Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Reg File 09. GDPR / General Data Protection Regulation (EU 2016/679)

Regulator profile

GDPR breach fines: 4% of global revenue or 20M EUR, whichever is higher.

Article 83 of the General Data Protection Regulation sets the framework for monetary penalties applied by every EU member state's data protection authority. Tier 1 violations cap at 10M EUR or 2% of global revenue, Tier 2 at 20M EUR or 4% of global revenue. The biggest fines on record have exceeded 1B EUR, with Meta's 1.2B EUR fine for unlawful transatlantic data transfers being the current record. UK GDPR (post-Brexit) operates parallel powers through the ICO.

Maximum fine: 4% of revenue (Tier 2 cap; 20M EUR floor)
Largest fine: 1.2B EUR (Meta, Ireland, 2023)
Notification: 72 hours (to lead supervisory authority)
EU member states: 27 (each has its own DPA)

Section GDPR.1

The Article 83 two-tier structure

GDPR penalties are calculated under Article 83, which establishes two penalty tiers based on the type of violation. Tier 1 covers procedural violations such as failure to maintain records of processing, failure to designate a data protection officer where required, and failure to cooperate with the supervisory authority. Tier 1 violations cap at 10M EUR or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Tier 2 covers substantive violations such as breach of the data-processing principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, accountability), violations of the rights of data subjects, unlawful international transfers, and non-compliance with an enforcement order. Tier 2 violations cap at 20M EUR or 4% of total worldwide annual turnover, whichever is higher. The Meta 1.2B EUR fine was issued under Tier 2 for international data transfers found unlawful in light of the Schrems II judgment.

For breach response specifically, three Article 83 considerations dominate. The nature, gravity, and duration of the infringement set the baseline fine. The intentional or negligent character of the infringement increases or decreases the fine. The actions taken to mitigate the damage caused to data subjects can reduce the fine substantially. Missing the 72-hour breach notification deadline under Article 33 is itself a Tier 1 violation, but its proportional impact on the final Article 83 calculation can be material, because late notification typically reflects a negligent posture.

Section GDPR.2

The biggest GDPR fines on record

Respondent | Fine | Authority | Year
Meta (Facebook) - international transfers | 1.2B EUR | Irish DPC | 2023
Amazon - advertising consent | 746M EUR | Luxembourg CNPD | 2021
Instagram (Meta) - children's data | 405M EUR | Irish DPC | 2022
Meta - Facebook Pixel | 390M EUR | Irish DPC | 2023
TikTok - children's data | 345M EUR | Irish DPC | 2023
Meta - WhatsApp transparency | 225M EUR | Irish DPC | 2021
Google - Android consent | 50M EUR | French CNIL | 2019
British Airways - 2018 breach | £20M (reduced from £183M) | ICO (UK) | 2020
Marriott - 2018 breach | £18.4M (reduced from £124M) | ICO (UK) | 2020
H&M - employee surveillance | 35.3M EUR | Hamburg DPA | 2020

The full enforcement register is maintained by the European Data Protection Board (EDPB register) and supplemented by member-state DPA bulletins. The largest fines have come from the Irish DPC, reflecting the concentration of US tech companies' EU establishments in Ireland under the one-stop-shop mechanism.

Section GDPR.3

The 72-hour notification rule

GDPR Article 33 requires notification to the lead supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The clock starts at the moment the controller becomes aware that a breach has occurred, which the European Data Protection Board has interpreted as the moment the controller has a reasonable degree of certainty that a security incident has occurred and that the incident has led to personal data being compromised.

The 72-hour clock compresses the IR investigation window materially. Within 72 hours the controller has to determine the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, the likely consequences, and the measures taken or proposed to address the breach. The EDPB's Guidelines 9/2022 on personal data breach notification provide detailed guidance on what counts as awareness and what level of detail is required in the initial notification.

Article 34 imposes a separate obligation to communicate the breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms. The trigger for Article 34 is higher than for Article 33 (a high risk versus any risk). Notification under Article 34 is not required if the data was encrypted such that it is unintelligible to unauthorised persons, or if the controller has taken subsequent measures that ensure the high risk is no longer likely to materialise.

Section GDPR.4

The UK ICO post-Brexit divergence

The UK left the EU on 31 January 2020, with the UK's implementation of the GDPR (the Data Protection Act 2018) preserving the substantive law of the GDPR domestically. The UK ICO operates parallel enforcement powers under UK GDPR with a maximum fine of £17.5M or 4% of global revenue, slightly lower than the EU equivalent due to exchange-rate differences. The ICO's enforcement pattern has been observably different from EU DPAs in two respects.

First, the ICO has frequently reduced proposed penalties materially between Notice of Intent and final monetary penalty. The Marriott penalty was reduced from £124M proposed to £18.4M final (85% reduction). The British Airways penalty was reduced from £183M proposed to £20M final (89% reduction). The pattern reflects the ICO's greater willingness to engage with respondents on mitigation factors during the appeal window, an approach that has been criticised as inconsistent with the Article 83 framework but that has not been challenged at the legal level.

Second, the ICO has produced relatively few mega-fines compared to EU DPAs since 2021. The ICO leadership change in late 2021 (John Edwards replacing Elizabeth Denham as Information Commissioner) coincided with a shift toward enforcement notices and reprimands rather than large monetary penalties. The 2024 Edwards strategy update committed to closing the proposed-vs-final penalty gap, but the practical impact had not been fully visible by mid-2026.

Primary source: GDPR enforcement data from the European Data Protection Board register, Irish DPC decisions, UK ICO monetary penalty notices, CNIL Délibérations, Garante provvedimenti, and the EDPB Guidelines 9/2022 on personal data breach notification.