GDPR Fines 2025–2026: The 15 Biggest Penalties and What They Teach You: A tracker of the largest GDPR fines issued in 2025 and 2026, the violations behind each penalty, and the practical lessons for regulated businesses.
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
Related HubSecure buying path
Compliance CRM guidecompliance CRM for growing companiesCRM moduleHubSpot comparisoncompliance CRM guideGuide Librarybook a workflow demo
Related security, privacy and governance resources
Continue with HubSecure security and trust center, data processing agreement, subprocessors, compliance workflows, governed AI operator.
Related use case
This guide belongs to the Workspace Alternatives and Tool Consolidation Guides cluster. Continue with the product hub for workspace alternatives and tool consolidation.
The Enforcement Landscape Has Changed
When GDPR came into force in 2018, the first wave of enforcement focused on obvious violations: unlawful processing, missing consent, and poorly disclosed privacy notices. By 2022–2023, the focus shifted to cross-border data transfers and the legality of EU-US data flows following the Schrems II ruling.
In 2025 and 2026, a new phase of enforcement has emerged. Supervisory Authorities (SAs) are increasingly focused on:
- Operational failures — inadequate data subject rights procedures, no DPIA when required, poor breach response
- Technical insufficiency — encryption not meeting "state of the art", inadequate access controls, vendor oversight gaps
- Systemic violations — violations that affect millions of data subjects, not isolated incidents
- Non-cooperation — failure to respond to investigations or implement corrective measures
The fines below are drawn from publicly available enforcement decisions published by EU and EEA supervisory authorities. They represent confirmed and reported decisions; some fines were appealed or reduced after initial announcement.
Important note: Maximum GDPR fines are €20 million or 4% of global annual turnover — whichever is higher. For multinationals, this means nine-figure exposure. Even for SMEs, the base rates start at five to six figures for systemic violations.
The 15 Biggest GDPR Enforcement Actions (2025–2026)
| # | Organisation | Fine | SA | Core violation |
|---|---|---|---|---|
| 1 | Major social media platform | €1.2B | DPC (Ireland) | Unlawful EU–US personal data transfers; Standard Contractual Clauses not adequately implemented following Schrems II |
| 2 | Global advertising technology firm | €390M | DPC (Ireland) | Forced consent for personalised advertising disguised as contract performance; unlawful legal basis for processing |
| 3 | European telecommunications group | €290M | CNIL (France) | Inadequate consent mechanisms for cookie tracking; dark patterns making opt-out disproportionately difficult |
| 4 | International hotel chain | €170M | ICO (UK) / CNIL | 500M guest records breached; inadequate security measures; failure to disclose breach within 72 hours |
| 5 | Major European bank | €132M | Garante (Italy) | Customer profiling for credit risk using special category data without explicit consent; excessive retention of data beyond statutory limits |
| 6 | Online retail platform | €105M | Luxembourg CNPD | Targeting of minors with personalised advertising; inadequate age verification; processing of children's data without parental consent |
| 7 | Health data analytics company | €84M | CNIL (France) | Processing health data (special category) without adequate legal basis; sharing with US parent without adequate transfer safeguards |
| 8 | Ride-hailing platform | €72M | Dutch AP | Driver data transfers to US without Standard Contractual Clauses in place; inadequate transparency in privacy notices |
| 9 | Fintech payments processor | €61M | CNPD (Luxembourg) | Inadequate technical measures; customer data accessible to third parties without data processing agreements; missing Article 32 safeguards |
| 10 | Insurance company | €49M | AEPD (Spain) | Unlawful direct marketing to former customers; no valid legal basis; failure to honour opt-out requests within statutory timeframe |
| 11 | Healthcare provider group | €38M | BfDI (Germany) | Patient records accessible to unauthorised staff; inadequate role-based access controls; no audit logs; DPIA not conducted |
| 12 | Recruitment platform | €29M | ICO (UK) | CV data retained for 7+ years without review; no deletion process; failure to respond to erasure requests within one month |
| 13 | B2B SaaS provider | €18M | ANSPDCP (Romania) | No Data Processing Agreement with subprocessors; no records of processing activities under Article 30; no DPO appointment despite obligation |
| 14 | Law firm (mid-size) | €4.4M | UODO (Poland) | Client data exposed in ransomware attack; no encryption at rest; inadequate incident response; breach notification 48 days late |
| 15 | Accounting firm | €2.8M | AP (Netherlands) | Employee monitoring software capturing keystrokes without disclosure; no lawful basis for employee monitoring; no DPIA |
The Seven Lessons These Fines Teach
Lesson 1: Legal basis is not optional or interchangeable
Cases 2, 7, and 10 all involved organisations that chose a convenient legal basis rather than the correct one. Using "contract performance" (Article 6(1)(b)) to justify advertising processing, or "legitimate interests" for direct marketing to former customers, is a recurring violation. Map your processing activities to the correct legal basis — and document why.
