GDPR Tier 2 Fines: Article 83(5) Maximum Penalties Explained

Last updated: 2026-04-07 — ComplianceStack Editorial Team

GDPR Article 83(5) establishes the highest penalty tier in the EU's data protection framework: up to €20,000,000 or, for an undertaking, 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. For an undertaking with €10B in global turnover, 4% is €400M; the turnover figure overtakes the €20M floor for any undertaking with turnover above €500M. Tier 2 covers the most serious infringements: the basic processing principles (Article 5), lawful basis (Article 6), conditions for consent (Article 7), special category data (Article 9), data subject rights (Articles 12–22) and international transfers (Articles 44–49). Article 83(5)(d) and (e) add two further triggers that this page does not treat in detail: obligations under Member State law adopted under Chapter IX, and non-compliance with a supervisory authority order under Article 58(2). The €1.2B Meta fine, the largest GDPR penalty to date, was a Tier 2 finding for unlawful transfers of EU user data to the United States.

Regulatory Authority: GDPR Article 83(5); Articles 5, 6, 7, 9, 12–22, 44–49 (triggering provisions); EDPB Guidelines 04/2022 on calculation of administrative fines; CJEU Schrems II (C-311/18, 2020)

Penalty Tier Breakdown

Core Principles Violations (Article 5)

Up to €20,000,000 or 4% of global annual turnover
Scope: Assessed per infringement; principles breaches commonly cover several subsections of Article 5(1) at once

Article 5(1) sets six principles: (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality. Article 5(2) adds accountability: the controller must be able to demonstrate compliance with the six. Violating any of them, whether by collecting more data than the purpose requires, retaining data beyond its stated purpose, failing to keep data accurate, or processing without transparency, triggers Tier 2 exposure. Article 5 findings are the most frequently cited in DPA decisions and are commonly bundled with other Tier 2 findings, because an unlawful basis under Article 6 or an unlawful transfer under Chapter V is usually also a breach of Article 5(1)(a).

Example: A retail loyalty program collects purchase history, location data, and inferred lifestyle preferences. Investigation finds the company retains data for 10 years with no stated purpose justification and shares it with 200+ advertising partners never disclosed in the privacy notice. The DPA finds violations of Articles 5(1)(a), (b), (c), and (e) — transparency, purpose limitation, data minimisation, and storage limitation — resulting in a €15M fine.

Lawful Basis and Consent Failures (Articles 6, 7, 9)

Up to €20,000,000 or 4% of global annual turnover
Scope: Assessed per processing activity lacking a valid lawful basis; typically found alongside Article 5 infringements

Processing personal data without a valid lawful basis under Article 6 is the fundamental GDPR violation. Where processing relies on consent, Article 7 and the Article 4(11) definition require consent that is freely given, specific, informed and unambiguous. Pre-ticked boxes and consent bundled with unrelated terms are invalid, and making a service conditional on consent to processing that is not necessary for that service weighs heavily against the consent being freely given (Article 7(4)). Special categories under Article 9 (health, genetic and biometric data used for unique identification, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation) are prohibited from processing unless explicit consent or one of the Article 9(2) exceptions applies. Invalid consent or an invalid lawful basis affecting millions of users has produced eight- and nine-figure fines, as the enforcement actions below show.

Example: A social media platform relies on contractual necessity (Article 6(1)(b)) as the lawful basis for behavioral advertising, processing users' detailed behavioral profiles to serve targeted ads on the theory that personalised advertising is part of the service the user signed up for, without offering a way to use the service without it. The DPC, acting on an EDPB binding decision, finds that behavioral advertising is not objectively necessary to perform the user contract, so Article 6(1)(b) cannot support it, and imposes €390M in fines for unlawful processing.

Data Subject Rights Violations (Articles 12–22)

Up to €20,000,000 or 4% of global annual turnover
Scope: Assessed per right affected; systemic failures across many data subjects aggravate the finding

GDPR grants data subjects eight rights: information (Articles 13–14), access (Article 15), rectification (Article 16), erasure (Article 17, the right to be forgotten), restriction (Article 18), data portability (Article 20), objection (Article 21) and the right not to be subject to solely automated decisions with legal or similarly significant effects (Article 22). Article 12(3) requires a response without undue delay and at the latest within one month of receipt, extendable by two further months only for complex or numerous requests, and only if the data subject is told about the extension within the first month. Systematically missing that deadline, denying erasure requests without a valid Article 17(3) ground, or refusing portability triggers Tier 2 liability, especially when the failure affects large numbers of users.

Example: A streaming service receives 47,000 data subject access requests over 18 months. Investigation reveals the company's legal team rejected 62% of requests on spurious disproportionate effort grounds. The DPA finds systematic violation of Article 15 rights and imposes an €8.5M fine.

International Data Transfer Violations (Articles 44–49)

Up to €20,000,000 or 4% of global annual turnover
Scope: Assessed per transfer mechanism found invalid; covers every flow of EU personal data to a country without an adequacy decision

Transferring EU personal data to a country outside the EEA without a valid Chapter V mechanism is a core GDPR violation. Valid mechanisms are: an EU adequacy decision (the UK, Canada's commercial sector, Japan and others, plus US organisations certified under the 2023 EU-US Data Privacy Framework), Standard Contractual Clauses (the 2021 set, which replaced the older clauses), Binding Corporate Rules, or one of the narrow Article 49 derogations. The CJEU's Schrems II ruling in 2020 invalidated the EU-US Privacy Shield and held that SCCs alone do not suffice where the destination country's law undermines them; the exporter must assess that law and add supplementary measures where needed. Meta's €1.2B fine, the largest on record, concerned transfers that continued under SCCs after that ruling without measures the DPC found adequate against US surveillance access. Even with the 2021 SCCs, exporters must document a Transfer Impact Assessment of the destination country's legal framework.

