GDPR fines since 2018: What the numbers really show

Since the GDPR came into force in May 2018, enforcement has evolved from cautious supervision to a mature and strategically targeted regulatory framework.
Billions of euros in fines have been issued across the EU, but the raw totals only tell part of the story.
If you only look at the headlines, you might assume that GDPR enforcement is dominated by a few tech giants. And yes, Ireland and Luxembourg lead the ranking in average fines largely because of record-breaking penalties against companies like Meta and Amazon. But the broader picture is far more nuanced.
For example:
- Spain leads Europe by a wide margin in the total number of fines.
- Ireland dominates in total fine amounts, despite issuing very few decisions.
- Media, Telecoms & Broadcasting shows dramatically higher average fines than any other sector.
- The most common violations are not exotic or complex; they revolve around basic principles, lawful processing, and insufficient security measures.
- Annual totals fluctuate heavily, and a single landmark case can reshape an entire year’s statistics.
The data reveals two parallel enforcement realities: high-frequency operational enforcement in some countries, and high-impact strategic fines in others.
In this article, we break down:
- Enforcement by sector
- Enforcement by country (volume vs. financial weight)
- Violation trends
- Annual developments from 2021 to 2025
- And what these patterns mean for companies operating in the EU
The conclusion may surprise you: GDPR enforcement is no longer just about punishing major tech companies — it is increasingly about systematic compliance, documentation, and technical safeguards across all industries.
Let’s dive into the numbers.
Chart 1: Average fine by sector (since the GDPR came into force)
The chart clearly shows that Media, Telecommunications and Broadcasting stands in a league of its own when it comes to the average GDPR fine amount. The gap between this sector and all others is striking. With an average fine exceeding €12 million, it is multiple times higher than the second-ranked sector and significantly above the overall landscape. This suggests that supervisory authorities impose particularly substantial penalties in cases involving large-scale data processing, platform ecosystems, advertising technologies, and cross-border data transfers – all common in media and telecom environments.
In second place comes Employment, with an average fine slightly above €2 million. Although far behind the leading sector, employment-related cases still show relatively high penalty levels. This reflects the sensitivity of employee data, the imbalance of power in employer-employee relationships, and frequent compliance issues related to monitoring, excessive data retention, or insufficient transparency.
Closely following is Industry & Commerce, also with an average fine around the €2 million mark. This sector often involves large customer databases, CRM systems, and complex data flows across supply chains. Data breaches, insufficient security measures, and unlawful processing of customer information appear to be key enforcement drivers here.
In fourth position, Transportation & Energy shows an average fine of roughly €1.5 million. While lower than the top three, it still reflects the critical infrastructure nature of these industries, where data security and operational resilience are particularly important. Large-scale service providers in this space process substantial volumes of personal data, making compliance failures financially significant.
Overall, the chart illustrates a clear pattern: sectors characterized by high data volumes, cross-border operations, and complex digital ecosystems tend to face the highest average fines under the GDPR.
Chart 2: Number of fines by sector (since the GDPR came into force)
While the previous chart highlighted average fine amounts, this chart shifts the perspective to the number of GDPR fines per sector, revealing a different enforcement dynamic.
The most notable result is that Industry & Commerce leads by a wide margin, with nearly 480 recorded fines. This clearly positions it as the sector most frequently targeted by enforcement actions. The high volume likely reflects the sheer number of companies operating in this category, combined with extensive customer data processing, marketing activities, and large digital infrastructures.
In second place is Media, Telecommunications and Broadcasting, with slightly above 300 fines. Although this sector also dominates in terms of average fine size, it does not lead in volume. This suggests that while enforcement actions may be fewer than in Industry & Commerce, they tend to involve larger, more impactful cases, often against major platforms or multinational operators.
Interestingly, Individuals & Private Associations also show a relatively high number of fines, comparable to Media & Telecom. This indicates that GDPR enforcement is not limited to large corporations. Smaller entities, associations, and even individuals can face penalties, often related to unlawful data publication, insufficient legal basis for processing, or transparency violations.
Following these sectors are Public Sector & Education and Finance, Insurance & Consulting, both with over 240 cases. This underlines the ongoing regulatory scrutiny of institutions that handle large volumes of sensitive personal data, including financial records, citizen information, and educational data.
At the lower end, Accommodation & Hospitality and Real Estate show comparatively fewer fines. This may reflect either lower enforcement activity or fewer reported violations, but not necessarily lower compliance risk.
Overall, the chart demonstrates that GDPR enforcement is both broad and sector-diverse. Some sectors face high average penalties, others high enforcement frequency, and in a few cases, both.
Chart 3: Total number of fines by country (since the GDPR came into force)
This chart illustrates the total number of GDPR fines by country since the regulation came into force, revealing significant differences in enforcement intensity across Europe.
