GDPR Fines & Penalties 2026
Complete database of 5,535 GDPR fines, penalties, and data protection enforcement actions across Europe. Search fines, warnings, orders, bans, and investigations by country, action type, GDPR article, and violation category.
Data current as of 29 April 2026 · Updated daily
Frequently Asked Questions About GDPR Enforcement
Q:What types of GDPR enforcement actions exist?
GDPR enforcement actions include monetary fines (the most publicised), formal warnings, reprimands, processing bans, data erasure orders, and compliance orders. DPAs can also impose temporary or permanent limitations on data processing. Fines can reach up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher, under Article 83(5) GDPR.
Q:How are GDPR fines calculated by data protection authorities?
DPAs consider factors listed in Article 83(2) GDPR: nature, gravity, and duration of the infringement; intentional or negligent character; actions taken to mitigate damage; degree of responsibility; previous infringements; degree of cooperation; categories of personal data affected; how the infringement became known; and adherence to approved codes of conduct or certification mechanisms.
Q:Can GDPR fines be appealed?
Yes, GDPR fines can be appealed through national courts. Many high-profile fines have been challenged. The appeals process varies by country. Some fines have been reduced on appeal (e.g., British Airways' fine was reduced from GBP 183 million to GBP 20 million), while others have been upheld or even increased.