the bulk of supervisory exposure. Civil damages claims now form a parallel risk track that needs separate attention.

Frequently Asked Questions

What is the maximum fine?
Up to EUR 20 million or 4% of global annual turnover (whichever is higher). This upper tier (Art. 83(5) GDPR) applies to the most severe violations: breaches of the processing principles, of the legal bases, of data subject rights, or of the third-country transfer rules. Lesser violations (Art. 83(4)) carry up to EUR 10 million / 2%.
What are typical SME fines?
Practice 2024-2026: average EUR 8,000-80,000 per case. For gross breaches of duty (missing RoPA, cookie banners without opt-out): EUR 25,000-150,000. Complete absence of GDPR compliance combined with supervisory proceedings that reach a hearing: EUR 80,000-500,000.
Which violations most frequently lead to fines?
BfDI statistics 2024: (1) cookie banner violations (35%), (2) missing DPAs with US cloud providers (18%), (3) inadequate TOMs after data breaches (15%), (4) refusal to provide information under Art. 15 (12%), (5) missing DPIAs for high-risk processing (10%).
What does 'effective, proportionate, dissuasive' mean?
Art. 83(1) GDPR. The supervisory authority considers: severity and duration of the violation, intent/negligence, measures to mitigate damages, cooperation with the supervisory authority, categories of data concerned, notification compliance (Art. 33), prior record. In practice: a first incident is usually a warning, a second one a fine.
Who decides on the fine?
Germany: state data protection authorities (16 LfDI + BfDI for federal authorities, telecommunications, postal services). Austria: ÖDSB. Switzerland: EDÖB. For cross-border violations: one-stop-shop mechanism with a lead supervisory authority + consultation of the concerned authorities.
Can the fine be paid in installments?
Yes, in practice. Supervisory authorities grant deferrals or installment payments, especially for SMEs facing liquidity-threatening amounts. Prior agreement is necessary — no unilateral delay.
Are fines tax-deductible?
No. Section 4(5)(8) EStG (German Income Tax Act): fines are not operating expenses. Defense costs (lawyer) are also only partially deductible — advisory costs yes, criminal defense costs no.
Escalation: what comes before the fine?
Supervisory escalation stages: (1) complaint received, (2) request for information sent to the company (often a demand to submit the RoPA), (3) hearing with a 4-8 week deadline, (4) warning or order, (5) fine notice in case of repetition or severity, (6) lawsuit / administrative court. At stages 2-4, SMEs are still in a negotiating position in 70% of cases.