GDPR Fines Statistics 2026: What Small Companies Actually Pay
GDPR turned eight in May 2026, and the enforcement numbers keep climbing. The headlines are dominated by billion-euro fines against big tech — but the statistics also show a second, much quieter track of small fines against small companies that rarely gets reported. This page collects the key GDPR fine statistics for 2026, every one of them with a named source, and then looks at what the data actually means if you run a small business.
GDPR fines: key statistics (2026)
- €7.1 billion — cumulative GDPR fines reported by European supervisory authorities from 25 May 2018 to 10 January 2026 (DLA Piper GDPR Fines and Data Breach Survey, January 2026).
- ~€1.2 billion — GDPR fines issued in 2025, closely matching the 2024 total (DLA Piper, January 2026).
- €1.2 billion — the largest single GDPR fine ever, issued by the Irish Data Protection Commission against Meta Platforms Ireland in 2023 (DLA Piper, January 2026).
- €530 million — the largest fine of 2025, issued by the Irish DPC against TikTok over international data transfers (DLA Piper, January 2026; CMS Enforcement Tracker Report 2025/2026).
- €4.04 billion — cumulative fines issued by Ireland's DPC alone since May 2018, the most of any authority by value (DLA Piper, January 2026).
- 2,685 fines individually tracked in the CMS GDPR Enforcement Tracker, worth around €6.11 billion, with an average fine of €2,277,122 (CMS Enforcement Tracker Report, as of 1 March 2026).
- 1,048 fines — Spain has issued the most GDPR fines of any country by count (CMS Enforcement Tracker Report, as of 1 March 2026).
- 443 data breach notifications per day on average were reported to European regulators in the year to 27 January 2026 — a 22% annual increase and the first time the daily average passed 400 (DLA Piper, January 2026).
- 83 sanctions totalling €486,839,500 were issued in France in 2025 — and 67 of them went through the CNIL's simplified procedure for smaller cases involving companies and independent professionals (CNIL, 2025 sanctions report).
Cite this page: BusinessConnect, “GDPR Fines Statistics 2026”, businessconnect.lt, updated 3 July 2026. All statistics are free to quote with a link to this page or to the primary source next to each number.
GDPR fines by year
The annual totals below come from DLA Piper's yearly GDPR Fines and Data Breach Surveys. Note that most survey periods run late January to late January, so they approximate — but do not exactly match — calendar years.
| Period | Fines issued | Change | Source |
|---|---|---|---|
| 25 May 2018 – 27 Jan 2021 | ≈ €0.2bn* | — | Derived* |
| 28 Jan 2021 – 27 Jan 2022 | ≈ €1.1bn | “Nearly a sevenfold increase” on the prior year | DLA Piper, Jan 2022 |
| 28 Jan 2022 – 25 Jan 2023 | ≈ €1.64bn | +50% year on year | DLA Piper, Jan 2023 |
| 28 Jan 2023 – 27 Jan 2024 | ≈ €1.78bn | +14% year on year | DLA Piper, Jan 2024 |
| Calendar year 2024 | ≈ €1.2bn | −33% vs 2023 | DLA Piper, Jan 2025 |
| Calendar year 2025 | ≈ €1.2bn | Roughly flat vs 2024 | DLA Piper, Jan 2026 |
| Cumulative, 25 May 2018 – 10 Jan 2026 | €7.1bn | — | DLA Piper, Jan 2026 |
* The first row is not separately reported in the sources above; it is derived by subtracting the later survey periods from the €7.1bn cumulative total, so treat it as an approximation only.
Two different totals circulate for cumulative GDPR fines: DLA Piper's €7.1bn (a survey of supervisory authorities across 31 European jurisdictions) and the CMS Enforcement Tracker's ~€6.11bn (a database of individually documented public fines, 2,685 of them as of 1 March 2026). The datasets are built differently, which is why the numbers differ — cite whichever matches your use case, and name the source.
The largest GDPR fines ever issued
Per the CMS Enforcement Tracker Report (as of 1 March 2026), the ten largest GDPR fines to date:
- Meta Platforms Ireland — €1.2 billion (Ireland, 2023)
- TikTok Technology Limited — €530 million (Ireland, 2025)
- Meta Platforms, Inc. — €405 million (Ireland)
- Meta Platforms Ireland — €390 million (Ireland)
- TikTok Limited — €345 million (Ireland)
- LinkedIn — €310 million (Ireland, 2024)
- Uber Technologies Inc. / Uber B.V. — €290 million (Netherlands, 2024)
- Meta Platforms Ireland — €265 million (Ireland)
- Meta Platforms Ireland — €251 million (Ireland, 2024)
- WhatsApp Ireland — €225 million (Ireland)
Nine of the top ten were issued in Ireland — a structural effect of the GDPR's one-stop-shop mechanism, since most large US tech companies have their EU headquarters in Dublin.
Fines by country: two very different league tables
- By value: Ireland leads with €4.04 billion in cumulative fines since May 2018 (DLA Piper, Jan 2026). Luxembourg had reached €746.38 million as of January 2025, driven almost entirely by its 2021 Amazon fine of €746 million (DLA Piper, Jan 2025; DLA Piper, Jan 2022).
- By count: Spain leads with 1,048 fines tracked — the highest enforcement activity in Europe, mostly in smaller amounts (CMS Enforcement Tracker Report, as of 1 March 2026).
- France in 2025: the CNIL issued 83 sanctions totalling €486,839,500 — 16 through its ordinary procedure and 67 through the simplified procedure used for smaller cases (CNIL, 2025).
The takeaway for a small business: the value league table is about big tech, but the count league tables — Spain's 1,048 fines, France's 67 simplified-procedure sanctions in one year — are largely about ordinary companies.
