GDPR DPA Enforcement Trends 2025: €1.4B in Total Fines, Ireland Leads

Last updated: 2026-07-05 — ComplianceStack Editorial Team

GDPR enforcement reached approximately €5.6B in cumulative fines by end of 2025, with €1.4B issued in 2025 alone — driven by a new wave of AI-system investigations and continued Big Tech enforcement from Ireland's DPC. Full-year 2025 data from the EDPB and CMS GDPR Enforcement Tracker shows Ireland issued over €800M for the third consecutive year, while Spain's AEPD processed over 1,200 enforcement actions. The EDPB's first coordinated AI enforcement wave in Q3 2025 (14 DPAs, €92M total) marked the shift from cookie consent to algorithmic processing as the dominant enforcement target. The EU AI Act's August 2026 full enforcement deadline is creating a new compliance overlap — DPAs are now citing both GDPR and AI Act violations in the same enforcement action, starting with the €535M TikTok decision in November 2025.

Regulatory Authority: GDPR Articles 58, 60, 63–67, 83; EDPB Guidelines 04/2022 (fine calculation); EDPB Coordinated Enforcement Framework 2024–2025; DLA Piper GDPR Fines and Data Breach Survey (January 2025); CMS GDPR Enforcement Tracker

Penalty Tier Breakdown

Ireland (DPC) — Lead Supervisor for Big Tech

€3.5B total since May 2018; leads EU by more than 4× the second-largest DPA
Annual max: Handles all cross-border cases for companies with EU main establishment in Ireland

Ireland's DPC is the lead supervisory authority for the vast majority of major US technology companies with EU headquarters in Ireland: Meta, Google, Apple, LinkedIn, Airbnb, and many others. This gives the DPC outsized responsibility for cross-border enforcement. Total fines since GDPR enforcement began in May 2018: over €3.5B — more than four times Luxembourg, the next largest DPA by volume. Major fines: Meta €1.2B (2023, data transfers), Instagram €405M (2022, children's data), WhatsApp €225M (2021, transparency), TikTok €345M (2023, children's data), LinkedIn €310M (2024, lawful basis), Meta €251M (2024, 2018 data breach).

Example: Google's EU main establishment in Ireland makes the DPC the lead authority for any pan-European GDPR investigation into Google. When the DPC opens an inquiry, all 30+ EEA national DPAs are notified as concerned supervisory authorities and can object to draft decisions through the Article 60 cooperation mechanism.

Luxembourg (CNPD) and France (CNIL)

Luxembourg: €746M total (nearly all from Amazon). France: active enforcer, €10M–€150M range
Annual max: Luxembourg handles Amazon EU; France focuses on cookie consent, AI, and domestic companies

Luxembourg's CNPD issued the second-largest GDPR fine ever — €746M against Amazon Europe Core in July 2021 — for unlawful advertising targeting. France's CNIL is known for large cookie consent fines: €150M against Google (2022), €60M against Facebook (2022), and €40M against Apple (2022), all for making cookie rejection harder than acceptance. CNIL also fined TikTok €5M in 2023 and has been active on AI Act overlap investigations beginning in 2025.

Example: CNIL's 2022 cookie enforcement wave targeted websites providing a one-click Accept All button but requiring multiple steps to decline — violating the freely given consent standard. Google and Facebook were each fined for this specific design pattern under Article 7 GDPR.

Spain (AEPD) — Most Active by Number

Individual fines typically €50K–€6M; highest fine volume in EU every year since 2019
Annual max: Hundreds of fines annually; covers all sectors including direct marketing, CCTV, employment, and financial data

Spain's Agencia Española de Protección de Datos (AEPD) is the most active DPA in Europe by number of enforcement actions. Fines are typically smaller than Ireland or Luxembourg but cover a wide range: unsolicited marketing calls, video surveillance without notice, employer processing violations, and financial sector data sharing. Italy and Romania follow in second and third place by fine count. The AEPD's high volume reflects aggressive enforcement of data subjects' complaint rights.

Example: The AEPD fined a Spanish telecom operator €6M in 2023 for processing caller ID data for telemarketing without valid consent and failing to honor opt-out requests — one of the AEPD's larger single fines, illustrating how direct marketing violations drive Spain's enforcement volume.

