Calculate GDPR fine
On this page, you can calculate the range of GDPR fines for data protection violations. These are based on the Guidelines 04/2022 (V 2.1) of the European Data Protection Board (EDPB).
How accurate is the calculator?
The purpose of this calculator is to determine the range of GDPR fines based on the EDPB's Guidelines 04/2022.
At the same time, according to Art. 83(1) GDPR, it is the responsibility of the respective supervisory authority to ensure that a fine is effective, proportionate, and dissuasive in each individual case.
Therefore, the calculation is only an approximation to which the respective supervisory authority is not bound.
Any further questions?
In our Frequently Asked Questions about GDPR fines, we have compiled the answers to the most common questions about GDPR violations.
GDPR fine calculator:
The calculator reports the following values: the statutory upper limit, the basis for calculation (lower/upper limit), the interim limits (lower/upper), the total factor score (in points) and the final amount limits (range of fines).

The EDPB gives the following examples in its guidelines:

Example 5a (high level of seriousness): After investigating numerous complaints about unsolicited calls from customers of a telephone company, the competent supervisory authority found that the telephone company used contact details of its customers for telemarketing purposes without a valid legal basis (infringement of Article 6 GDPR). In particular, the telephone company had offered the names and registered phone numbers of its customers to third parties for marketing purposes. The telephone company did this despite advice against it from the data protection officer, without undertaking any efforts to curb the practice or to offer customers a way of objecting. In fact, the practice had been going on since May 2018 and was still ongoing at the time of the investigation. The telephone company in question operated nationwide and the practice affected all of its 4 million customers. The supervisory authority found that all of these customers had been regularly subjected to unsolicited calls by third parties, without any effective means to stop them.

The supervisory authority was tasked with assessing the seriousness of this case. As a starting point, the supervisory authority noted that an infringement of Article 6 GDPR is listed among the infringements of Article 83(5) GDPR and therefore falls within the higher tier of Article 83 GDPR. Secondly, the supervisory authority assessed the circumstances of the case. In that regard, the supervisory authority attributed significant weight to the nature of the infringement, as the infringed provision (Article 6 GDPR) underpins the legality of the data processing as a whole. Non-compliance with this provision removes the lawfulness of the processing as a whole. Also, the supervisory authority attributed significant weight to the duration of the infringement, which started at the entry into force of the GDPR and had not ceased at the time of the investigation. The fact that the telephone company operated nationwide increased the weight of the scope of the processing. The number of data subjects involved was considered very high (4 million, offset against a total population of 14 million people), while the level of damage suffered by them was considered moderate (non-material damage, in the form of nuisance). The latter assessment was made taking into account the categories of data affected (name and phone number). The seriousness of the infringement was increased, however, by the fact that the infringement was committed contrary to advice from the data protection officer and, thus, considered intentional. Taking all the above into account (serious nature, long duration, high number of data subjects, nationwide scope, intentional nature, vis-à-vis moderate damage), the supervisory authority concludes that the infringement is considered to be at a high level of seriousness. The supervisory authority will determine the starting amount for further calculation at a point between 20 and 100% of the legal maximum included in Article 83(5) GDPR.

Example 5b (medium level of seriousness): A supervisory authority received a personal data breach notification from a hospital. From this notification, it appeared that several staff members had been able to view parts of patients' health files that, based on their department, should not have been accessible to them. The hospital had been working on procedures to regulate access to patient files, and had implemented strict measures for restricted access. That entailed that staff from one department could only access medical information relevant to that specific department. In addition, the hospital had invested in privacy awareness amongst its staff members. However, as it turned out, there were issues concerning the monitoring of authorisations. Staff members that transferred between departments were still able to gain access to the patient files from their "old" departments and the hospital had no procedures in place to match the current position of the staff member with their authorisation. Internal investigation by the hospital showed that at least 150 staff members (out of the 3500) had inaccurate authorisations, affecting at least 20,000 of the 95,000 patient files. The hospital could show that in at least 16 instances staff members had used their authorisations to view patient files. The supervisory authority considers that there has been a breach of Article 32 GDPR.

