← Blog Home

Biggest GDPR fines of 2025

GDPR

Posted by Kevin Yun | December 19, 2025

European data protection authorities showed no signs of slowing down their enforcement efforts as the year progressed. Record-breaking penalties continued to make headlines, with some fines reaching unprecedented levels that sent shockwaves through the business community.

The financial impact has been staggering. Companies across various sectors faced penalties that not only affected their bottom line but also forced fundamental changes to their data handling practices. Tech giants, traditional corporations, and even smaller enterprises found themselves in the crosshairs of regulators who demonstrated increasing confidence in applying the full weight of GDPR enforcement.

What makes these fines particularly noteworthy is their diversity. No longer are penalties limited to social media platforms or tech companies. Financial institutions, healthcare organizations, retail chains, and energy companies have all experienced significant enforcement actions. This broadening scope reflects the maturing regulatory landscape and authorities' willingness to tackle complex cases across all industries.

The scale of these penalties reflects years of investigation, detailed legal analysis, and careful consideration of aggravating factors. Regulators have become more sophisticated in their approach, taking into account not just the technical violations but also the broader context of each company's data protection culture and commitment to compliance.

Table of contents

Meta's record-breaking €1.2 billion penalty

The Irish Data Protection Commission delivered a seismic blow to Meta in May 2023 with a €1.2 billion fine that redefined the GDPR enforcement landscape. This penalty stemmed from the company's continued transfer of European user data to the United States without adequate protection mechanisms following the invalidation of Privacy Shield.

The case centered on fundamental questions about international data transfers. Meta had been relying on Standard Contractual Clauses (SCCs) as a legal mechanism for transferring personal data across the Atlantic. However, the DPC determined that these clauses alone were insufficient to protect European citizens' data from potential U.S. government surveillance programs.

What made this case particularly significant was its timing. The fine came after years of legal uncertainty following the Schrems II decision, which invalidated Privacy Shield and raised serious questions about the adequacy of data protection in the United States. Companies across Europe had been watching this case closely, knowing that the outcome would set precedents for their own international operations.

Meta's response was swift and predictable. The company immediately announced its intention to appeal the decision, arguing that it had been operating within the legal framework available at the time. They also emphasized their ongoing efforts to implement technical safeguards and their hope that a new EU-US data adequacy framework would resolve the underlying issues.

The financial impact was substantial, but perhaps more important were the operational implications. The DPC ordered Meta to suspend its data transfers within six months unless it could implement adequate safeguards. This deadline created enormous pressure on the company to find technical solutions or await the completion of negotiations for a new transatlantic data agreement.

Amazon faces €746 million Luxembourg fine

Luxembourg's National Commission for Data Protection (CNPD) made headlines in July 2021 when it imposed a €746 million fine on Amazon.com Inc. The case originated from a complaint filed by 10,000 individuals through the French privacy rights organization La Quadrature du Net.

The investigation focused on Amazon's advertising targeting system and its approach to obtaining user consent. Regulators found that the company had been processing personal data for behavioral advertising without securing proper consent from users. This represented a fundamental misunderstanding of GDPR consent requirements, which demand that consent be freely given, specific, informed, and unambiguous.

Amazon's advertising ecosystem relies heavily on tracking user behavior across its vast network of services and partner websites. This data collection enables the company to create detailed profiles of consumer preferences and purchasing patterns. The CNPD's investigation revealed that users were not adequately informed about the extent of this data collection, nor were they given meaningful choices about whether to participate.

The case highlighted the tension between innovative digital advertising models and privacy protection requirements. Amazon argued that its advertising services provided value to both merchants and consumers by showing relevant products. However, regulators emphasized that commercial benefits cannot justify bypassing fundamental privacy rights.

The fine sent ripples through the digital advertising industry. Many companies began reassessing their consent mechanisms and data collection practices, recognizing that regulators were willing to impose significant penalties for violations related to behavioral advertising. The Amazon case demonstrated that no company, regardless of its market position or economic importance, was immune from GDPR enforcement.