Spain clearly dominates the ranking, with close to 950 recorded fines. The gap between Spain and all other countries is substantial, indicating a particularly active supervisory authority. Spanish data protection authorities are known for consistently investigating complaints and issuing fines, including against smaller entities, which contributes to the high volume.
In second place is Italy, with roughly 400 fines. While significantly lower than Spain, Italy still stands out compared to the rest of the EU. This suggests a strong enforcement culture and a relatively high level of regulatory activity.
Germany, despite being Europe’s largest economy, appears further down the list with 86 recorded fines (as shown in the chart). This may seem surprising at first glance. However, Germany operates with a decentralized supervisory structure, where enforcement is distributed across federal states. The lower number does not necessarily indicate weak enforcement but may reflect differences in reporting structures, enforcement strategies, or the preference for corrective measures over financial penalties.
Countries such as Poland, Greece, Hungary, France, Norway, and Cyprus show moderate but steady enforcement activity. Their fine counts suggest active supervision, though on a smaller scale compared to Spain and Italy.
Overall, the chart highlights that GDPR enforcement intensity varies significantly across jurisdictions. The number of fines is influenced not only by population size or economic output, but also by national enforcement culture, supervisory authority resources, reporting practices, and regulatory priorities.
Chart 4: Average fine by country (since the GDPR came into force)
This chart presents the average GDPR fine amount by country since the regulation entered into force, and the results reveal a very different picture compared to the total number of fines.
At the top of the ranking is Ireland, followed by Luxembourg. However, this position is heavily influenced by a small number of exceptionally large fines rather than a high overall enforcement volume.
Ireland’s leading position is largely explained by several landmark decisions involving major multinational technology companies headquartered there. The most significant case to date is the €1.2 billion fine against Meta (2023). In addition, the €530 million fine against TikTok (2025) further increases Ireland’s average fine amount. Similarly, Luxembourg’s high ranking is driven primarily by the €746 million fine against Amazon Europe (2021). These large-scale cases significantly distort the statistical average.
Top-3 fines since the GDPR came into force:
| # | Controller | Sector | Country | Fine, € | Type of Violation | Date |
|---|---|---|---|---|---|---|
| 1 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Ireland | 1,200,000,000 | Insufficient legal basis for data processing | 2023-05-12 |
| 2 | Amazon Europe Core S.à.r.l. | Industry and Commerce | Luxembourg | 746,000,000 | Non-compliance with general data processing principles | 2021-07-16 |
| 3 | TikTok Technology Limited | Media, Telecoms and Broadcasting | Ireland | 530,000,000 | Insufficient legal basis for data processing | 2025-05-02 |
In contrast, countries such as Spain and Italy, which lead in total number of fines, rank much lower in terms of average fine size. This suggests a more distributed enforcement pattern: frequent but generally smaller penalties across a broad range of organizations.
Germany appears in the upper-middle range, with an average fine of approximately €656,000. This reflects a more balanced enforcement approach, combining mid-sized penalties with fewer extreme outliers.
The key takeaway from this chart is that average fine size does not necessarily reflect enforcement intensity, but rather the presence of large cross-border cases, often linked to the “one-stop-shop” mechanism under GDPR. Countries hosting European headquarters of global tech companies naturally become the lead supervisory authority in major cross-border investigations.
Chart 5: Total accumulated sum of fines by country (since the GDPR came into force)
This chart illustrates the total accumulated monetary value of GDPR fines per country since 2018, combining both enforcement volume and penalty size into one financial impact indicator.
At the top of the ranking are again Ireland and Luxembourg, with a very substantial lead over all other countries. Their dominant position is primarily driven by a few exceptionally large fines against multinational technology companies headquartered there.
However, unlike the “average fine” chart, this view reflects the overall financial enforcement impact per jurisdiction. It shows not only the presence of outlier cases but the total regulatory exposure concentrated in specific countries.
Following Ireland and Luxembourg are France and the Netherlands, both of which have accumulated significant total fine volumes. These countries combine relatively active enforcement with several high-value penalties, placing them consistently in the upper tier across multiple metrics.
Italy and Spain, which lead in the number of fines, also appear prominently here, though not at the very top. This indicates a broad and consistent enforcement strategy with numerous cases contributing to the cumulative total.
Germany’s position (approximately €56 million, as indicated in the chart) reflects a steady but more moderate overall financial enforcement footprint compared to jurisdictions handling major cross-border Big Tech cases.
Chart 6: Total number of fines by violation (since the GDPR came into force)
This chart shows the number of GDPR fines by type of violation since 2018, offering insight into which compliance failures most frequently trigger enforcement action.
Two violation categories clearly dominate:
- Insufficient legal basis for data processing
- Non-compliance with general data processing principles
Both categories far exceed all others in case volume. This is highly relevant from a compliance perspective: most GDPR enforcement actions are not caused by technical failures alone, but by fundamental shortcomings in lawful processing and adherence to core principles such as transparency, purpose limitation, fairness, and proportionality.
