GDPR DPA Enforcement Trends: 2024–2025 Fine Volume and Patterns

Last updated: 2026-04-05 — ComplianceStack Editorial Team

GDPR enforcement reached approximately €4.2B in cumulative fines by January 2025, with €1.2B issued in 2024 alone — a 33% decrease from 2023's record year, which was inflated by Meta's €1.2B single fine. Enforcement is no longer limited to Big Tech: 2024 saw DPAs across Europe fining healthcare providers, employers, municipalities, and financial services firms. Ireland's Data Protection Commission remains the dominant enforcer by monetary value, while Spain's AEPD leads by number of fines. The EDPB's coordination role is strengthening, and the EU AI Act's August 2026 full enforcement date is driving a new wave of compliance obligations with direct GDPR overlap.

Regulatory Authority: GDPR Articles 58, 60, 63–67, 83; EDPB Guidelines 04/2022 (fine calculation); EDPB Coordinated Enforcement Framework 2024–2025; DLA Piper GDPR Fines and Data Breach Survey (January 2025); CMS GDPR Enforcement Tracker

Penalty Tier Breakdown

Ireland (DPC) — Lead Supervisor for Big Tech

€3.5B total since May 2018; leads the EU by more than 4× the second-largest DPA
Scope: Handles all cross-border cases for companies with their EU main establishment in Ireland

Ireland's DPC is the lead supervisory authority for the vast majority of major US technology companies with EU headquarters in Ireland: Meta, Google, Apple, LinkedIn, Airbnb, and many others. This gives the DPC outsized responsibility for cross-border enforcement. Total fines since GDPR enforcement began in May 2018: over €3.5B — more than four times Luxembourg, the next largest DPA by volume. Major fines: Meta €1.2B (2023, data transfers), Instagram €405M (2022, children's data), WhatsApp €225M (2021, transparency), TikTok €345M (2023, children's data), LinkedIn €310M (2024, lawful basis), Meta €251M (2024, 2018 data breach).

Example: Google's EU main establishment in Ireland makes the DPC the lead authority for any pan-European GDPR investigation into Google. When the DPC opens an inquiry, all 30+ EEA national DPAs are notified as concerned supervisory authorities and can object to draft decisions through the Article 60 cooperation mechanism.

Luxembourg (CNPD) and France (CNIL)

Luxembourg: €746M total (nearly all from Amazon). France: active enforcer, €10M–€150M range
Scope: Luxembourg handles Amazon EU; France focuses on cookie consent, AI, and domestic companies

Luxembourg's CNPD issued the second-largest GDPR fine ever — €746M against Amazon Europe Core in July 2021 — for unlawful advertising targeting. France's CNIL is known for large cookie consent fines: €150M against Google (2022), €60M against Facebook (2022), and €40M against Apple (2022), all for making cookie rejection harder than acceptance. CNIL also fined TikTok €5M in 2023 and has been active on AI Act overlap investigations beginning in 2025.

Example: CNIL's 2022 cookie enforcement wave targeted websites providing a one-click Accept All button but requiring multiple steps to decline — violating the freely given consent standard. Google and Facebook were each fined for this specific design pattern under Article 7 GDPR.

Spain (AEPD) — Most Active by Number

Individual fines typically €50K–€6M; highest fine volume in the EU every year since 2019
Scope: Hundreds of fines annually; covers all sectors including direct marketing, CCTV, employment, and financial data

Spain's Agencia Española de Protección de Datos (AEPD) is the most active DPA in Europe by number of enforcement actions. Fines are typically smaller than Ireland or Luxembourg but cover a wide range: unsolicited marketing calls, video surveillance without notice, employer processing violations, and financial sector data sharing. Italy and Romania follow in second and third place by fine count. The AEPD's high volume reflects aggressive enforcement of data subjects' complaint rights.

Example: The AEPD fined a Spanish telecom operator €6M in 2023 for processing caller ID data for telemarketing without valid consent and failing to honor opt-out requests — one of the AEPD's larger single fines, illustrating how direct marketing violations drive Spain's enforcement volume.

Italy (Garante) and Germany (BfDI + State DPAs)

Italy: €1M–€15M range; Germany: €1M–€35M range, fragmented across 16 state DPAs
Scope: Both active on AI, biometrics, and cross-sector enforcement; Germany's state DPAs increasingly coordinate

Italy's Garante blocked ChatGPT for one month in 2023 for GDPR violations before reaching a compliance agreement, and fined OpenAI €15M in December 2024. Germany's 16 state-level DPAs operate independently — the Hamburg DPA and Berlin Commissioner frequently investigate consumer platforms; the BfDI handles federal matters and cross-border cases. German DPAs have fined H&M €35M (employee surveillance), Notebooksbilliger.de €10.4M (excessive CCTV), and Deutsche Wohnen €14.5M (excessive data retention).

Example: Germany's Hamburg DPA fined H&M €35.3M in 2020 for systematic surveillance of employees through an internal knowledge-sharing system that compiled detailed personal profiles including health conditions and religious beliefs — one of the largest German GDPR fines to date.