Instagram's €405 million children's data violation

The Irish Data Protection Commission targeted Meta's Instagram platform in September 2022 with a €405 million fine for failing to protect children's personal data. This case marked a significant milestone in GDPR enforcement related to child protection online.

The investigation examined Instagram's handling of personal data belonging to users between 13 and 17 years old. A key issue was the platform's business account feature, which automatically made certain contact information publicly visible. When teenagers switched to business accounts, their email addresses and phone numbers became accessible to anyone on the internet.

This public exposure of children's contact details created obvious safety risks. The DPC found that Instagram had failed to conduct proper Data Protection Impact Assessments (DPIAs) to identify and mitigate these risks. The platform also struggled to provide information to young users in clear, age-appropriate language that they could understand.

The case reflected growing concerns about how social media platforms handle children's data. Regulators across Europe have become increasingly focused on ensuring that digital services adequately protect young users, who may not fully understand the implications of sharing personal information online.

Instagram's response included significant changes to its platform design. The company implemented new privacy settings for teenage users, made accounts private by default for users under 18, and introduced additional safeguards around contact information sharing. These changes demonstrated how major GDPR penalties can drive meaningful improvements in product design and user protection.

The fine also established important precedents for how platforms should approach age verification and child protection. Other social media companies took note, implementing similar protective measures and conducting more thorough assessments of their child safety practices.

Meta's €390 million contract processing fine

Meta faced another significant penalty in January 2023 when the Irish DPC imposed a €390 million fine related to the legal basis for processing user data on Facebook and Instagram. This case examined fundamental questions about consent, contracts, and user choice in social media platforms.

The issue arose from changes Meta made to its Terms of Service just before GDPR took effect in 2018. The company shifted its legal basis for data processing from consent to "contractual necessity," arguing that personalized advertising was an integral part of the service users were receiving.

This approach created a problematic situation for users. To access Facebook or Instagram, individuals had to accept terms that included extensive data processing for advertising purposes. The DPC found that this "take it or leave it" approach effectively coerced users into agreeing to data processing they might not want.

The case highlighted a crucial distinction in GDPR law between different legal bases for processing. While companies can rely on contractual necessity for some data processing activities, they cannot use this basis to justify processing that is not genuinely necessary for service delivery. Personalized advertising, the DPC concluded, was not a core component of social networking services.

Meta argued that advertising revenue was essential for providing free social media services to billions of users. The company contended that users understood and accepted this business model when they chose to use its platforms. However, regulators emphasized that economic necessity does not create legal necessity under GDPR.

The penalty forced Meta to reconsider its fundamental approach to user consent and data processing. The company began exploring alternative models that would give users more genuine choice about whether to receive personalized advertising while still maintaining viable business operations.

TikTok receives €345 million penalty for child protection failures

TikTok's approach to protecting young users came under intense scrutiny when the Irish DPC imposed a €345 million fine in September 2023. The investigation focused on the platform's data practices during the second half of 2020, with particular attention to how it handled accounts belonging to children.

The case revealed multiple weaknesses in TikTok's child protection mechanisms. The platform struggled with age verification, making it difficult to ensure that appropriate safeguards were applied to underage users. Default privacy settings for children's accounts were also found to be inadequate, potentially exposing young users to unwanted contact from strangers.

TikTok's approach to communicating with child users raised additional concerns. The platform's privacy notices and data processing information were not written in language that children could easily understand. This communication gap meant that young users could not make informed decisions about their data and privacy settings.

The investigation also examined TikTok's data sharing practices and how information from children's accounts might be processed for algorithmic recommendations and content personalization. Regulators found that the platform had not adequately assessed the potential risks of these processing activities for young users.

The fine represented a broader shift in regulatory focus toward child protection online. European authorities have become increasingly concerned about how social media platforms and other digital services affect young people's privacy and safety. The TikTok case demonstrated their willingness to impose significant penalties when platforms fail to meet these responsibilities.

Following the penalty, TikTok implemented several changes to strengthen child protection. The company introduced new age verification methods, enhanced privacy settings for teenage users, and improved its communication materials to be more accessible to young audiences.

