GDPR Maximum Fines: Article 83 Tier 2 Penalties Explained

Last updated: 2026-04-13 — ComplianceStack Editorial Team

GDPR's most severe fines apply under Article 83(5) — violations of fundamental data processing principles, consent requirements, data subject rights, and cross-border transfer rules. The cap is €20,000,000 or 4% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher. For global companies, the 4% revenue figure typically governs. The largest GDPR fine to date — €1.2 billion against Meta in 2023 — was assessed under Article 83(5) for unlawful data transfers from the EU to the US. This page covers the full Tier 2 fine structure, how DPAs calculate actual penalty amounts, and what factors determine where in the range your organization lands.

Regulatory Authority: GDPR Article 83 (General conditions for imposing administrative fines), Article 83(4) (Tier 1 violations), Article 83(5) (Tier 2 violations), Article 83(6) (Supervisory authority order non-compliance), EDPB Guidelines 04/2022 and 05/2023 on the application of Article 83


Penalty Tier Breakdown

Article 83(5) Tier 2 — Maximum Fine

Up to €20,000,000 or 4% of global annual turnover
Annual max: 4% of total worldwide annual turnover (whichever is higher)

The highest GDPR fine tier covers violations of: core data processing principles (Article 5), legal basis for processing (Article 6), consent conditions (Article 7), children's data (Article 8), data subject rights (Articles 12–22), international data transfer requirements (Chapter V), and orders from supervisory authorities.

Example: Meta Ireland was fined €1.2 billion by the Irish DPC in 2023 for transferring personal data of EU Facebook users to the US under Standard Contractual Clauses that were deemed inadequate following the Schrems II ruling — an Article 83(5) violation of Chapter V transfer requirements.

Article 83(4) Tier 1 — Lower Fine

Up to €10,000,000 or 2% of global annual turnover
Annual max: 2% of total worldwide annual turnover (whichever is higher)

Lower-tier violations cover data controller and processor obligations (Articles 8, 11, 25–39, 42, 43) and the obligations of certification and monitoring bodies. These are less severe but still substantial — Amazon's €746M fine for processing non-compliance was assessed in this range.

Example: A data processor failed to maintain Records of Processing Activities (RoPA) under Article 30, did not implement data protection by design (Article 25), and had not entered into data processing agreements with all of its sub-processors. The DPA assessed a Tier 1 fine.

Article 83(6) — Supervisory Authority Non-Compliance

Up to €20,000,000 or 4% of global annual turnover
Annual max: 4% of total worldwide annual turnover

This tier covers non-compliance with DPA orders (access restriction orders, processing bans, data subject requests forwarded by DPAs). A violation of a DPA order can be charged separately from, and in addition to, the underlying violation that triggered the order.

Example: A company continued processing personal data for direct marketing after the German DPA issued a binding order to stop. The DPA imposed a separate Article 83(6) fine on top of the original Article 83(5) fine.

Article 58 — Processing Ban (Non-Monetary)

Temporary or permanent processing ban
Annual max: Full cessation of data processing operations

DPAs can impose temporary or permanent bans on data processing — effectively shutting down business operations that depend on personal data. Meta received a processing ban in 2023 requiring suspension of Facebook EU-US data transfers.

Example: The Austrian DPA ordered a company to delete all personal data transferred to US cloud providers that could not be protected under standard contractual clauses. Non-compliance triggered separate fines under Article 83(6).

How Penalties Are Calculated

GDPR fines are not automatic. Under Article 83(2), DPAs must consider 10 factors when deciding whether to fine and how much:

1. nature, gravity, and duration of the violation;
2. intentional or negligent character of the violation;
3. mitigating actions taken;
4. degree of responsibility;
5. prior infringements;
6. degree of cooperation with the DPA;
7. categories of personal data affected;
8. how the DPA learned of the violation;
9. compliance with prior corrective measures;
10. adherence to approved codes of conduct.

The EDPB's 2023 Fine Guidelines (05/2023) establish a standardized methodology: a starting point based on the violation tier, adjusted by the mitigating and aggravating factors above, subject to a proportionality cap based on company size. Cooperation, self-reporting, and implementing recommended safeguards before the investigation concludes are the most reliable ways to reduce the final fine.

Recent Enforcement Actions

2023 — Meta Platforms Ireland
Unlawful transfer of EU user data to US servers under Standard Contractual Clauses that did not adequately protect against US surveillance laws (Chapter V, Article 83(5))
Penalty: €1,200,000,000 — Article 83(5) / Chapter V
Source: Irish Data Protection Commission (DPC), May 2023

2021 — Amazon Europe Core S.à r.l.
Unlawful processing of personal data for advertising purposes; cookie consent mechanism did not meet GDPR standards
Penalty: €746,000,000 — Article 83(5) / Article 6 (legal basis)
Source: Luxembourg CNPD, July 2021

2022 — Instagram (Meta Platforms Ireland)
Processing children's data without adequate safeguards; public exposure of children's contact information through default account settings
Penalty: €405,000,000 — Article 83(5) / Articles 5, 6, 12, 13
Source: Irish Data Protection Commission, September 2022

2023 — TikTok Technology Limited (Ireland)
Unlawful processing of children's personal data; failure to implement data protection by design; inadequate transparency for child users
Penalty: €345,000,000 — Article 83(5) / Articles 5, 6, 12, 13, 14, 25
Source: Irish Data Protection Commission, September 2023


Frequently Asked Questions

Does the 4% global turnover cap apply to the parent company or just the violating entity?

The 4% cap applies to the 'undertaking' — which under EU competition law means the entire enterprise, including parent companies and affiliated entities. For multinational groups, regulators look at the global consolidated turnover of the ultimate parent company, not just the EU subsidiary. This is why Meta's €1.2B fine reflected 4% of Meta Platforms Inc.'s global revenue, not just Meta Ireland's turnover.

Can a company be fined under both Article 83(4) and 83(5) for the same incident?

Yes. GDPR Article 83(3) allows DPAs to impose fines for multiple violations arising from the same processing operation, but caps the total at the maximum applicable under the most severe violation tier. If a single incident violates both Tier 1 and Tier 2 provisions, the DPA can address both but the total fine cannot exceed the Tier 2 cap (€20M or 4%).

How long do GDPR investigations typically take before a fine is issued?

GDPR investigations vary widely. Simple cases can be resolved within 6–12 months. Complex cross-border cases involving large tech companies typically take 2–4 years. The Irish DPC's investigation of Meta's data transfers took over two years and required EDPB binding decisions before the €1.2B fine was issued. The one-stop-shop mechanism under Article 60 adds 4–8 months to cross-border cases.
