⚠️ Disclaimer: This calculator shows the maximum possible fine under Article 83 GDPR. Actual fines are set by supervisory authorities using discretion based on Article 83(2) factors including nature, gravity, intent, mitigation, cooperation, and prior violations. Most fines are substantially below the maximum. This is not legal advice. Consult a qualified data protection attorney for specific compliance guidance.

Sources & Methodology

All fine calculations verified directly against GDPR Article 83(4) and 83(5) text and UK Data Protection Act 2018 Schedule 16 fine limits. The critical higher-of formula is confirmed in the official GDPR text: "whichever is higher."
GDPR Full Text — EUR-Lex (Regulation EU 2016/679)
Official GDPR text including Article 83 administrative fines provisions, confirming the two-tier structure, fixed monetary caps, percentage of global annual turnover basis, and the "whichever is higher" formula used in this calculator.

ICO — UK GDPR Fines Guidance
UK Information Commissioner's Office official guidance on UK GDPR fine limits (17.5M GBP / 4% and 8.7M GBP / 2%) post-Brexit, used for all UK GDPR calculations in this calculator.

GDPR Enforcement Tracker — CMS Law
Comprehensive database of all GDPR fines issued across EU member states, used to verify real-world fine application patterns, typical fine amounts by violation type, and enforcement trends cited in the content of this page.
Exact Article 83 Formula (verified from GDPR text):
  Tier 1 Max    = max(EUR 10,000,000 ; 2% of global annual turnover)
  Tier 2 Max    = max(EUR 20,000,000 ; 4% of global annual turnover)
  UK Tier 1 Max = max(GBP 8,700,000 ; 2% of global annual turnover)
  UK Tier 2 Max = max(GBP 17,500,000 ; 4% of global annual turnover)
"Global annual turnover" = total worldwide annual revenue of the entire undertaking (corporate group) for the preceding financial year. Currency conversions are approximate (EUR/USD ~1.08, EUR/GBP ~0.86 as of April 2026).

Last reviewed: April 2026 | Based on GDPR as amended through 2024

How GDPR Fines Are Calculated Under Article 83

The most critical and most misunderstood aspect of GDPR fine calculation is the "whichever is higher" rule. Many websites, compliance guides, and even legal teams incorrectly state the Tier 2 maximum as "20 million euros." This is wrong for large companies. The correct maximum is the higher of 20 million euros OR 4% of global annual turnover — meaning a company with 5 billion euros in revenue faces a maximum Tier 2 fine of 200 million euros, not 20 million euros.

GDPR Fine = max(Fixed Cap, Turnover Percentage)
Example — Large tech company, Tier 2 violation:
Global annual turnover: EUR 50,000,000,000 (50 billion)
4% of turnover: EUR 50B x 0.04 = EUR 2,000,000,000 (2 billion)
Fixed cap: EUR 20,000,000 (20 million)
Maximum fine = max(EUR 20M, EUR 2B) = EUR 2,000,000,000

Example — Small business, Tier 2 violation:
Global annual turnover: EUR 500,000
4% of turnover: EUR 500K x 0.04 = EUR 20,000
Fixed cap: EUR 20,000,000
Maximum fine = max(EUR 20M, EUR 20K) = EUR 20,000,000
(Small business faces the full fixed cap as it exceeds the turnover percentage)

GDPR Article 83 Two-Tier Structure

| Tier   | Article   | Fixed Cap | Turnover %  | Applies To |
|--------|-----------|-----------|-------------|------------|
| Tier 1 | 83(4)     | EUR 10M   | 2% global   | Security measures, DPO, DPIA, processor obligations, certification bodies |
| Tier 2 | 83(5)–(6) | EUR 20M   | 4% global   | Lawful basis violations, data subject rights, consent, international transfers, supervisory authority orders |

EU vs UK GDPR Fine Limits

| Tier   | EU GDPR Fixed Cap | EU Turnover % | UK GDPR Fixed Cap | UK Turnover % |
|--------|-------------------|---------------|-------------------|---------------|
| Tier 1 | EUR 10,000,000    | 2%            | GBP 8,700,000     | 2%            |
| Tier 2 | EUR 20,000,000    | 4%            | GBP 17,500,000    | 4%            |

The 8 Factors Regulators Use to Set the Actual Fine

The maximum fine is the ceiling, not the starting point. Supervisory authorities consider all factors in Article 83(2) before setting an actual fine amount. Understanding these factors is critical for compliance risk assessment:

  1. Nature, gravity, and duration of the infringement, including the number of data subjects affected and the damage they suffered
  2. Intentional or negligent character of the infringement
  3. Actions taken to mitigate the damage suffered by data subjects
  4. Degree of responsibility taking into account technical and organizational measures implemented
  5. Relevant prior infringements by the controller or processor
  6. Degree of cooperation with the supervisory authority
  7. Categories of personal data affected (sensitive data = higher fine)
  8. Manner in which the infringement became known to the supervisory authority (self-reporting mitigates; discovered during investigation aggravates)

Largest GDPR Fines in History

| Company          | Fine Amount     | Tier   | Violation                            | Year |
|------------------|-----------------|--------|--------------------------------------|------|
| Meta (Facebook)  | EUR 1.2 billion | Tier 2 | Illegal EU-US data transfers         | 2023 |
| Amazon           | EUR 746 million | Tier 2 | Advertising tracking without consent | 2021 |
| Instagram (Meta) | EUR 405 million | Tier 2 | Children's data processing           | 2022 |
| WhatsApp (Meta)  | EUR 225 million | Tier 2 | Transparency failures                | 2021 |
| TikTok           | EUR 345 million | Tier 2 | Children's data, dark patterns       | 2023 |

💡 The breakeven point: For EU GDPR, the fixed cap exceeds the turnover percentage for Tier 2 when annual turnover is below 500 million euros (EUR 20M / 4% = EUR 500M breakeven). For companies with turnover above EUR 500M, the 4% calculation always produces a larger fine than the fixed EUR 20M cap. For Tier 1: breakeven is EUR 500M (EUR 10M / 2%). UK Tier 2 breakeven: GBP 437.5M. UK Tier 1 breakeven: GBP 435M.
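The higher-of rule from the worked examples above and the breakeven note, carried through as one added example (this is not the calculator's own code; the function and constant names are mine, and the caps and percentages are the ones this page states for EU and UK GDPR):

```python
from decimal import Decimal

# Fixed caps and turnover percentages per Article 83(4)-(5) and the UK limits
# quoted on this page, keyed by (jurisdiction, tier). Amounts are in the
# jurisdiction's own currency; no EUR/GBP conversion is attempted here.
LIMITS = {
    ("EU", 1): (Decimal("10000000"), Decimal("0.02"), "EUR"),
    ("EU", 2): (Decimal("20000000"), Decimal("0.04"), "EUR"),
    ("UK", 1): (Decimal("8700000"), Decimal("0.02"), "GBP"),
    ("UK", 2): (Decimal("17500000"), Decimal("0.04"), "GBP"),
}


def max_fine(turnover, jurisdiction="EU", tier=2):
    """Return (amount, currency, basis) for the Article 83 ceiling.

    turnover is the whole undertaking's worldwide annual revenue in the
    jurisdiction's currency. basis names the limb that set the ceiling, so a
    risk register can show why a small company still faces the full fixed cap.
    """
    turnover = Decimal(str(turnover))
    if turnover < 0:
        raise ValueError("turnover cannot be negative")
    cap, pct, currency = LIMITS[(jurisdiction, tier)]
    pct_amount = turnover * pct
    # "Whichever is higher": the percentage limb only wins above breakeven.
    if pct_amount > cap:
        return pct_amount, currency, "turnover percentage"
    return cap, currency, "fixed cap"


def breakeven(jurisdiction="EU", tier=2):
    """Turnover at which the percentage limb equals the fixed cap (cap / pct)."""
    cap, pct, currency = LIMITS[(jurisdiction, tier)]
    return cap / pct, currency


def exposure(turnover, jurisdiction="EU"):
    """Both tiers at once, as a compliance risk assessment would tabulate them."""
    return {tier: max_fine(turnover, jurisdiction, tier) for tier in (1, 2)}


if __name__ == "__main__":
    # The page's two worked examples: a 50 billion EUR group and a 500k EUR business.
    for revenue in (50_000_000_000, 500_000):
        amount, currency, basis = max_fine(revenue)
        print(f"turnover {revenue:,} -> max Tier 2 fine {currency} {amount:,.0f} ({basis})")
    for key in LIMITS:
        amount, currency = breakeven(*key)
        print(f"{key[0]} Tier {key[1]} breakeven: {currency} {amount:,.0f}")
```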

Frequently Asked Questions
GDPR fines under Article 83 are the HIGHER of a fixed monetary cap or a percentage of global annual turnover. Tier 1: higher of EUR 10M or 2% of global annual turnover. Tier 2: higher of EUR 20M or 4% of global annual turnover. "Global annual turnover" means the total worldwide revenue of the entire corporate group, not just the violating entity. Most competitors only show the fixed cap — this calculator correctly shows the higher-of calculation.
The maximum GDPR Tier 2 fine is 4% of global annual turnover, with no upper ceiling. For a company with EUR 100 billion in revenue, the maximum is EUR 4 billion. The fixed EUR 20 million cap only applies if it is larger than 4% of turnover, which is only true for companies with less than EUR 500 million in annual revenue. This is why major tech companies can receive billion-euro fines — the 20 million euro cap is irrelevant for them.
Tier 1 (Article 83(4)) covers administrative/technical violations: security measures, DPO requirements, DPIA obligations, certification body obligations. Maximum: EUR 10M or 2% of global turnover (whichever higher). Tier 2 (Article 83(5)) covers fundamental GDPR violations: processing without a lawful basis, violating data subject rights, illegal international data transfers, violating consent requirements, and non-compliance with supervisory authority orders. Maximum: EUR 20M or 4% (whichever higher). Tier 2 violations produce the largest fines.
Yes. GDPR applies to any organization processing EU residents' personal data, regardless of where the organization is based. US companies with EU users or EU-targeting websites must comply with GDPR. Enforcement against non-EU companies is increasingly common through EU subsidiaries, cooperation with US regulators, and by targeting EU business operations. Meta's 1.2 billion euro fine and Amazon's 746 million euro fine both involved US companies' EU operations.
After Brexit, the UK retained UK GDPR under the Data Protection Act 2018, enforced by the ICO. UK fine limits: Tier 1: GBP 8.7M or 2% of global turnover. Tier 2: GBP 17.5M or 4% of global turnover. The pound caps are lower than euro caps (set at Brexit-era conversion rates), but the percentage calculation is identical (2%/4% of global turnover). Companies operating in both EU and UK may face separate fines from both EU DPAs and the ICO for the same violation.
Mitigating factors under Article 83(2) include: self-reporting the violation before discovery, immediate corrective action and remediation, full cooperation with the supervisory authority investigation, limited number of affected data subjects, low impact on data subjects, negligence rather than intentional violation, no prior GDPR violations, strong pre-existing compliance program, small business with limited financial resources, and rapid implementation of requested corrective measures.
Each EU member state has a national supervisory authority (DPA) enforcing GDPR. For cross-border processing, the one-stop-shop mechanism designates the DPA in the country of the company's EU main establishment as the lead authority. The Irish DPC handles many major tech company cases (Google, Meta, Apple have EU HQs in Ireland). DPAs investigate following complaints from data subjects, ex officio investigations, or breach notifications. The investigation process can take years before a final fine decision.
Yes. Fines can be appealed through the supervisory authority's internal review and then through national administrative courts. Several large fines have been reduced on appeal — Amazon's original 746M EUR fine was reduced, and various national court challenges have modified DPA decisions. The European Data Protection Board (EDPB) can also issue binding decisions in cross-border cases, sometimes overruling lead DPA decisions. Appeals can take several years to resolve, creating ongoing uncertainty about final fine amounts.
Under GDPR Article 33, controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals. The notification must include the nature of the breach, categories and number of records affected, likely consequences, and measures taken or proposed. Late notification or failure to notify is a violation itself, and can be Tier 1 (failure to implement security measures) or Tier 2 (if it involves fundamental failures). Many organizations fail this 72-hour requirement due to slow internal breach discovery processes.
Global annual turnover for GDPR fine purposes means the total worldwide annual revenue of the entire undertaking (corporate group), not just the entity that violated GDPR. This includes parent companies, subsidiaries, and affiliates worldwide. If a small EU subsidiary of a large US company violates GDPR, the fine can be based on the entire US parent company's global revenue. This is explicitly stated in GDPR recital 150 and has been confirmed in enforcement decisions.
Yes. GDPR applies to all organizations processing EU personal data, including non-profits, charities, political parties, religious organizations, and public authorities. However, for non-profit entities without significant commercial turnover, the fixed cap (EUR 10M or EUR 20M) often applies since their turnover percentage would be lower. Some member state implementations provide reduced fine limits for public authorities and non-commercial entities. The fundamental processing obligations (lawful basis, rights, security) apply equally to all organizations.
GDPR and US state privacy laws like CCPA (California Consumer Privacy Act) apply independently. A company can be subject to both. GDPR is generally considered stricter than CCPA — it requires a lawful basis for all processing, while CCPA primarily focuses on opt-out rights for sale of personal information. Companies with both EU and California operations often align to GDPR standards as the baseline since it is more demanding. However, each law has its own compliance requirements, enforcement authority, and fine structure that must be addressed separately.