How Penalties Are Calculated

GDPR fine volumes vary dramatically by DPA enforcement philosophy. Ireland and Luxembourg concentrate on fewer, larger cross-border cases using the Article 60 cooperation mechanism and EDPB binding decisions; Spain and Italy issue high volumes of smaller fines for domestic violations across all sectors.

The EDPB's Coordinated Enforcement Framework (CEF) selects specific compliance topics annually for coordinated investigation across all DPAs: the 2024 CEF focus was data subject rights (access requests, portability); the 2025 CEF targets AI system data processing.

DLA Piper's January 2025 annual survey found that Ireland has issued €3.5B cumulatively (more than 4× Luxembourg at €746M) and that the cumulative EU total is approximately €4.2B. The average fine per case ranges from €12,000 (Spain) to €18M+ (Ireland). Personal data breach notifications exceed 130,000 per year across the EU/EEA; fewer than 10% result in fines.

Recent Enforcement Actions

2024 — Meta Platforms Ireland (2018 breach)
2018 Facebook data breach affecting 29M users globally (6M EU/EEA); the breach exposed personal data including names, phone numbers, email addresses, birthdays, and location data due to vulnerabilities in the View As feature
Penalty: €251,000,000 — violations of Articles 33 (breach notification), 25 (privacy by design), and 5 (data minimisation). DPC investigation concluded December 2024, 6 years after the breach.
Source: Irish DPC Decision, December 2024

2024 — Clearview AI (Dutch DPA / multiple EU DPAs)
Collecting billions of facial images from the internet without consent to build a biometric facial recognition database; processing special category biometric data under Article 9 without a valid lawful basis; no transparency to data subjects whose images were scraped
Penalty: €30,500,000 (Dutch DPA, September 2024); cumulative €100M+ in fines from 7 EU/EEA DPAs since 2020. Clearview has no EU establishment, creating complex jurisdiction issues.
Source: Dutch Data Protection Authority (AP), September 2024

2024 — OpenAI (Italian Garante)
ChatGPT GDPR violations: no lawful basis for training data collection at scale, insufficient transparency to data subjects, inadequate age verification to prevent minors from accessing the service, inaccurate outputs about real individuals
Penalty: €15,000,000 plus a mandatory 6-month Italian media awareness campaign reaching 45M+ users about ChatGPT's data practices.
Source: Italian Garante Decision, December 2024

2024 — DLA Piper 2025 GDPR Survey — 2024 Aggregate
Pan-EU enforcement summary: €1.2B in total fines issued across the EEA in 2024; a 33% decrease from 2023 (which included Meta's €1.2B record fine); enforcement increasingly covers non-tech sectors including healthcare, finance, and the public sector
Penalty: €1.2B aggregate EU/EEA fines in calendar year 2024. Ireland alone issued over €800M. Total cumulative GDPR fines since May 2018: approximately €4.2B as of January 2025.
Source: DLA Piper GDPR Fines and Data Breach Survey, January 2025 (7th Annual Edition)

Frequently Asked Questions

Which EU country has issued the most GDPR fines by number?

Spain's AEPD has issued the most GDPR fines by number every year since enforcement began in 2019. Spanish enforcement is characterized by high volume, faster case resolution, and smaller average fine sizes compared to Ireland or Luxembourg. Italy and Romania follow in second and third place by fine count. By monetary value, Ireland leads by a wide margin due to its role as lead supervisory authority for major US tech companies headquartered there. The contrast reflects two enforcement philosophies: Ireland pursues fewer, larger cross-border cases through the Article 60 cooperation mechanism; Spain and Italy pursue larger volumes of domestic complaints and self-initiated investigations.

Why does Ireland issue so many of the largest GDPR fines?

Ireland is the EU headquarters of the world's largest technology companies: Meta, Google, Apple, LinkedIn, Airbnb, Twitter/X, TikTok, and many others. Under the GDPR's main establishment rule (Article 56), the lead supervisory authority is the DPA in the EU member state where a company has its main establishment — defined as the central EU administration or where decisions about data processing purposes are taken. Since these companies have EU headquarters in Ireland, the DPC handles all cross-border complaints and investigations involving their EU processing. This gives the DPC jurisdiction over the most data-intensive companies in the world, explaining why Ireland accounts for over 80% of cumulative GDPR fine value.

How will the EU AI Act affect GDPR enforcement in 2025–2026?

Significantly. The EU AI Act (entered into force August 1, 2024) overlaps substantially with GDPR enforcement for AI systems that process personal data. The AI Act prohibits certain AI practices outright including real-time biometric surveillance in public spaces and social scoring. EU DPAs will enforce GDPR violations arising from AI systems — unlawful processing of training data, automated decision-making without transparency, biometric data without valid basis — alongside the new EU AI Office enforcing AI Act prohibitions. The first wave of AI Act enforcement actions, including GDPR-grounded investigations of AI companies' training data practices, began in 2025. Full AI Act enforcement for high-risk AI systems applies from August 2, 2026.