EU Regulation 2016/679 - Decision Register
REF / EU REG 2016/679 / ART. 83(4) - 83(5)ISSUED 2018-05-25 / IN FORCE

The Article 83 Fine Calculator& DPA Decision Register

Every major GDPR fine issued by the 27 EU data protection authorities, the UK ICO, and EEA regulators since May 2018, sourced to the original published decision. Estimate your Article 83(4) or 83(5) exposure, or browse the register.

Calculate exposureBrowse decisions
Article 83 - Maximum Administrative Fines

Tier 1 - Art. 83(4)

€10M

or 2% of global annual turnover (whichever is higher). Records, DPO, certification, DPIA breaches.

Tier 2 - Art. 83(5)

€20M

or 4% of global annual turnover (whichever is higher). Principles, consent, rights, transfers.

SECTION I / EXPOSURE ESTIMATE / FORM

Article 83 Fine Calculator

Indicative estimate of the administrative fine a supervisory authority could impose under Regulation (EU) 2016/679 Article 83. Inputs reflect the ten criteria set out in Article 83(2). Estimates are not legal advice.

FORM 83 / INPUTSArticle 83(5) upper tier (4% or €20M)

Group-wide global revenue, used for the percentage cap.

Article 83(2)(a): nature, gravity, number affected.

Article 83(5) upper tier (4% or €20M)

Longer infringements weigh against the controller.

F.Mitigating measures (Art. 83(2)(c), (f), (h))

PROCEDURAL NOTE / CALCULATION

How a supervisory authority sets a fine

Under Article 83(1) GDPR, an administrative fine must be effective, proportionate and dissuasive. Authorities first determine which statutory cap applies, then apply the ten Article 83(2) criteria to arrive at a specific amount within that cap. The criteria include both aggravating factors (intentional conduct, prior infringements, obstruction) and mitigating factors (prompt notification, full cooperation, remedial measures, an effective DPO).

i.

Identify the violated article

Determine which GDPR provision was breached. This sets the tier under 83(4) or 83(5).

ii.

Apply the statutory cap

Compare the percentage-of-turnover cap to the absolute Euro cap. The higher of the two is the ceiling.

iii.

Apply Article 83(2) criteria

Weigh the ten factors to arrive at a specific fine within the cap. Document every factor in the decision.

Read the full calculation methodology →

EXPLORE THE REGISTER

Browse fines, filtered by the lens that matters

SECTION

Decision register

Searchable list of every indexed fine. Filter by company, year, country, violation, and status.

Open section →

SECTION

By supervisory authority

Compare DPA enforcement across Ireland, Spain, France, Germany, Italy, the UK and others.

Open section →

SECTION

By violation type

Consent, transfers, security, processing, transparency, DPO failures, breach notification.

Open section →

SECTION

By industry sector

Technology, finance, healthcare, telecom, retail, energy and the public sector compared.

Open section →

SECTION

Statistics & trends

Annual totals, trend lines, headline benchmarks, and the state of GDPR enforcement.

Open section →

SECTION

Compliance vs fines

What does GDPR compliance cost, and how does that compare to the fine you would face?

Open section →

FREQUENTLY ASKED

About GDPR fines

What is the maximum GDPR fine?
Under Article 83(5), the maximum administrative fine is €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Lower-tier infringements under Article 83(4) are capped at €10 million or 2% of turnover, whichever is higher.
What is the largest GDPR fine ever issued?
Meta Platforms received a €1.2 billion fine from Ireland's Data Protection Commission in May 2023 for unlawful transfers of EU personal data to the United States, contrary to Article 46(1).
How are GDPR fines calculated?
Supervisory authorities apply the ten criteria in Article 83(2): nature, gravity and duration of the infringement; intentional or negligent character; mitigating actions; degree of responsibility; relevant previous infringements; cooperation; categories of data; manner the breach became known; compliance with prior corrective measures; and any other aggravating or mitigating factor.
Can small businesses be fined under GDPR?
Yes. The 2% / 4% turnover cap means percentage-based fines scale to the size of the controller, but the €10M / €20M alternative cap applies regardless of size. Spain's AEPD has issued hundreds of small-business fines, typically in the €1,000 to €50,000 range.
Is the UK GDPR the same as the EU GDPR?
No, although they remain substantively similar. Post-Brexit, the UK GDPR is a separate domestic regime enforced by the ICO. Decisions of the EU DPAs do not bind the UK and vice versa, though they are often cross-referenced.

REGISTER UPDATED 2026-04-28