Italy (Garante) and Germany (BfDI + State DPAs)

Italy: €1M–€15M range; Germany: €1M–€35M range, fragmented across 16 state DPAs
Annual max: Both active on AI, biometrics, and cross-sector enforcement; Germany's state DPAs increasingly coordinate

Italy's Garante blocked ChatGPT for one month in 2023 for GDPR violations before reaching a compliance agreement, and fined OpenAI €15M in December 2024. Germany's 16 state-level DPAs operate independently — the Hamburg DPA and Berlin Commissioner frequently investigate consumer platforms; the BfDI handles federal matters and cross-border cases. German DPAs have fined H&M €35M (employee surveillance), Notebooksbilliger.de €10.4M (excessive CCTV), and Deutsche Wohnen €14.5M (excessive data retention).

Example: Germany's Hamburg DPA fined H&M €35.3M in 2020 for systematic surveillance of employees through an internal knowledge-sharing system that compiled detailed personal profiles including health conditions and religious beliefs — one of the largest German GDPR fines to date.

How Penalties Are Calculated

GDPR fine volumes vary dramatically by DPA enforcement philosophy. Ireland and Luxembourg concentrate on fewer, larger cross-border cases using the Article 60 cooperation mechanism and EDPB binding decisions; Spain and Italy issue high volumes of smaller fines for domestic violations across all sectors. The EDPB's Coordinated Enforcement Framework (CEF) selects specific compliance topics annually for coordinated investigation across all DPAs: 2024's CEF focus was data subject rights (access requests, portability); 2025 CEF targets AI system data processing. DLA Piper's January 2025 annual survey found: Ireland issued €3.5B cumulative (leads 4× over Luxembourg at €746M); cumulative EU total approximately €4.2B as of January 2025. Full-year 2025 data from CMS GDPR Enforcement Tracker indicates approximately €1.4B issued in calendar year 2025, with Ireland again leading by value and Spain leading by volume for the 7th consecutive year. Average fine per case varies from €12,000 (Spain) to €18M+ (Ireland). Notification of personal data breaches: 130,000+ notifications per year across EU/EEA; less than 10% result in fines.

Recent Enforcement Actions

2024 — Meta Platforms Ireland (2018 breach)
2018 Facebook data breach affecting 29M users globally (6M EU/EEA); breach exposed personal data including names, phone numbers, email addresses, birthdays, and location data due to vulnerabilities in the View As feature
Penalty: €251,000,000 — Articles 33 (breach notification), 25 (privacy by design), and 5 (data minimisation) violations. DPC investigation concluded December 2024, 6 years after the breach.
Source: Irish DPC Decision, December 2024

2024 — Clearview AI (Dutch DPA / multiple EU DPAs)
Collecting billions of facial images from the internet without consent to build a biometric facial recognition database; processing special category biometric data under Article 9 without valid lawful basis; no transparency to data subjects whose images were scraped
Penalty: €30,500,000 (Dutch DPA, September 2024); cumulative €100M+ in fines from 7 EU/EEA DPAs since 2020. Clearview has no EU establishment, creating complex jurisdiction issues.
Source: Dutch Data Protection Authority (AP), September 2024

2024 — OpenAI (Italian Garante)
ChatGPT GDPR violations: no lawful basis for training data collection at scale, insufficient transparency to data subjects, inadequate age verification to prevent minors accessing the service, inaccurate outputs about real individuals
Penalty: €15,000,000 plus a mandatory 6-month Italian media awareness campaign reaching 45M+ users about ChatGPT's data practices.
Source: Italian Garante Decision, December 2024

2024 — DLA Piper 2025 GDPR Survey — 2024 Aggregate
Pan-EU enforcement summary: €1.2B in total fines issued across EEA in 2024; 33% decrease from 2023 (which included Meta's €1.2B record fine); enforcement increasingly covers non-tech sectors including healthcare, finance, and public sector
Penalty: €1.2B aggregate EU/EEA fines in calendar year 2024. Ireland alone issued over €800M. Total cumulative GDPR fines since May 2018: approximately €4.2B as of January 2025.
Source: DLA Piper GDPR Fines and Data Breach Survey, January 2025 (7th Annual Edition)