In assessing the seriousness of the case, the supervisory authority first noted that an infringement of Article 32 GDPR is listed among the infringements of Article 83(4) GDPR and therefore falls within the lower tier of Article 83 GDPR. Secondly, the supervisory authority assessed the circumstances of the case. In that regard, the supervisory authority considered that even though the number of data subjects affected by the breach was only 16, this could potentially have been 20,000 in the circumstances of the case and even 95,000 given the systemic nature of the issue. Furthermore, the supervisory authority categorised the infringement as negligent, but to a low degree, which was considered a neutral factor in the circumstances of this particular case due to the fact that the hospital failed to adopt authorisation policies where it surely should have done so but had, otherwise, taken steps to implement strict measures to restrict access. This evaluation was not impacted by the fact that other data protection and security policies were implemented successfully, as the GDPR requires. Lastly, the supervisory authority attributed significant weight to the fact that the patient files include health data, which are special categories of data according to Article 9 GDPR. Taking all the above into account (nature of the processing and special categories of data vis-à-vis the number of data subjects actually and potentially affected), the supervisory authority concludes that the infringement is considered to be at a medium level of seriousness. The supervisory authority will determine the starting amount for further calculation at a point between 10 and 20% of the legal maximum included in Article 83(4) GDPR.

Example 5c (low level of seriousness): A supervisory authority has received numerous complaints about the way in which an online store handles the right of access of its data subjects. According to the complainants, the handling of their access requests has taken between 4 and 6 months, which is outside the timeframe permitted by the GDPR. The supervisory authority investigates the complaints and finds that the online store responds to access requests a maximum of three months too late in 5% of the cases. In total, the store received around 1,000 access requests on an annual basis and confirmed that 950 of these were handled on time. Moreover, the online store had policies in place to safeguard that all access requests were handled correctly and fully. Nevertheless, the supervisory authority concluded that the online store infringed Article 12(3) GDPR and decided to impose a fine.

During the calculation of the amount of the fine to be imposed, the supervisory authority was tasked with assessing the seriousness of this case. As a starting point, the supervisory authority noted that an infringement of Article 12 GDPR is listed among the infringements of Article 83(5) GDPR and therefore falls within the higher tier of Article 83 GDPR. Secondly, the supervisory authority assessed the circumstances of the case. In that regard, the supervisory authority carefully analysed the nature of the infringement. Even though the timely right to access personal data is one of the cornerstones of the data subject rights, the supervisory authority considered that the infringement was of limited seriousness in this respect, given that all requests were handled eventually and with a limited delay. Considering the purpose of the processing, the supervisory authority found that the processing of personal data was not the core activity of the online store, but still an important ancillary in fulfilling its objective of selling goods online. The supervisory authority considered this to increase the seriousness of the infringement. On the other hand, the level of damage suffered by the data subjects was considered minimal, as all access requests were handled within 6 months. Taking all the above into account (nature of the infringement, purpose of the processing and level of damage), the supervisory authority concludes that the infringement is considered to be at a low level of seriousness. The supervisory authority will determine the starting amount for further calculation at a point between 0 and 10% of the legal maximum included in Article 83(5) GDPR.

The interim fine limits determined so far generally represent the framework within which a fine is likely to fall. According to Art. 83(2) GDPR, a number of factors must be considered when specifically determining the fine. You can assess these factors to get an impression of where within the fine framework the data protection authority might set the penalty. At the same time, determining a fine is not a purely mathematical process. The supervisory authority must always ensure that a fine is effective, proportionate, and dissuasive. If necessary in individual cases, it can therefore also impose fines outside the determined limits.

1. Determination of the statutory upper limit
Type of infringement
Group I (infringements under Article 83(4))
Group II (infringements under Article 83(5))
Group III (infringements under Article 83(6))
2. Determination of the seriousness
High level of seriousness (Example 5a)
Medium level of seriousness (Example 5b)
Low level of seriousness (Example 5c)
3. Aggravating and mitigating circumstances
Assess factors
Developed by experts
The fine calculator was developed by Fabian Müller, M. Iur.
Over 3 years of experience in data protection law.