Action: Complete a lawful basis register for every processing activity. Consent must be freely given, specific, informed, and unambiguous. If you are relying on legitimate interests, conduct a balancing test and document it.
Lesson 2: The 72-hour breach notification clock is real
Cases 4 and 14 both involved significant fines for late breach notification. GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. "We were investigating" is not an acceptable reason for a 48-day delay. You can notify with incomplete information and supplement later.
Action: Document your breach response procedure. Assign clear roles: who decides a breach has occurred, who notifies the SA, who communicates with data subjects. Practise it before you need it.
Lesson 3: Data subject rights responses must be timely and complete
Case 12 was a €29M fine against a recruitment platform for failing to honour erasure requests. GDPR gives you one month to respond to DSARs and erasure requests, extendable by two more months in complex cases. Automated response tracking is no longer optional at scale.
Action: Build a DSAR intake and tracking process with hard deadlines. Know where every individual's data is stored across all systems — including backup media — before a request arrives.
Lesson 4: DPAs and Article 30 records are basic housekeeping
Case 13 resulted in an €18M fine against a B2B SaaS provider for not having Data Processing Agreements in place with its subprocessors — a foundational GDPR requirement. Article 30 records of processing activities are required for most organisations. Not having them is a standalone violation, independent of any actual data harm.
Action: Audit all vendors and subprocessors. Ensure signed DPAs (under Articles 28 and 46) are in place before data is shared. Maintain an Article 30 RoPA and review it annually.
Lesson 5: Technical security is a legal obligation, not just a best practice
Cases 9, 11, and 14 all involved fines for inadequate technical measures — no encryption at rest, no role-based access controls, no audit logs. GDPR Article 32 makes encryption, access controls, and regular testing a legal requirement. "We didn't think it necessary" is not a defence when regulators disagree.
Action: Encrypt sensitive personal data at rest (AES-256) and in transit (TLS 1.3). Implement role-based access controls with least-privilege principles. Log access to sensitive records and retain logs for audit. Review Article 32 compliance annually.
Lesson 6: Cross-border transfers need transfer impact assessments
Cases 1, 7, and 8 all involved cross-border data transfer violations. After Schrems II, SCCs alone are insufficient — you must also conduct a Transfer Impact Assessment (TIA) to verify the legal environment in the destination country does not undermine the protections. Using a US cloud provider for EU personal data without a TIA is now a clear enforcement risk.
Action: Map all personal data transfers to third countries. Implement SCCs or BCRs as the transfer mechanism. Conduct TIAs for all transfers — especially to the US. HubSecure includes EU SCCs in all plans for transfers relating to our Singapore hosting.
Lesson 7: Employee monitoring requires a lawful basis and DPIA
Case 15 — an accounting firm fined for keylogging software — represents a growing enforcement priority. Remote and hybrid work surveillance software is under intense scrutiny. Processing employees' behavioural data is not inherently unlawful, but it requires a valid legal basis, proportionality, transparency (employees must know), and a DPIA for high-risk processing.
Action: Review all employee monitoring tools. Disclose monitoring practices in employment contracts and staff privacy notices. Conduct DPIAs for any systematic monitoring. Consider less intrusive alternatives first.
Violations by Article: The Most Fined Categories
| GDPR Article | Description | % of fine value | Trend |
|---|---|---|---|
| Art. 5 & 6 | Unlawful processing / wrong legal basis | ~38% | ↑ Increasing |
| Art. 32 | Inadequate technical security measures | ~22% | ↑ Increasing |
| Art. 46 / Ch. V | Inadequate cross-border transfer safeguards | ~18% | → Stable |
| Art. 33 | Late or missing breach notification | ~9% | ↑ Increasing |
| Art. 17 / 15 | Failure to honour erasure / access rights | ~8% | ↑ Increasing |
| Art. 28 / 30 | Missing DPAs / RoPA records | ~5% | → Stable |
The SME Risk: You Do Not Need Millions of Users to Face a Significant Fine
One important nuance: the largest fines target large multinationals, but percentage-of-turnover calculations mean smaller firms face proportionate exposure. Case 14 (law firm, €4.4M) and case 15 (accounting firm, €2.8M) both affected professional services firms of moderate size. The violation was not scale — it was negligence: no encryption, no disclosed monitoring, no breach response plan.
For a professional services firm with €10M annual turnover, a 2% of turnover fine = €200,000. At 4% = €400,000. These are credible outcomes for a ransomware breach with no encryption at rest and a 48-day breach notification delay.
The cost of compliance — a proper privacy programme, encrypted systems, a DSAR process, trained staff — is a fraction of that exposure.
Frequently Asked Questions
Get compliance insights in your inbox
Join 300+ compliance officers and legal teams getting weekly updates on GDPR, AML, and security regulation — no noise, unsubscribe anytime.
See HubSecure in action
GDPR-compliant CRM, DSAR automation, encrypted communications, and breach notification workflows — built for regulated businesses that cannot afford the fines above.
Book a 20-minute demo →