GDPR Data Breach Fines: Notification Failures, Security Failures, and Real Enforcement Penalties

Last updated: 2026-04-06 — ComplianceStack Editorial Team

GDPR imposes two overlapping obligations when a personal data breach occurs: notify the supervisory authority (DPA) within 72 hours of becoming aware (Article 33), and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). Failure to comply with either notification obligation attracts fines under Article 83(4) — up to €10 million or 2% of total worldwide annual turnover. The underlying security failures that allowed the breach to occur (inadequate technical measures under Article 32) fall under Article 83(4) as well if they involve obligations of controllers and processors, but the most serious security failures may qualify under Article 83(5) (up to €20 million or 4% of global turnover). In practice, DPAs increasingly fine organizations not just for the breach itself but for the inadequate security measures that enabled it — effectively layering Article 32 and Article 5 violations on top of the notification failure. The Irish Data Protection Commission (DPC) — regulator for most major U.S. tech companies' EU operations — issued over €2.4 billion in fines between 2022 and 2025, the majority related to data handling practices connected to breaches or unauthorized disclosures.

Regulatory Authority: GDPR Articles 33 (DPA notification), 34 (individual notification), 32 (security measures), 83(4), 83(5); EDPB Guidelines 9/2022 on personal data breach notification; EDPB Guidelines 04/2022 on calculation of administrative fines; Recitals 85–88 (breach risk assessment); EDPB Guidelines 01/2021 on examples of personal data breach notification

Penalty Tier Breakdown

Failure to Notify DPA Within 72 Hours (Article 33)

Up to €10M or 2% of global annual turnover (whichever is higher) — Article 83(4)
Annual max: €10M / 2% of global turnover cap applies per violation. Multiple notification failures are often aggregated

Article 33 requires controllers to notify their lead DPA 'without undue delay and, where feasible, not later than 72 hours after having become aware' of a personal data breach. If notification occurs after 72 hours, the notification must include reasons for the delay. The 72-hour clock starts from the moment the controller 'becomes aware' — which courts and DPAs have interpreted as when there is a reasonable degree of certainty that a breach has occurred, not when an investigation definitively confirms it. DPAs are increasingly penalizing delayed notifications even where eventual disclosure was full and complete. The fine is not automatic — DPAs consider how quickly the controller notified after the 72-hour window, cooperation quality, size of organization, and whether the delay caused harm to affected individuals.

Example: A mid-size fintech operating in Germany discovers on Day 1 that an unauthorized party accessed a database containing names, email addresses, and account balances of 45,000 customers. The company's CISO initiates an internal investigation before notifying. By Day 8 — six days past the 72-hour deadline — the company notifies the Bundesbeauftragter für den Datenschutz (BfDI). The BfDI finds that the breach was clear within 24 hours of discovery; the investigation delay did not justify withholding notification. Fine: €280,000 for the delayed notification under Article 33, plus a separate assessment of the security measures that allowed unauthorized access.

Failure to Notify Affected Individuals (Article 34)

Up to €10M or 2% of global annual turnover — same cap as Article 33
Annual max: Applied independently from DPA notification failures; total exposure can stack to €20M (2% + 2%) if both obligations are violated

Article 34 requires controllers to communicate a breach to affected individuals 'without undue delay' when the breach is 'likely to result in a high risk to the rights and freedoms of natural persons.' High risk indicators: breach of financial data, health data, passwords, location data, children's data, or any combination that could enable identity theft, financial loss, discrimination, or physical harm. Controllers can avoid individual notification if they implement effective technical measures (encryption, pseudonymization) that render the data unintelligible to unauthorized parties — or if individual notification would require disproportionate effort (in which case a public communication is sufficient). Many organizations fail to assess Article 34 applicability rigorously — focusing on DPA notification while neglecting individual notification requirements.

Example: A healthcare SaaS provider suffers a ransomware attack that encrypts and exfiltrates 12,000 patient records including diagnoses and treatment histories. The company notifies the relevant DPA within 48 hours (inside the 72-hour window). However, the company does not notify affected patients, concluding internally that the breach doesn't meet the 'high risk' threshold. Upon investigation, the DPA determines that health data exposure clearly meets the high-risk standard under Article 34. Fine: €520,000 for failure to notify individuals, separate from a €1.2M fine for inadequate technical security measures (Article 32 violation).

