Calculation of GDPR fines explained

On this page, we explain how data protection authorities calculate fines for GDPR violations in accordance with Guidelines 04/2022 of the European Data Protection Board (EDPB). For Germany in particular, the EDPB guidelines have replaced the fine concept of the German Data Protection Conference since May 24, 2023.

1. Determination of the statutory upper limit

As a first step, the competent data protection authority determines the relevant legal upper limit for fines for the violation in question.

Formal violation (Art. 83(4) GDPR)

If a controller has violated one of the provisions specified in Art. 83 (4) GDPR (e.g., lack of a data processing agreement), the fine is up to €10,000,000 for companies that generated less than €500,000,000 in revenue in the previous year, and otherwise 2% of the previous year's revenue.

Material violation (Art. 83(5) and (6) GDPR)

If the controller has violated one of the provisions specified in Art. 83(5) GDPR (e.g., failure to respond to requests for access pursuant to Art. 15 GDPR), or if the case falls under Art. 83(6) GDPR, the upper limit for companies with a previous year's turnover of less than €500,000,000 is €20,000,000, otherwise 4% of the previous year's turnover.

2. Determination of the seriousness of the violation

Once the respective legal upper limit has been determined as a reference value, the seriousness of the violation must then be assessed. The guidelines distinguish between a low, medium and high level of seriousness.

Depending on the seriousness, a fraction of the legal upper limit is then used as the basis for the calculation:

low seriousness: 0–10 %

medium seriousness: 10–20 %

high seriousness: 20–100 %

Examples from the guidelines:

3. Determining the size of the undertaking

Depending on the previous year's turnover of the undertaking concerned, a fraction of the starting amount determined in step 2 then forms the basic framework for the fine.

For the calculation of fines, the definition of an undertaking under competition law in Articles 101 and 102 TFEU applies, and not the definition in Article 4(18) GDPR (ECJ, C-383/23, ECLI:EU:C:2025:84 – ILVA, para. 36).

An undertaking is defined as any entity engaged in economic activity, regardless of its legal form and the way in which it is financed. In particular, an undertaking may also consist of several legally independent entities.

Annual turnover (in million €)    Fraction of the calculation basis
≤ 2                               0.2–0.4 %
2–10                              0.3–2 %
10–50                             1.5–10 %
50–100                            8–20 %
100–250                           15–50 %
250–500                           40–100 %
> 500                             100 %
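Steps 1 to 3 above can be carried through as one calculation. The following is an added example written for this page; it is not code from the EDPB guidelines or from the fine calculator the page describes. It takes the thresholds and percentage bands exactly as stated above and returns the range of starting amounts (before the aggravating and mitigating circumstances of step 4). Assumptions not made explicit on the page: each turnover band of the table is treated as covering turnover up to and including its upper bound, turnover is passed as a whole number of euros, and results are rounded to whole euros. Fractions are used instead of floats so the band percentages are applied exactly.

```python
from fractions import Fraction
from typing import Tuple

MILLION = 1_000_000

# Step 1: statutory upper limits as stated on the page.
# Art. 83(4): €10M, or 2 % of previous year's turnover from €500M upwards.
# Art. 83(5)/(6): €20M, or 4 % of previous year's turnover from €500M upwards.
STATUTORY_CAP = {
    "formal": (10 * MILLION, Fraction(2, 100)),
    "material": (20 * MILLION, Fraction(4, 100)),
}
TURNOVER_SWITCH = 500 * MILLION  # from here on the percentage cap applies

# Step 2: share of the statutory cap depending on seriousness.
SERIOUSNESS_SHARE = {
    "low": (Fraction(0), Fraction(10, 100)),
    "medium": (Fraction(10, 100), Fraction(20, 100)),
    "high": (Fraction(20, 100), Fraction(100, 100)),
}

# Step 3: undertaking-size bands from the table: (upper turnover bound in €,
# lower share, upper share). Assumption: a band includes its upper bound.
SIZE_BANDS = [
    (2 * MILLION, Fraction(2, 1000), Fraction(4, 1000)),
    (10 * MILLION, Fraction(3, 1000), Fraction(20, 1000)),
    (50 * MILLION, Fraction(15, 1000), Fraction(100, 1000)),
    (100 * MILLION, Fraction(80, 1000), Fraction(200, 1000)),
    (250 * MILLION, Fraction(150, 1000), Fraction(500, 1000)),
    (500 * MILLION, Fraction(400, 1000), Fraction(1)),
]
SIZE_SHARE_ABOVE_500M = (Fraction(1), Fraction(1))  # > €500M: 100 %


def statutory_cap(violation: str, turnover: int) -> Fraction:
    """Step 1: legal upper limit in euros for 'formal' or 'material' violations."""
    fixed_cap, percentage = STATUTORY_CAP[violation]
    if turnover < TURNOVER_SWITCH:
        return Fraction(fixed_cap)
    return percentage * turnover


def size_share(turnover: int) -> Tuple[Fraction, Fraction]:
    """Step 3: (lower, upper) share of the starting amount for the undertaking's size."""
    for upper_bound, low_share, high_share in SIZE_BANDS:
        if turnover <= upper_bound:
            return low_share, high_share
    return SIZE_SHARE_ABOVE_500M


def fine_range(violation: str, seriousness: str, turnover: int) -> Tuple[int, int]:
    """Range (low, high) in whole euros of the starting amount after steps 1-3."""
    cap = statutory_cap(violation, turnover)
    s_low, s_high = SERIOUSNESS_SHARE[seriousness]       # step 2
    z_low, z_high = size_share(turnover)                  # step 3
    low = cap * s_low * z_low
    high = cap * s_high * z_high
    return round(low), round(high)


if __name__ == "__main__":
    # Constructed case: material violation, medium seriousness, €30M turnover.
    # Cap €20M -> 10-20 % = €2M-€4M -> band 10-50 at 1.5-10 % = €30,000-€400,000.
    print(fine_range("material", "medium", 30 * MILLION))
```

The starting-amount range this returns is only the "range within which a fine can fall" that step 5 refers to; the circumstances in step 4 and the authority's overall assessment decide where in (or, exceptionally, outside) that range the actual fine ends up.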

4. Aggravating and mitigating circumstances

According to Art. 83(2) sentence 2 GDPR, the supervisory authority must take certain criteria into account when determining the fine:

Actions taken to mitigate damage

If the controller independently takes action to mitigate the damage caused to data subjects by the data breach, this may be taken into account as a mitigating factor.

Degree of responsibility

In the opinion of the EDPB, the degree of responsibility works in favor of the controller only in exceptional cases, because of the increased accountability requirements under the GDPR: namely, when the controller's diligence clearly exceeds the required level.

Previous infringements

In the opinion of the EDPB, previous data protection violations may also be relevant for determining the amount of the fine. The more similar and the less distant in time a previous violation is, the more aggravating its effect.

Other types of violations may also have an aggravating effect, as they may indicate deficiencies in the data protection organization of the controller.

Profit derived from the infringement

In order for a fine to be effective and dissuasive, the data protection authority will take into account any profit made as a result of the violation. The fine will then, as a rule, exceed that profit.

Degree of cooperation with the supervisory authority

Since the controller is obliged to cooperate with the supervisory authority, cooperation has a positive effect only in exceptional cases: namely, when particularly good cooperation can prevent or mitigate specific damage to the data subjects.

If the controller fails to cooperate, this may have an aggravating effect or constitute a separate violation subject to sanctions.

Report to the supervisory authority

If the supervisory authority becomes aware of the infringement through a complaint or an investigation, this has a neutral effect. The same applies if the controller reports the infringement itself due to a reporting obligation.

Only if the controller reports an infringement that is not subject to a reporting obligation can this have a mitigating effect.

Compliance with measures previously ordered by the supervisory authority

If the controller has complied with previous orders issued by the supervisory authority on the same matter, this shall not have any effect. If the controller has shown increased commitment in implementing these orders, this may, in exceptional cases, be taken into account as a mitigating factor.

Non-compliance shall be considered an aggravating factor or shall be sanctioned as a separate violation.

5. Conclusive determination

According to Art. 83(2) sentence 1 GDPR, data protection authorities must ensure that fines are effective, proportionate, and dissuasive in each individual case. This means that determining fines is not a strictly mathematical process.

Using the criteria explained above, the data protection authority can determine a range within which a fine can fall. The criteria for increasing and reducing fines give an impression of where a specific fine might fall within the previously determined range.

At the same time, in individual cases, it may be necessary for the data protection authority to impose a fine outside this range in order for the fine to be effective, proportionate, and dissuasive.


Developed by experts

The fine calculator was developed by Fabian Müller, M. Iur.
Over 3 years of experience in data protection law.