Which company has paid the highest GDPR fine?

Meta (Facebook) holds the record for the largest GDPR fine at €1.2 billion, issued by Ireland's DPC in 2023 for illegal transfer of EU personal data to the US.

Which country issues the most GDPR fines?

Ireland (IE), as the lead supervisory authority for many large tech companies, has issued the highest-value fines. Luxembourg issued the Amazon fine. Spain (AEPD) issues the highest volume of individual fines.

Has Amazon received a GDPR fine?

Yes. Amazon received a €746 million GDPR fine from Luxembourg's CNPD in 2021, making it the second-largest GDPR fine ever issued at that time.

Biggest GDPR Fines Database

Every major GDPR enforcement action since 2018. Sortable and searchable. Total shown: €3.81B

€3.81B

Total fines shown

Cases tracked

€1.20B

Largest single fine

€165.5M

Average fine

Company	Country	Year	Violation	Fine
Meta (Facebook)(DPC Ireland) Illegal transfer of EU personal data to the United States via Standard Contractual Clauses.	IE	2023	Cross-border transfer	€1.20B
Amazon(CNPD Luxembourg) Non-compliant advertising targeting and consent practices on Amazon.com.	LU	2021	Unlawful processing	€746.0M
Meta (Instagram)(DPC Ireland) Exposed children's phone numbers and email addresses via business account settings.	IE	2022	Children's data	€405.0M
TikTok(DPC Ireland) Failure to protect children's data, including public-by-default settings for minors.	IE	2023	Children's data	€345.0M
Meta (Facebook)(DPC Ireland) Scraping of Facebook user data exposed in a 533-million-record breach.	IE	2022	Data breach	€265.0M
Meta (WhatsApp)(DPC Ireland) Inadequate transparency about data sharing between WhatsApp and Meta companies.	IE	2021	Transparency	€225.0M
Google (France)(CNIL) Cookie consent mechanism was too difficult to refuse compared to accepting.	FR	2022	Consent violation	€150.0M
Google LLC(CNIL) Placing advertising cookies without prior consent on google.fr and youtube.com.	FR	2021	Consent violation	€100.0M
Facebook (France)(CNIL) Cookies rejected without sufficient ease alongside the Google France case.	FR	2022	Consent violation	€60.0M
Facebook Ireland(CNIL) No easy mechanism to refuse cookies, alongside Google in coordinated enforcement.	FR	2021	Consent violation	€60.0M
Criteo(CNIL) No valid consent for retargeting cookies; failure to honour withdrawal requests.	FR	2023	Consent tracking	€40.0M
H&M(HmbBfDI Hamburg) Extensive covert monitoring of employees' personal and family lives at Nuremberg service centre.	DE	2020	Employee surveillance	€35.5M
TIM (Telecom Italia)(Garante) Aggressive telemarketing campaigns without valid consent and retention of blacklisted numbers.	IT	2020	Unlawful processing	€27.8M
Enel Energia(Garante) Telemarketing without consent and use of insufficiently verified third-party lead lists.	IT	2023	Unlawful processing	€26.5M
British Airways(ICO) Breach affecting 500,000 customers via skimming attack; inadequate security measures.	GB	2020	Data breach	€22.0M Reduced: €20.0M
Marriott International(ICO) Legacy Starwood breach exposing 339 million guest records; failure to perform adequate due diligence.	GB	2020	Data breach	€20.4M
Clearview AI(Garante) Scraping facial recognition data without legal basis; biometric processing without consent.	IT	2022	Biometric data	€20.0M
Clearview AI(CNIL) Unlawful processing of biometric data and facial recognition of French residents.	FR	2022	Biometric data	€20.0M
Deutsche Wohnen(BlnBDI Berlin) Stored tenant personal data in archiving system without the ability to delete when no longer needed.	DE	2019	Inadequate security	€14.5M
Google (Spain)(AEPD) YouTube's failure to obtain valid consent for personalised advertising to minors.	ES	2022	Consent violation	€10.0M
Vodafone Spain(AEPD) Sending commercial communications without consent; failure to respond to opt-out requests.	ES	2021	Unlawful processing	€8.2M
Spotify(IMY Sweden) Inadequate response to data subject access requests and lack of transparency.	SE	2023	Access rights	€5.0M
Meta (Facebook)(Datatilsynet) Behavioural advertising without consent; temporary national ban imposed before EU-level resolution.	NO	2023	Consent violation	€1.0M

■ ≥€500M■ ≥€100M■ ≥€20M■ <€20M

Frequently Asked Questions

What is the largest GDPR fine in history?

The largest GDPR fine to date is €1.2 billion, issued to Meta (Facebook) in May 2023 by the Irish Data Protection Commission for unlawful transfers of EU user data to the United States.

Which DPA issues the most fines?

Spain's AEPD issues the highest volume of fines, primarily for telemarketing and consent violations. Ireland's DPC handles the largest-value fines given its jurisdiction over major US tech companies.

Can GDPR fines be appealed or reduced?

Yes. Companies can appeal fines through national courts. British Airways' fine was reduced from the original figure following Covid-19 financial impact representations. Some fines are suspended pending appeal.

Could your organisation appear in this list?

Get a free GDPR exposure assessment from Digital Signet and find out your highest-risk areas before a regulator does.

Get Your Free GDPR Exposure Assessment →