
GDPR Fines

GDPR fines are financial penalties imposed by data protection authorities on organisations that violate the EU General Data Protection Regulation (GDPR). These fines can reach up to €20 million or 4% of annual global turnover, whichever is higher, for serious infringements of data protection rules.

Legal Basis

"Administrative fines shall in each individual case be effective, proportionate and dissuasive. [...] the administrative fine shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of paragraph 2."

— Article 83(1), Regulation (EU) 2016/679 (GDPR)

The GDPR establishes two tiers of maximum fines: up to €10 million or 2% of global annual turnover for certain violations (such as inadequate record-keeping), and up to €20 million or 4% of global annual turnover for more serious infringements (such as violations of the legal bases for processing, data subject rights, or international data transfers).

Why It Matters

GDPR fines affect any organisation that processes personal data of individuals in the EU, regardless of where the organisation is established. This includes political parties, campaign organisations, platforms, publishers, and providers of political advertising services that handle voter data, targeting information, or other personal data.

For providers of political advertising services, GDPR fines are particularly relevant when using targeting techniques or ad-delivery techniques based on personal data. Under Regulation 2024/900 (the political advertising regulation), the use of personal data for targeting political advertisements must comply with GDPR requirements, including having a valid legal basis and respecting data subject rights.

Supervisory authorities consider factors such as the nature and severity of the infringement, whether it was intentional or negligent, previous violations, cooperation with the authority, and the categories of personal data affected. Political advertising involving special category data (such as political opinions) may attract closer scrutiny and higher fines if mishandled.

Key Points

  • Two-tier system: Fines up to €10 million or 2% of turnover for some violations; up to €20 million or 4% of turnover for serious breaches
  • Global turnover: The percentage is calculated on worldwide annual revenue, not just EU operations or the infringing service
  • Proportionality: Authorities must ensure fines are effective, proportionate, and dissuasive based on case circumstances
  • Political advertising context: Misuse of personal data for targeting political ads can trigger GDPR fines from data protection authorities
  • Special category data: Processing political opinions or other sensitive data without proper legal basis increases fine risk
  • Cross-border cases: Lead supervisory authority coordinates with other authorities for organisations operating across multiple Member States

GDPR Fines vs. DSA Penalties vs. Competition Fines

GDPR fines specifically address data protection violations, while Digital Services Act (DSA) penalties address illegal content, transparency, and platform obligations (up to 6% of global turnover). Competition fines under Articles 101 and 102 TFEU address anti-competitive behaviour and can reach 10% of global turnover. An organisation can face multiple types of fines simultaneously if violations span different legal frameworks. For example, a platform could receive GDPR fines for misusing targeting data, DSA penalties for transparency failures in political advertising, and competition fines for market abuse—all arising from the same political advertising activities.

Related Terms

  • Data Protection Authority
  • Personal Data
  • Legal Basis for Processing
  • Special Category Data
  • Targeting Techniques
  • Data Subject Rights
  • Controller
  • Processor
  • Consent
  • Legitimate Interest

GDPR fines: Core Facts

  • Status: Active Definition
  • Verified: 2026-03-07