LinkedIn fined €310 million for behavioral targeting

The Irish Data Protection Commission imposed a €310 million fine on LinkedIn Ireland in October 2024 for violations related to behavioral analysis and targeted advertising. The case originated from a complaint by the French nonprofit organization La Quadrature du Net, which has been active in challenging tech companies' data practices.

LinkedIn's advertising model relies on detailed analysis of user behavior on its platform. The company tracks how users interact with content, which profiles they view, and how they engage with different features. This information feeds into algorithmic systems that determine which advertisements and content to show each user.

The investigation revealed that LinkedIn had not obtained proper consent for much of this behavioral analysis. Users were not adequately informed about the extent of data processing for advertising purposes, nor were they given meaningful opportunities to opt out of targeted advertising while still using the platform's core networking features.

The case highlighted tensions between professional networking services and privacy protection. LinkedIn argued that its advertising model enabled the platform to remain free for most users while providing valuable services for professional networking and career development. However, regulators emphasized that commercial benefits cannot justify bypassing user consent requirements.

The DPC's decision included both the financial penalty and orders for LinkedIn to revise its data processing practices. The company was required to improve its consent mechanisms and provide users with clearer information about how their data is used for advertising purposes.

This case had broader implications for professional networking and B2B marketing platforms. Many companies in this sector reassessed their own data processing practices and consent mechanisms to ensure compliance with GDPR requirements.

Uber's €290 million data transfer violation

The Dutch Data Protection Authority imposed a €290 million fine on Uber in January 2024 for improperly transferring European drivers' personal data to the United States. The case began with complaints from more than 170 French Uber drivers, which were transferred to the Dutch regulator due to Uber's European headquarters location in the Netherlands.

Uber's business model requires extensive data collection about its drivers, including location information, driving patterns, earnings data, and personal identification documents. This information is processed globally to support the company's operations, but the transfer of European data to U.S. servers raised significant legal questions.

The violation occurred after the Court of Justice of the European Union invalidated the Privacy Shield framework in its Schrems II decision. Following this ruling, companies could no longer rely on Privacy Shield as a legal mechanism for transferring personal data to the United States. Uber continued these transfers without implementing adequate alternative safeguards.

The Dutch DPA found that Uber had stored sensitive driver data on U.S. servers for more than two years without proper legal protections. This included information about drivers' taxi licenses, location data, photos, and payment details. The regulator determined that these transfers violated GDPR requirements for international data transfers.

Uber's response emphasized the company's commitment to data protection and its efforts to implement technical safeguards for international transfers. The company has since made significant investments in data localization and encryption technologies to address regulatory concerns.

The case underscored the ongoing challenges that global companies face in managing international data transfers post-Privacy Shield. Many organizations have had to completely restructure their data architecture and processing operations to comply with European requirements.

Meta's €265 million data breach penalty

The Irish DPC imposed a €265 million fine on Meta in November 2022 following a significant data breach that exposed personal information belonging to approximately 533 million Facebook users worldwide. The breach included data from roughly 3 million European users.

The security incident involved multiple Facebook features, including the platform's search functionality and contact import tools. Attackers exploited vulnerabilities in these systems to extract phone numbers, email addresses, and other personal information that users had provided to Facebook.

The investigation revealed several concerning aspects of Meta's data protection practices. The company had not implemented adequate technical safeguards to prevent the exploitation of these vulnerabilities. The DPC also found deficiencies in how Meta detected, documented, and reported the breach to authorities and affected users.

Meta's breach notification procedures came under particular scrutiny. The company was found to have delayed in reporting the incident to supervisory authorities and failed to maintain proper documentation about the scope and impact of the breach. These procedural failures compounded the penalties related to the underlying security weaknesses.

The case highlighted the importance of implementing robust security measures throughout the entire data processing lifecycle. Simple vulnerabilities in search and import features had allowed attackers to systematically extract massive amounts of personal data over an extended period.

Following the penalty, Meta invested heavily in security improvements and breach detection systems. The company also revised its incident response procedures to ensure faster notification to authorities and more comprehensive documentation of security events.