In third place is insufficient technical and organizational measures (TOMs) to ensure information security. This category reflects classic security failures: inadequate encryption, poor access controls, misconfigurations, or insufficient risk management practices. While it ranks below the first two categories, it remains a major enforcement driver.
Key takeaway
The data clearly shows that GDPR enforcement focuses primarily on lawfulness and fundamental data protection principles, not just on cybersecurity incidents.
For organizations, this reinforces an important message:
- Legal basis documentation must be robust and regularly reviewed.
- Data processing principles must be embedded into operational workflows.
- Security measures must be appropriate and demonstrable.
- Governance processes (rights handling, documentation, cooperation) must be mature.
GDPR risk is as much about governance and accountability as it is about IT security.
GDPR fines by year: Trends in volume vs. financial impact (2021–2025)
The table highlights an important dynamic in GDPR enforcement: the number of fines and the total financial impact do not move in parallel.
| Year | Total amount of fines, € | Total number of fines |
|---|---|---|
| 2021 | 1,273,440,733 | 477 |
| 2022 | 841,297,735 | 537 |
| 2023 | 2,086,684,332 | 523 |
| 2024 | 1,181,757,699 | 297 |
| 2025 | 1,110,948,705 | 374 |
Several clear patterns emerge:
- Financial impact is heavily influenced by individual mega-fines.
- Enforcement volume does not necessarily correlate with total monetary value.
- Regulators are increasingly combining:
  - Broad enforcement (higher case numbers in some years)
  - Strategic large-scale cases against major players
The data shows that GDPR enforcement has matured. It is no longer only about sporadic large penalties; it is a sustained regulatory environment with both high-profile cases and ongoing operational supervision.
For organizations, this means: compliance risk is continuous and structural, not limited to exceptional “headline” cases.
GDPR enforcement in 2025: Volume vs. financial impact
The 2025 data clearly shows a strong divergence between the number of fines issued and the total monetary impact.
The countries with the highest number of fines in 2025 were:
- Spain – 117 fines (€28.3 million total)
- Italy – 77 fines (€11.2 million total)
- Romania – 73 fines (€467,200 total)
Together, these three countries account for 267 fines, which represents more than 70% of all 374 fines issued in 2025.
However, despite their high enforcement activity, the total financial impact in these countries remains comparatively moderate. This suggests a strong focus on operational enforcement and corrective supervision rather than large-scale punitive actions.
In contrast, the financial landscape is dominated by a small number of high-value cases:
- Ireland – 3 fines totaling €530.7 million
- France – 12 fines totaling €484.6 million
- Germany – 4 fines totaling €45.7 million
Ireland stands out in particular: only three fines account for nearly half a billion euros. This again reflects the concentration of major multinational technology companies under Irish supervisory authority. France follows a similar pattern, combining relatively few cases with very substantial penalties.
Out of 374 total fines, the three dominant violation categories were:
- 108 – Insufficient technical and organizational measures to ensure information security
- 102 – Non-compliance with general data processing principles
- 101 – Insufficient legal basis for data processing
These three categories alone account for 311 fines, or more than 80% of all cases in 2025.
This indicates that enforcement continues to focus on core GDPR obligations:
- Information security
- Lawful processing
- Fundamental data protection principles
Key takeaway for 2025
The 2025 enforcement pattern confirms a dual approach across Europe:
- Some countries (e.g., Spain, Italy) pursue high-frequency, moderate-value enforcement.
- Others (e.g., Ireland, France) issue fewer but extremely high-value, strategically significant fines.
For organizations, this means that GDPR risk exists on two levels: routine compliance failures can trigger supervisory action anywhere, while large-scale structural violations can lead to massive financial exposure in jurisdictions handling cross-border cases.
Conclusion
Since the GDPR came into force, enforcement across Europe has become both more structured and more strategic. The data shows clear differences between countries: some issue a high number of moderate fines (e.g., Spain and Italy), while others impose fewer but extremely high-value penalties (notably Ireland and France), often linked to large multinational tech companies.
Across sectors, Media, Telecoms & Broadcasting stands out with significantly higher average fines than any other industry. In terms of violations, enforcement continues to focus on core GDPR obligations: lawful processing, data protection principles, and insufficient technical and organizational security measures.
The annual figures also demonstrate that total fine amounts are heavily influenced by a small number of landmark cases. This means GDPR risk operates on two levels: frequent operational non-compliance and rare but financially severe structural violations.
Overall, the trend confirms that GDPR enforcement remains active, financially impactful, and increasingly aligned with strategic regulatory priorities across the EU.
Sources:
https://cms.law/en/int/publication/gdpr-enforcement-tracker-report
https://www.enforcementtracker.com/?insights