Inadequate Security Measures Enabling Breach (Article 32)

Up to €10M or 2% of global annual turnover under Article 83(4); may qualify for Article 83(5) up to €20M/4% if framed as data processing principles violation
Annual max: DPAs often apply Article 83(5) to security failures that involve processing in violation of basic data protection principles, significantly increasing the fine ceiling

Article 32 requires controllers and processors to implement 'appropriate technical and organisational measures' to ensure a level of security appropriate to the risk — considering encryption, pseudonymization, ongoing confidentiality and integrity assurance, resilience, and ability to restore data access after incidents. Common Article 32 failures that lead to breaches: storing passwords in cleartext (or weakly hashed), failing to patch known vulnerabilities, inadequate access controls, transmitting personal data over unencrypted channels, and using outdated authentication methods. When a breach occurs, DPAs investigate Article 32 compliance as a standard part of the breach investigation. A breach caused by predictable, preventable security failures attracts significantly higher fines than a breach resulting from a sophisticated, novel attack.

Example: A major social media platform is found to have stored hundreds of millions of user passwords in plaintext in internal logs accessible to thousands of employees — a violation discovered during a routine security audit following a separate breach event. No external unauthorized access to the passwords is proven, but storage of plaintext passwords violates Article 32 as a fundamental security failure. Fine: €91 million (Meta Ireland, September 2024) for GDPR violation of Article 32 by storing passwords without appropriate security measures.

Cross-Border Breach — One-Stop-Shop Enforcement with Lead DPA

Lead DPA (typically Irish DPC for major tech companies) sets fine; affected DPAs submit objections; European Data Protection Board (EDPB) can override with higher fine
Annual max: No independent cap beyond Article 83 maximums — EDPB binding decisions have resulted in fines significantly higher than lead DPAs initially proposed

Under GDPR's One-Stop-Shop mechanism, organizations with EU establishment in one member state have a single lead DPA for cross-border processing. For breaches affecting individuals in multiple EU countries, the lead DPA coordinates the investigation and proposes the fine. Concerned DPAs in other member states can object — and have increasingly done so, arguing lead DPA decisions are insufficiently punitive. When objections are filed that the lead DPA refuses to accept, the matter goes to the EDPB for binding resolution. EDPB binding decisions have consistently ordered higher fines than initially proposed — with Meta, WhatsApp, and LinkedIn all subject to EDPB-increased fines. For breach cases involving multinational organizations, this process can take 2–4 years from notification to final fine decision.

Example: A cloud storage provider suffers a breach exposing EU user data across 20 countries. The Irish DPC investigates (lead DPA for the company's EU operations) and proposes a €45M fine. Twelve concerned DPAs in Germany, France, Spain, and other countries object — arguing the fine is insufficient relative to the turnover and severity. The EDPB issues a binding decision requiring the Irish DPC to impose a fine of €310M. The company pays €310M. (This mirrors the LinkedIn €310M fine structure resolved in October 2024.)

How Penalties Are Calculated

GDPR breach fines are calculated using a two-step approach under Article 83. Step 1: Determine the maximum fine level — Article 83(4) (€10M / 2% turnover) applies to notification failures and inadequate security measures; Article 83(5) (€20M / 4% turnover) applies when the breach also reveals violations of basic processing principles (Article 5) or data subjects' rights. Step 2: Apply the Article 83(2) factors to determine the actual fine: (a) nature, gravity, and duration of the violation; (b) intentional or negligent character; (c) actions taken to mitigate damage; (d) degree of responsibility; (e) prior infringements; (f) cooperation with supervisory authority; (g) categories of personal data affected; (h) notification to supervisory authority; (i) adherence to approved codes of conduct; (j) any other aggravating or mitigating factors. DPAs across EU member states have adopted the EDPB's fine-setting methodology (adopted April 2023): starting from a base fine tier, applying aggravating/mitigating multipliers, and ensuring the final fine is effective, proportionate, and dissuasive relative to the organization's turnover.