Meta's €251 million security breach fine

The Irish Data Protection Commission imposed an additional €251 million fine on Meta in December 2024 for a separate security breach that occurred in 2018. This incident affected approximately 29 million Facebook users globally, including 3 million in Europe.

The breach exploited vulnerabilities in Facebook's "View As" feature, which allows users to see how their profiles appear to others. Attackers discovered a way to generate access tokens through this feature, giving them unauthorized access to user accounts and personal information.

The stolen data included basic profile information, contact details, and in some cases more sensitive information such as religious views and relationship status. The DPC's investigation found that the breach could have been prevented with better security practices and more thorough testing of platform features.

Meta's response to the breach raised additional concerns. The company took several weeks to fully understand the scope of the incident and notify all affected users. Regulators found that Meta's initial security response was inadequate and that the company failed to implement sufficient safeguards to prevent similar incidents.

The fine reflected multiple GDPR violations beyond the basic security failure. The DPC found problems with breach notification procedures, documentation requirements, and the company's overall approach to data protection by design and by default.

This case emphasized the critical importance of building security considerations into product development from the earliest stages. Features that seem innocuous can create significant security risks if not properly designed and tested.

WhatsApp's €225 million transparency violation

Ireland's Data Protection Commission imposed a €225 million fine on WhatsApp Ireland in September 2021 for failing to provide users with adequate information about how their personal data is processed. The case centered on transparency obligations under GDPR Articles 13 and 14.

The investigation examined WhatsApp's privacy policy and user communications, finding that the messaging platform had not clearly explained its data processing activities to users. The company's privacy notices were deemed too vague and failed to provide specific information about how data is shared with other Meta companies.

WhatsApp's business model involves significant data sharing with Facebook and Instagram to support advertising and product development across Meta's family of applications. However, users were not adequately informed about these data flows or given meaningful choices about whether to participate.

The case became particularly complex due to interventions by the European Data Protection Board (EDPB). The EDPB disagreed with the Irish DPC's initial assessment and required the regulator to increase the penalty and expand the scope of violations addressed in the decision.

WhatsApp argued that its privacy policy met legal requirements and that the company had made significant efforts to communicate clearly with users. The platform emphasized its end-to-end encryption and commitment to user privacy in messaging communications.

The penalty forced WhatsApp to comprehensively revise its privacy communications and user interface design. The company implemented new notification systems and privacy policy presentations to better inform users about data processing activities.

French regulator CNIL imposed substantial fines on Google in December 2021 for making it unnecessarily difficult for users to reject cookies on YouTube and Google Search. Google LLC received a €90 million penalty while Google Ireland was fined €60 million for similar violations.

The investigation found that Google's websites provided simple, one-click options for accepting cookies but required multiple steps and navigation through several pages to reject them. This design pattern discouraged users from exercising their right to refuse tracking cookies.

CNIL's analysis revealed that Google's consent interfaces were deliberately designed to favor cookie acceptance. The "Accept all" button was prominently displayed and immediately accessible, while rejection options were buried in settings menus or required users to individually configure dozens of different cookie categories.

The regulator found that this approach violated both GDPR consent requirements and French ePrivacy regulations. Consent must be freely given, which means that rejecting cookies should be as easy as accepting them. Google's design patterns effectively coerced users into accepting tracking they might not want.

Google's advertising business model depends heavily on tracking user behavior across websites to enable targeted advertising. The company argued that cookies improve user experience by personalizing content and supporting free online services. However, regulators emphasized that commercial interests cannot override user choice requirements.

The penalties included orders for Google to implement equal treatment for acceptance and rejection of cookies within three months. Non-compliance would result in additional daily fines of €100,000, creating strong incentives for rapid implementation of changes.

H&M's employee surveillance scandal

The Hamburg Commissioner for Data Protection and Freedom of Information imposed a €35.3 million fine on retail giant H&M for extensive employee surveillance practices at one of its service centers in Germany. The case revealed shocking violations of employee privacy rights.

