Key GDPR Statistics Explained

Key GDPR Statistics Explained

The General Data Protection Regulation (GDPR) came into effect in May 2018, aimed at protecting the personal data of individuals within the European Union. Since then, there has been a significant increase in the number of data protection breaches reported to regulators, resulting in fines for companies and organisations that have infringed on the GDPR.

Below we present a brief summary of fines levied by GDPR regulators across Europe over the past five years.

Total GDPR Fines

According to official reports, GDPR regulators across Europe have now imposed a total of € 2 762 294 582, or € 2.7 billion, in fines, from a total of 1 560 fines on various companies in multiple industries since May 2018.

Spain has, by far, the highest number of fines with 610 imposed fines at a total sum of € 58 million, but Ireland holds the record for highest fines with € 1.3 billion from only 24 imposed fines. The explanation for this is of course the establishment of many global companies in Ireland, but it may also give an insight on difference in strategy for supervision and imposing fines in the different countries.

Top of the list

As could be expected, companies such as Amazon, Meta, Google etc., with global revenues, are the companies that you will find at the top of the list, with the highest fines. Amazon has been fined with the most substantial fine of them all, a whopping € 746 million, in Luxembourg in 2021. The fine was issued for processing of personal data without obtaining legal ground and failure to provide adequate information to data subjects. 

Meta (including Facebook and WhatsApp) holds 5 of the top 10 places on the list and has in total been fined intangible € 1.3 billion for GDPR violations. That is half of the total sum of fines imposed in all of Europe for the entire 5 years. The fines imposed on Meta have been issued for violating general data processing principles including insufficient technical and organizational security measures, insufficient information to the data subjects and lack of legal basis for processing personal data. 

Google holds 3 of the top 10 places and has been fined € 200 million in France only. The fines have been issued for insufficient legal basis for processing personal data.  

The top 10 list also shows that the sector “Media, telecom and broadcasting” is in the lead, concerning violations of the GDPR. Second on the list you will find “Industry and commerce” with approximately half of the issued sum of fines, but with a larger number of fines, 363 compared to 268.  

Types of GDPR breaches 

Since many of the administrative fines that are imposed originates from complaints from the data subjects, it is important to keep track of what the most common breaches has been over the years. Looking at the statistics, the most common GDPR breaches within the first 5 years with the GDPR, has been insufficient legal basis for personal data processing with a total of 510 fines and a total sum of € 431 million.

Non-compliance with general data processing principles ends up in second place with 395 fines but with a total of € 1.6 billion. It seems logical and somewhat fulfilling that the general principles of privacy also are the most expensive for companies to violate, both since article 5 of the GDPR is one of the articles that has the 4 percent of the global revenues or € 20 million, whichever is higher, possible fine, and also since this is the absolute foundation of the legislation.  


This short summary of GDPR breach fines in Europe over the last 5 years, shows that regulators are taking data protection seriously, and more businesses are facing significant penalties for GDPR breaches. Companies need to ensure that they have comprehensive data protection policies and security measures in place to avoid GDPR breaches and potential financial repercussions. 

It is also essential for businesses to understand that a GDPR breach can lead to damage to their reputation and loss of customer trust. Therefore, it is crucial to continue educating both employees and management about data protection to ensure compliance with GDPR regulations. 

In conclusion, GDPR regulators across Europe have demonstrated a willingness to enforce the regulation and levy hefty fines on companies that do not comply with the GDPR, and companies need to take steps to ensure that they refrain from violating the GDPR.  

Five years down the road we know much more about what we need to do to be compliant with the GDPR and also how the authorities assess the different breaches. We therefore advise organizations to implement a sustainable privacy strategy. It is clear that we need to prioritize secure processing of personal data, to stay updated and, if we can, ahead of the legislator, since digitalization and new tech solutions will evolve and thus challenge privacy through the intense use of personal data.