GDPR fines overview
The GDPR empowers supervisory authorities to impose administrative fines, structured in two tiers with caps tied to fixed amounts or a percentage of worldwide annual turnover, whichever is higher. Fines are one of several corrective powers. This page explains, educationally, how the penalty framework is built and the factors that shape it.
How the tiers work
Article 83 sets two tiers of administrative fines. The lower tier caps at a fixed euro amount or a percentage of worldwide annual turnover, whichever is higher, for certain obligations; the higher tier applies a larger fixed cap or higher turnover percentage for breaches of core principles, data-subject rights, and transfer rules. The 'whichever is higher' construction means large organisations face turnover-scaled exposure.
- Two tiers with different caps
- Caps are the greater of a fixed sum or a turnover percentage
- Higher tier covers core principles, rights, and transfers
What regulators weigh
Article 83 lists factors authorities must consider, including the nature, gravity, and duration of the infringement, whether it was intentional or negligent, mitigation efforts, the categories of data involved, and cooperation with the authority. Fines are also only one corrective power — warnings, orders, and processing bans are available too. Because outcomes are case-specific, this page deliberately avoids citing made-up benchmark amounts.
How it appears in analytics and logs
Severity under the GDPR depends on factors like the nature and gravity of the infringement, not a flat schedule — context matters more than any single headline number.
Diagnostic use case
Understand how GDPR penalties are scaled and assessed so you can frame analytics and consent compliance risk realistically, without relying on invented figures.
What WebmasterID can help detect
WebmasterID's privacy-first design reduces the high-risk data flows (cross-border transfers, unconsented tracking) most associated with enforcement, but is not a compliance guarantee.
Common mistakes
- Quoting a flat 'GDPR fine amount' as if it were fixed.
- Ignoring the turnover-based 'whichever is higher' rule.
- Forgetting that fines are one of several corrective powers.
Privacy and accuracy notes
This page is educational and not legal advice. It describes the statutory framework, not the outcome of any specific case; consult the regulation and counsel for your situation.
Related pages
- GDPR and web analytics: the practical picture
The GDPR governs processing of personal data of people in the EU. For analytics that means: identifiers and IP addresses can be personal data, consent is often required for cookie-based tracking, and minimisation matters. Cookieless, first-party, anonymised measurement reduces the surface — but this is a factual overview, not legal advice.
- GA and EU DPA rulings
Following the Schrems II ruling, several EU data protection authorities (DPAs) assessed complaints about Google Analytics and found specific deployments unlawful because personal data was transferred to the US without adequate safeguards. This page summarises the pattern of those decisions, educationally, and the transfer lessons they hold for analytics.
- Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
- Privacy-first analytics
Reduce the data flows most tied to enforcement.
Sources and verification notes
- EUR-Lex — GDPR Article 83 (general conditions for fines). Regulation text setting the fine tiers and assessment factors.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.