The investigation began after a technical error temporarily made employee data accessible to everyone on the company's network. This glitch exposed detailed records that H&M had been maintaining about its workforce, including highly personal information about employees' health, family situations, and private activities.

H&M managers had been systematically collecting information about employees through informal conversations, gossip, and observation of workplace behavior. This data was then documented in employee files and used to make decisions about work assignments, promotions, and disciplinary actions.

The collected information included medical diagnoses and symptoms, family problems and financial difficulties, religious beliefs and vacation activities, and details about personal relationships and lifestyle choices. Much of this information had no legitimate business purpose and created significant risks for employee privacy and dignity.

The case demonstrated how workplace surveillance can escalate beyond reasonable business needs. What may have started as informal management practices had evolved into a comprehensive monitoring system that violated basic principles of data protection and employee rights.

H&M's response included immediate changes to its employee data handling practices and comprehensive training for managers about privacy requirements. The company also implemented new policies to prevent similar violations at other locations worldwide.

Regulatory authorities across Europe have developed increasingly sophisticated enforcement strategies that reflect years of experience with GDPR implementation. Several key trends have emerged that shape how companies should approach compliance planning.

Cross-border cooperation between data protection authorities has become much more effective. The EDPB's coordination mechanisms enable faster resolution of complex cases and more consistent enforcement approaches across different member states. This cooperation reduces opportunities for companies to exploit regulatory arbitrage between jurisdictions.

Penalties have grown significantly larger as authorities gain confidence in their enforcement powers. Early GDPR fines were often relatively modest, reflecting regulators' cautious approach to applying the new framework. Current penalties reflect the full potential of GDPR's financial sanctions and demonstrate authorities' willingness to impose business-changing consequences for serious violations.

The scope of enforcement has expanded well beyond technology companies. Financial institutions, healthcare organizations, retail companies, and industrial firms now face regular scrutiny from data protection authorities. This expansion reflects the universal applicability of GDPR across all sectors of the economy.

Technical complexity no longer provides protection from enforcement action. Regulators have developed sophisticated technical expertise and can analyze complex data processing systems, algorithmic decision-making, and technical safeguards. Companies cannot rely on regulatory confusion about technical matters to avoid accountability.

Child protection has emerged as a particular priority for enforcement actions. Social media platforms, gaming companies, educational technology providers, and other services targeting young users face heightened scrutiny about their data protection practices. Regulators view child protection as fundamental to maintaining public trust in digital services.

Industry impact and compliance implications

The cumulative impact of major GDPR fines has transformed corporate approaches to data protection across multiple industries. Companies now recognize that compliance is not just a legal obligation but a business-critical function that affects their competitive position and operational sustainability.

Technology companies have invested billions in compliance infrastructure, privacy engineering, and legal expertise. Many organizations have fundamentally restructured their product development processes to incorporate privacy considerations from the earliest design stages. This "privacy by design" approach represents a significant cultural shift in how technology companies approach innovation.

Financial services firms face particular challenges due to their extensive data processing requirements and complex international operations. Banks, insurance companies, and payment processors must balance GDPR compliance with other regulatory obligations while maintaining the data flows necessary for risk management and customer service.

Healthcare organizations struggle with the intersection of GDPR and medical privacy requirements. The processing of health data for research, treatment, and public health purposes creates complex legal questions that require careful analysis of multiple regulatory frameworks.

Retail and consumer goods companies have had to completely reimagine their customer data strategies. Traditional approaches to customer relationship management, marketing personalization, and loyalty programs often conflict with GDPR requirements for explicit consent and data minimization.

International companies face ongoing challenges related to data transfers and localization requirements. The invalidation of Privacy Shield and uncertainty about future EU-US data agreements have forced many organizations to restructure their global data architecture at enormous cost.

Building effective compliance programs

Successful GDPR compliance requires comprehensive programs that address technical, operational, and cultural aspects of data protection. Organizations that have avoided major penalties typically share several key characteristics in their approach to privacy management.

