What is the most common GDPR violation?

Consent violations are the most frequently fined, particularly around cookies and telemarketing. Cross-border transfer violations attract the highest average fines due to the systemic nature of the infringement.

What is a GDPR cross-border transfer violation?

A cross-border transfer violation occurs when personal data of EU residents is transferred to third countries (outside the EEA) without adequate safeguards — such as Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision.

Do you need a DPO under GDPR?

A Data Protection Officer is mandatory for public authorities, organisations that carry out large-scale systematic monitoring of individuals, or those that process special categories of data at large scale. Failure to appoint one when required can trigger fines.

GDPR Violations — Breakdown by Type

What actually triggers GDPR fines? Each violation type carries different risk levels, average fine sizes, and remediation paths. Use this to prioritise your compliance roadmap.

Average fine by violation type

Cross-Border Transfer Violations€557.0M avg

Unlawful Data Processing€270.0M avg

Consent Violations€73.0M avg

Inadequate Security Measures€24.0M avg

Breach Notification Failure€8.5M avg

Failure to Appoint DPO€3.2M avg

Cross-Border Transfer Violations

Art. 44–49 — Upper (Art. 83(5))

Critical Risk

€557.0M

avg fine

Transferring EU personal data to countries without adequate protections. The most expensive GDPR violation category, accounting for the two largest fines ever issued.

What triggers this violation

•Sending EU data to US servers without SCCs or adequacy decision
•Using US-based SaaS tools without data processing agreements
•Storing EU customer data in jurisdictions without adequate laws
•Post-Schrems II non-compliance with Privacy Shield reliance

How to avoid it

✓Conduct a data transfer impact assessment (TIA/DTIA)
✓Implement Standard Contractual Clauses (SCCs) for all third-country transfers
✓Map all data flows including third-party processors
✓Check vendor sub-processor lists for US transfer exposure
✓Evaluate EU-based alternatives for high-risk data categories

Notable enforcement cases

Meta (Facebook) — €1.2B (2023)Amazon — €746.0M (2021)Meta (WhatsApp) — €225.0M (2021)

Unlawful Data Processing

Art. 6, 9 — Upper (Art. 83(5))

Critical Risk

€270.0M

avg fine

Processing personal data without a valid legal basis under Article 6, or processing special category data (health, biometric, children's) without explicit consent or other legal grounds.

What triggers this violation

•Behavioural advertising without valid consent
•Processing special category data (health, biometrics) without explicit consent
•Retaining data beyond stated retention periods
•Using legitimate interests where it is clearly overridden by individual rights

How to avoid it

✓Document a legal basis for every data processing activity
✓Maintain a Records of Processing Activities (RoPA)
✓Implement data minimisation and purpose limitation
✓Conduct Legitimate Interests Assessments (LIAs) where applicable
✓Enforce retention schedules with automated deletion

Notable enforcement cases

Meta (Instagram) — €405.0M (2022)TikTok — €345.0M (2023)TIM Telecom — €27.8M (2020)

Consent Violations

Art. 7, 6(1)(a) — Upper (Art. 83(5))

High Risk

€73.0M

avg fine

Consent must be freely given, specific, informed, and unambiguous. Cookie banners, telemarketing consent, and opt-in/opt-out design are the most common failure points.

What triggers this violation

•Cookie banners where refusal is harder than acceptance
•Pre-ticked consent boxes
•Bundled consent for multiple purposes
•Telemarketing without clear prior opt-in
•No valid withdrawal mechanism

How to avoid it

✓Implement a properly configured Consent Management Platform (CMP)
✓Make rejecting cookies as easy as accepting
✓Use granular consent per processing purpose
✓Audit your third-party cookie and tag inventory
✓Test consent flows for dark patterns

Notable enforcement cases

Google (France) — €150.0M (2022)Google LLC — €100.0M (2021)Criteo — €40.0M (2023)

Inadequate Security Measures

Art. 32 — Upper (Art. 83(5))

High Risk

€24.0M

avg fine

Failure to implement appropriate technical and organisational measures to protect personal data. Typically triggered by data breaches that expose inadequate controls.

What triggers this violation

•Unencrypted or poorly encrypted databases
•Failure to patch known vulnerabilities
•Insufficient access controls and privilege management
•No intrusion detection or monitoring
•Third-party vendor security failures without adequate oversight

How to avoid it

✓Conduct regular penetration testing
✓Implement encryption at rest and in transit
✓Apply least-privilege access principles
✓Run vulnerability management programme
✓Include security requirements in vendor contracts

Notable enforcement cases

British Airways — €22.0M (2020)Marriott International — €20.4M (2020)Deutsche Wohnen — €14.5M (2019)

Breach Notification Failure

Art. 33–34 — Lower (Art. 83(4))

Medium Risk

€8.5M

avg fine

Failing to notify the supervisory authority within 72 hours of discovering a personal data breach, or failing to notify affected individuals when the breach poses a high risk.

What triggers this violation

•Breach discovered but delayed reporting beyond 72 hours
•Breach underreported to minimise perceived severity
•No incident response plan or breach register
•Failing to notify affected high-risk individuals

How to avoid it

✓Implement a documented breach response procedure
✓Define breach severity tiers and notification thresholds
✓Appoint a breach response owner
✓Test breach notification procedures in tabletop exercises
✓Maintain a breach register even for near-misses

Notable enforcement cases

H&M — €35.0M (2020)British Airways — €22.0M (2020)Marriott International — €20.4M (2020)

Failure to Appoint DPO

Art. 37–39 — Lower (Art. 83(4))

Low Risk

€3.2M

avg fine

Public authorities and organisations processing personal data at large scale or processing special categories must appoint a Data Protection Officer. Failure is a straightforward compliance gap.

What triggers this violation

•Organisation meets DPO criteria but hasn't appointed one
•DPO not properly positioned or resourced
•DPO lacks required expertise
•DPO has conflicting roles (e.g. also the CISO or General Counsel)

How to avoid it

✓Assess whether your processing activities require a DPO
✓If required, formally appoint and register the DPO with your DPA
✓Ensure DPO has sufficient resources and access to senior management
✓Consider an external DPO-as-a-service if in-house expertise is lacking

Notable enforcement cases

Various public bodies — €500K (2022)Healthcare processors — €1.2M (2021)

Not sure which violations you're exposed to?

Digital Signet offers a free GDPR gap assessment — we identify your highest-risk violation areas and prioritise what to fix first.

Get Your Free GDPR Exposure Assessment →