Recent Enforcement Actions

2024 — Meta Platforms Ireland — Plaintext Password Storage
Meta stored hundreds of millions of Facebook and Instagram user passwords in plaintext in internal logging systems. The passwords were accessible to Meta employees but were not publicly exposed. The Irish DPC investigated following a self-reported incident disclosure and found a fundamental Article 32 security failure.
Penalty: €91 million (approximately $100M) — Irish DPC final decision, September 2024. The fine was calculated as approximately 0.1% of Meta's global annual revenue, reflecting that no unauthorized external access to passwords was proven but that the practice was a serious and systemic violation of GDPR security requirements.
Source: Irish DPC Decision, IN-18-12-2, September 2024

2024 — LinkedIn Ireland — Behavioral Profiling Without Legal Basis
LinkedIn processed personal data of EU users for behavioral profiling and targeted advertising without a valid legal basis and failed to adequately protect against unauthorized processing of user data for ad targeting purposes. The case involved both a breach of data processing principles and Article 32 security failures.
Penalty: €310 million — Irish DPC decision, October 2024. Following EDPB involvement after objections from multiple concerned DPAs who found the initial proposed fine inadequate.
Source: Irish DPC Decision, IN-22-7-2, October 2024; EDPB binding decision

2023 — TikTok Technology Ltd — Children's Data and Consent Failures
TikTok processed children's personal data without adequate safeguards, used public-by-default settings for children's accounts that exposed their content, and failed to implement technical measures preventing children under 13 from creating accounts. The breach of Article 25 (data protection by design) and Article 32 triggered the Article 83(5) maximum fine level.
Penalty: €345 million — Irish DPC decision, September 2023. One of the largest GDPR fines imposed on a single breach/processing practice. TikTok appealed to the Irish courts.
Source: Irish DPC Decision IN-20-3-2, September 2023

2022 — Uber B.V. (Netherlands) — Delayed Breach Notification
Uber concealed a 2016 data breach affecting 57 million users worldwide (including 174,000 Dutch users) for over a year, paying hackers $100,000 to delete the data and keep the breach quiet. When the breach was eventually disclosed in November 2017, Uber notified the Dutch DPA — but the notification was 366 days after Uber became aware of the breach.
Penalty: €600,000 — Dutch Autoriteit Persoonsgegevens (AP), November 2018 (under GDPR transitional regime, capped at pre-GDPR maximum). Under current GDPR, the same breach could attract fines up to €10M or 2% of global turnover — approximately $288M at Uber's 2022 revenue.
Source: Dutch AP Decision, November 2018; cited as GDPR precedent case for Article 33 delayed notification

Frequently Asked Questions

What qualifies as a 'personal data breach' that triggers GDPR notification?

GDPR Article 4(12) defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' This is broader than most people expect — it covers not only hacking and ransomware but also: accidentally emailing personal data to the wrong recipient; losing an unencrypted USB drive containing personal data; deleting personal data accidentally without backup; ransomware that encrypts (but perhaps doesn't exfiltrate) personal data; temporary unavailability of personal data where availability is critical to the purpose. The key question is whether there was a 'breach of security' — not just unauthorized external access. EDPB guidelines provide detailed examples for each breach type.

When does the 72-hour notification clock start?

The 72-hour clock starts when the controller 'becomes aware' of the breach — not when an investigation definitively concludes. EDPB Guidelines 9/2022 clarify that 'awareness' means there is a reasonable degree of certainty that a breach has occurred. Initial detection of an anomaly (a server error, an unusual access pattern, a ransomware note) does not by itself constitute awareness — controllers are entitled to a reasonable period of initial investigation to determine whether a breach has occurred. However, this initial assessment window should be brief (typically 24–48 hours). Once the controller concludes that a personal data breach has likely occurred — even if the full scope is unknown — the 72-hour clock starts. Controllers can submit an initial Article 33 notification with incomplete information (if the full scope is still being assessed) and supplement it later without incurring a delayed notification penalty.

Does encryption or pseudonymization eliminate GDPR breach notification obligations?

Encryption of data at rest and in transit can eliminate the Article 34 individual notification obligation under Article 34(3)(a) — if the encryption was state-of-the-art and the keys were not compromised. However, encryption does NOT eliminate the Article 33 DPA notification obligation: if a breach occurred (even if the exfiltrated data was encrypted), the controller must still notify the DPA within 72 hours. The DPA notification must describe the technical measures in place and explain why individual notification is not required. Pseudonymization (replacing identifying information with codes) provides similar protections if it is genuinely irreversible without access to the key — but pseudonymized data remains personal data under GDPR, so Article 33 notification is still required when pseudonymized data is breached. The encryption exception to Article 34 only applies when the controller can demonstrate the data is truly unintelligible to unauthorized parties.