Risk GuideEU

EU GDPR Penalties and Fines

Penalty exposure under GDPR is shaped by both the fine tiers in Article 83 and the quality of your evidence when something goes wrong.

The fastest way to reduce enforcement pain is to control the common failure modes and keep the response file ready.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 21, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 21, 2026

Overview

Articles 83 and 84 set the penalty structure, but the real driver of outcomes is whether the organisation can show coherent control over the processing in question. GDPR fines operate in two principal tiers, up to EUR 10 million or 2 percent of worldwide annual turnover for one set of infringements, and up to EUR 20 million or 4 percent for the more serious set, with the higher amount applying where relevant. Authorities also consider factors such as gravity, duration, categories of data, intent, mitigation, prior infringements, and cooperation. That means your best penalty-reduction tool is not optimism, it is evidence.

Section 1

1) The Article 83 fine tiers

The law does not use one flat fine ceiling. It distinguishes between lower-tier and higher-tier infringements.

Your control map should understand which failures sit in which tier.

Lower-tier exposure can reach EUR 10 million or 2 percent of worldwide annual turnover, whichever is higher.
Higher-tier exposure can reach EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher.
Article 84 allows Member States to set additional penalties for infringements not already subject to administrative fines.
Supervisory-authority corrective powers under Article 58 matter alongside fines and often shape the business impact immediately.

Section 2

2) Failure patterns that repeatedly increase exposure

The most expensive cases usually combine a substantive failure with poor accountability evidence.

The pattern is familiar: the processing is weak, and the file explaining it is worse.

No clear lawful-basis or purpose record for the processing in question.
Broken DSAR workflow or inability to explain what data was searched and disclosed.
Weak vendor and transfer governance, especially around sub-processors and third-country routes.
Poor incident timekeeping and unclear awareness logic in breach cases.
No up-to-date RoPA or DPIA for the activity under scrutiny.

Section 3

3) What the enforcement-ready pack should contain

If you can export this pack quickly, enforcement discussions stay factual rather than chaotic.

The goal is coherence, not volume.

RoPA extract for the processing activity and the relevant lawful-basis record.
Current and historical notice text, consent evidence where relevant, and policy versions.
DSAR logs or breach file if the case involves rights handling or incident response.
Vendor contract, sub-processor list, transfer mechanism, and TIA or adequacy evidence where relevant.
DPIA, mitigation tracking, and sign-off record for high-risk processing.

Recommended next step

Use EU GDPR Penalties and Fines as a cited research workflow

Research Copilot can take EU GDPR Penalties and Fines from understanding exposure and enforcement with cited answers to a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow

Open Research Copilot for EU GDPR Penalties and Fines

Start from EU GDPR Penalties and Fines and answer scope, timing, and interpretation questions with cited outputs.

Explore next step

Talk to Sorena

Talk through EU GDPR

Review your current process, evidence gaps, and next steps for EU GDPR Penalties and Fines.

Explore next step

Primary sources