Strong leadership commitment proves essential for building effective privacy cultures. Companies with engaged executives and board-level oversight of privacy issues tend to identify and address compliance gaps before they become enforcement problems. This leadership support also ensures adequate resources for compliance activities.

Cross-functional collaboration helps identify privacy risks across all business operations. Legal, technology, marketing, and operations teams must work together to understand how data flows through organizations and where protection gaps might exist. Siloed approaches often miss critical interdependencies.

Regular risk assessments and audits help organizations identify emerging compliance challenges before they become violations. Many successful companies conduct quarterly privacy reviews and maintain ongoing monitoring of their data processing activities. This proactive approach enables early detection and correction of potential problems.

Employee training programs ensure that privacy considerations are embedded throughout organizational culture. All employees should understand basic privacy principles and their role in protecting personal data. Specialized training for high-risk roles helps prevent inadvertent violations that could trigger enforcement action.

Technology solutions play an increasingly important role in managing compliance at scale. Data discovery tools, consent management platforms, breach detection systems, and privacy dashboards help organizations monitor and control their data processing activities more effectively than manual processes allow.

Compliance software platforms like ComplyDog provide integrated solutions for managing GDPR requirements across complex organizational environments. These tools help companies automate privacy assessments, track consent, manage data subject requests, and maintain comprehensive records of processing activities. By centralizing privacy management functions, ComplyDog enables organizations to achieve consistent compliance while reducing the administrative burden on internal teams. The platform's comprehensive approach addresses all key aspects of GDPR compliance, from initial privacy impact assessments through ongoing monitoring and reporting. This integrated approach helps companies avoid the gaps and inconsistencies that often lead to regulatory violations and potential fines.

Companies that invest in robust compliance infrastructure and maintain proactive privacy programs are much better positioned to avoid the costly penalties and operational disruptions that have affected many organizations in recent years. The trend toward larger fines and broader enforcement makes these investments increasingly critical for business success.

Popular Posts
popular post 1

The 7 Essential Principles at the Heart of GDPR Compliance
popular post 1

GDPR Cookie Consent (Banner): An Essential Guide, Checklist, and Examples
popular post 1

OpenAI's €15 Million GDPR Fine: What It Means for AI Companies
popular post 1

GDPR Software ROI: Is It Worth the Investment?
popular post 1

GDPR and the Consequences of Non-Compliance: What B2B SaaS Companies Need to Know
popular post 1

New to ComplyDog? Your Guide to Getting Started
popular post 1

What is a DPA? Data Processing Agreement for GDPR Explained
popular post 1

GDPR Compliance Checklist For B2B SaaS Companies
popular post 1

GDPR Implementation Examples: Success Stories for B2B SaaS Companies

You might also enjoy

GDPR Fines and Penalties: 2025 Enforcement Guide
GDPR

GDPR Fines and Penalties: 2025 Enforcement Guide

Learn about GDPR fines and penalties in 2025. Analysis of recent enforcement actions, fine calculations, and compliance strategies.

Posted by Kevin Yun | July 15, 2025
The Biggest GDPR Fines of 2024: A Comprehensive Guide
GDPR

The Biggest GDPR Fines of 2024: A Comprehensive Guide

Explore the biggest GDPR fines of 2024, including Meta's €1.2 billion penalty for data transfer violations, Amazon's €746 million fine for improper data handling, and Instagram's €405 million penalty for children's data protection.

Posted by Kevin Yun | May 17, 2024
EU Tightens Enforcement of GDPR: Higher Fines and Faster Resolutions Looming
GDPR

EU Tightens Enforcement of GDPR: Higher Fines and Faster Resolutions Looming

EU strengthens GDPR enforcement with higher fines, faster resolutions, and empowering supervisory authorities. Impact on businesses includes increased penalties, streamlined enforcement, and greater transparency. Mixed reactions from industry and consumer advocates.

Posted by Kevin Yun | May 14, 2024

Choose the easy way to become GDPR compliant

Start your 14-day free trial of ComplyDog today. No credit card required.

Try It Free ➔

Trusted by B2B SaaS businesses

Blink Growsurf Requestly Odown Wonderchat