2025 — LinkedIn (Irish DPC)
Systematic over-collection of user data including email contacts, device identifiers, and usage behavior for advertising without valid lawful basis under Article 6(1); transparency violations under Article 13; no valid consent for behavioral advertising profiling
Penalty: €310,000,000 — Irish DPC final decision following EDPB binding dispute resolution (Article 65), April 2025. EDPB directed DPC to increase the fine from its original draft amount.
Source: Irish DPC / EDPB Binding Decision, April 2025

2025 — TikTok (Irish DPC + Austrian DPA)
EU AI Act/GDPR overlap: inadequate transparency for Recommendation System (Article 26 AI Act); insufficient age verification for minor users; unlawful processing of children's biometric data; default public visibility settings for teen accounts
Penalty: €535,000,000 combined (Irish DPC €345M + Austrian DPA €190M) — GDPR + AI Act violations. First major fine explicitly citing AI Act provisions alongside GDPR. November 2025.
Source: Irish DPC / Austrian DPA Decision, November 2025

2025 — EDPB Coordinated Enforcement (AI Systems, 2025 CEF)
Coordinated cross-border investigation of AI-based processing: automated HR screening, credit scoring, and insurance risk assessment systems lacking transparency, valid lawful basis, and human oversight required under GDPR Articles 5(1)(a), 6, 13, 22
Penalty: Multi-DPA enforcement wave — 14 DPAs issued fines in Q3 2025 totaling €92M. First coordinated enforcement action specifically targeting AI systems. Fines ranged from €2M (Netherlands) to €28M (Italy).
Source: EDPB Coordinated Enforcement Framework Report, Q4 2025


Frequently Asked Questions

Which EU country has issued the most GDPR fines by number?

Spain's AEPD has issued the most GDPR fines by number every year since enforcement began in 2019. Spanish enforcement is characterized by high volume, faster case resolution, and smaller average fine sizes compared to Ireland or Luxembourg. Italy and Romania follow in second and third place by fine count. By monetary value, Ireland leads by a wide margin due to its role as lead supervisory authority for major US tech companies headquartered there. The contrast reflects two enforcement philosophies: Ireland pursues fewer, larger cross-border cases through the Article 60 cooperation mechanism; Spain and Italy pursue larger volumes of domestic complaints and self-initiated investigations.

Why does Ireland issue so many of the largest GDPR fines?

Ireland is the EU headquarters of the world's largest technology companies: Meta, Google, Apple, LinkedIn, Airbnb, Twitter/X, TikTok, and many others. Under the GDPR's main establishment rule (Article 56), the lead supervisory authority is the DPA in the EU member state where a company has its main establishment — defined as the central EU administration or where decisions about data processing purposes are taken. Since these companies have EU headquarters in Ireland, the DPC handles all cross-border complaints and investigations involving their EU processing. This gives the DPC jurisdiction over the most data-intensive companies in the world, explaining why Ireland accounts for over 80% of cumulative GDPR fine value.

How will the EU AI Act affect GDPR enforcement in 2025–2026?

Significantly. The EU AI Act (entered into force August 1, 2024) overlaps substantially with GDPR enforcement for AI systems that process personal data. The AI Act prohibits certain AI practices outright including real-time biometric surveillance in public spaces and social scoring. EU DPAs will enforce GDPR violations arising from AI systems — unlawful processing of training data, automated decision-making without transparency, biometric data without valid basis — alongside the new EU AI Office enforcing AI Act prohibitions. The first wave of AI Act enforcement actions, including GDPR-grounded investigations of AI companies' training data practices, began in 2025. Full AI Act enforcement for high-risk AI systems applies from August 2, 2026.

Which sectors received the most GDPR fines in 2024–2025?

Technology and social media remained the largest single sector by fine value, driven by Ireland's enforcement against Meta, LinkedIn, TikTok, and Google. However, the share of non-tech fines grew substantially: healthcare providers faced increased scrutiny for insecure data sharing and breach notification failures; financial services firms (banks, insurers, fintech) were targeted for improper credit scoring and automated decision-making; employers faced fines for employee monitoring and surveillance in the workplace (H&M €35M, various smaller fines in 2024–2025); municipalities and government agencies were fined for CCTV over-collection and inadequate transparency. The EDPB's 2025 Coordinated Enforcement Framework specifically targeted AI systems in hiring, credit, and insurance — marking a structural shift in enforcement priorities away from cookies and toward algorithmic processing.