What businesses get fined for
The CMS Enforcement Tracker Report ranks violation types by frequency across all tracked fines:
- Insufficient legal basis for data processing (the most common)
- Non-compliance with general data processing principles
- Insufficient technical and organisational security measures
- Insufficient fulfilment of data subjects' rights
- Insufficient fulfilment of information obligations
France's 2025 numbers show the same pattern at small-business scale: the CNIL sanctioned 21 entities for cookie and tracker breaches, 16 for improper employee video surveillance, 14 for insufficient data security, 14 for failing to cooperate with the regulator, 14 for ignoring erasure/objection/access requests, and 10 for marketing-prospecting violations. Cookies, cameras, security basics and ignored data requests — not exotic edge cases.
What do small companies actually pay?
Honest answer first: there is no reliable public statistic for the “average small-business GDPR fine”. Many small-company sanctions are never published — the CNIL's 67 simplified-procedure decisions from 2025, for example, are confidential by design. Treat any precise “average SME fine” figure you see online with suspicion. What the verifiable record does show:
- The CNIL's published sanctions list includes fines as low as €500 — enforcement against small actors is real, just small enough to stay out of the news.
- France's simplified sanction procedure — used for 67 of 83 sanctions in 2025 — exists specifically to process smaller cases against companies and independent professionals quickly (CNIL).
- The legal maximum under Article 83(5) GDPR is €20 million or 4% of worldwide annual turnover, whichever is higher — that ceiling applies to a five-person company as much as to Meta.
A documented small-company case: Knuddels, €20,000
Germany's first-ever GDPR fine, issued on 21 November 2018 by the Baden-Württemberg data protection authority (LfDI), went to Knuddels.de, a small German chat platform. After a hack exposed user credentials, the investigation found the company had stored user passwords in plain text — a violation of Article 32(1)(a) GDPR. The fine: €20,000 (IAPP).
The instructive part is why the fine stayed low. Per the regulator, Knuddels contacted the authority directly after the hack, informed users immediately and comprehensively, cooperated in what the LfDI called an “exemplary” way, and invested a six-figure sum in fixing its security. The LfDI's head stated openly that the goal was better data protection, not maximum fines. Two lessons for any small business: report breaches fast (you have 72 hours), and cooperation measurably reduces the damage.
How to stay out of this table
Across the CMS violation rankings and the CNIL's 2025 caseload, small-company enforcement keeps hitting the same missing basics. The essential minimum:
- A proper cookie consent mechanism on your website
- A clear, comprehensive privacy policy
- A documented process for handling data subject requests
- Data processing agreements with your third-party tools
- A breach notification procedure (72-hour deadline)
Items 1 and 2 — the exact areas behind the CNIL's 21 cookie sanctions and the most common violation categories — are the easiest to automate. A compliance platform like Termly handles both: the free plan includes a cookie banner with automatic script blocking, one basic policy and 10,000 banner views per month, and paid plans run $10–15/month (billed annually) with a 30-day money-back guarantee — we break down the plans and limits in our full Termly review. For the wider toolbox, see our GDPR compliance tools comparison.
Cheapest insurance
Don't end up in this table
Every dataset on this page points the same way: small companies get fined for missing basics — cookie consent, privacy policies, ignored data requests. Termly covers the first two for less per year than even the smallest fine on the CNIL's published list, with a free plan to start and a 30-day money-back guarantee on paid plans. It covers GDPR, UK GDPR and CCPA.
- Free plan: cookie banner with automatic script blocking, 1 basic policy, 10,000 banner views/month
- Starter from $10/month and Pro+ from $15/month (billed annually) — Pro+ adds unlimited auto-updated policies, Consent Mode v2 and no Termly branding
- One setup instead of separate banner + policy generator tools
Frequently Asked Questions
How much have GDPR fines totalled since 2018?
According to DLA Piper's GDPR Fines and Data Breach Survey (January 2026), European supervisory authorities reported an aggregate of 7.1 billion euros in GDPR fines from 25 May 2018 to 10 January 2026. Around 1.2 billion euros of that was issued in 2025 alone.
What is the largest GDPR fine ever issued?
The largest GDPR fine ever is 1.2 billion euros, issued by the Irish Data Protection Commission against Meta Platforms Ireland in 2023 for unlawful EU-US data transfers. The largest fine of 2025 was 530 million euros against TikTok, also from the Irish DPC.
Do small businesses really get fined under GDPR?
Yes. GDPR applies to any business that processes personal data of EU residents, regardless of size. In 2025, 67 of the French CNIL's 83 sanctions went through its simplified procedure, which handles cases involving companies and independent professionals — these smaller decisions are simply not published, so they rarely make headlines.
How much do GDPR fines cost for small businesses?
The legal maximum is 20 million euros or 4% of worldwide annual turnover, whichever is higher. In practice, documented fines start much lower: the CNIL's published sanction list includes fines from 500 euros, and Germany's first GDPR fine was 20,000 euros against the small chat platform Knuddels. There is no reliable public statistic for an average small-business fine, because many small-company sanctions are never published.
What's the fastest way to make my website GDPR compliant?
The fastest approach is a compliance platform that handles cookie consent and privacy policy generation in one setup — for example, Termly's free plan includes a cookie banner with automatic script blocking, one basic policy and 10,000 banner views per month, with paid plans from 10 dollars per month billed annually.
Keep reading
- Best GDPR compliance tools compared — our hub page for the full toolbox
- GDPR compliance checklist for small businesses — work through the five basics step by step
- What happens if you ignore GDPR — the enforcement process from complaint to fine