Example: A company keeps routing EU users' data to US servers under SCCs after Schrems II, relying on supplementary measures that the DPA finds do not address the risk of US government access identified by the CJEU. The lead DPA orders suspension of the transfers within five months, requires the already-transferred data to be brought into compliance within six months, and imposes a €1.2B fine, by far the largest GDPR penalty on record.

How Penalties Are Calculated

Article 83(2) requires supervisory authorities to give due regard to eleven factors when setting a fine: (a) nature, gravity and duration; (b) intentional or negligent character; (c) action taken to mitigate damage; (d) degree of responsibility in light of the technical and organisational measures in place; (e) relevant previous infringements; (f) cooperation with the supervisory authority; (g) categories of data affected; (h) how the infringement became known, including whether the controller self-reported; (i) compliance with earlier Article 58(2) orders on the same subject; (j) adherence to approved codes of conduct or certification; (k) any other aggravating or mitigating factor, such as financial benefit gained or loss avoided. Article 83(3) adds that where the same or linked processing operations breach several provisions, the total fine may not exceed the amount for the gravest infringement. For any undertaking with worldwide turnover above €500M, 4% exceeds €20M, so turnover is the binding ceiling for every large company. The undertaking concept is borrowed from EU competition law, so the 4% is taken from the worldwide turnover of the whole economic unit, parent and subsidiaries included, not just the EU entity named in the decision. EDPB Guidelines 04/2022 set out the harmonised methodology DPAs apply to get from these factors to a figure.

Recent Enforcement Actions

2023 — Meta Platforms Ireland Limited (Irish DPC)
Continued transferring EU Facebook users' personal data to Meta's US servers under Standard Contractual Clauses that the DPC, following an EDPB binding decision under Article 65, found did not address the risks to data subjects identified in Schrems II, infringing Article 46(1)
Penalty: €1,200,000,000 — the largest GDPR fine issued to date. Plus an order to suspend transfers to the US within five months and to bring the processing, including storage of already-transferred data, into compliance within six months.
Source: Irish Data Protection Commission Decision, 12 May 2023
2021 — Amazon Europe Core S.à r.l. (Luxembourg CNPD)
Processing of personal data for advertising targeting did not comply with GDPR: the consent mechanism relied on was invalid and the information given about behavioral advertising was insufficient
Penalty: €746,000,000 — the second-largest GDPR fine. Amazon appealed; in March 2025 the Luxembourg Administrative Tribunal upheld the fine in full.
Source: Luxembourg CNPD Decision, July 2021
2024 — LinkedIn Ireland Unlimited Company (Irish DPC)
Behavioral analysis and targeted advertising of members, including member data obtained from third parties, lacked a valid lawful basis: none of consent, contract or legitimate interests as relied on by LinkedIn was upheld, and members were not given adequate transparency about the processing
Penalty: €310,000,000 — Article 6 unlawful processing together with Article 5(1)(a), 13 and 14 transparency and fairness infringements. Ordered to bring the processing into compliance.
Source: Irish DPC Decision, October 2024
2024 — Uber Technologies Inc. / Uber B.V. (Dutch DPA)
Transferred European taxi drivers' personal data — including geolocation, photos, payment details, identity documents and in some cases criminal and medical data — to Uber's US headquarters for over two years without any Chapter V safeguard, after Privacy Shield had been invalidated and Uber had stopped using SCCs
Penalty: €290,000,000 — Article 44 international transfer violation. The Dutch DPA acted as lead supervisory authority because Uber's European establishment is in the Netherlands; Uber has appealed.
Source: Dutch Data Protection Authority (AP) Decision, August 2024


Frequently Asked Questions

What is the difference between GDPR Tier 1 (Article 83(4)) and Tier 2 (Article 83(5)) violations?

Tier 1 (Article 83(4)) applies to the controller and processor obligations in Articles 8, 11, 25–39, 42 and 43: DPIA failures, DPO violations, breach notification delays, records of processing, security measures and the like, with a maximum of €10M or 2% of worldwide turnover. Tier 2 (Article 83(5)) applies to the substantive provisions: the Article 5 principles, lawful basis and consent, special category data, data subject rights, international transfers, and non-compliance with a supervisory authority order, with a maximum of €20M or 4% of worldwide turnover. Many serious enforcement cases involve both tiers at once, and under Article 83(3) the total for linked processing operations is capped at the amount for the gravest infringement. The highest-profile fines, Meta, Amazon and LinkedIn among them, have been predominantly Tier 2 findings.

How do DPAs calculate fines for companies with billions in global turnover?

The 4% calculation applies to the total worldwide annual turnover of the preceding financial year for the undertaking, the entire economic unit in the competition law sense, including parent companies and subsidiaries. For Meta, the relevant turnover was that of Meta Platforms, Inc. as a whole (roughly $117B in 2022), which put the ceiling near $4.7B; the €1.2B fine was set well below that ceiling on the Article 83(2) factors. EDPB Guidelines 04/2022 set out a five-step methodology: (1) identify the processing operations and infringements concerned and apply Article 83(3) where they are linked; (2) set a starting point by classifying the infringement under Article 83(4) or (5), rating its seriousness as low, medium or high, and adjusting for the size of the undertaking; (3) adjust up or down for the aggravating and mitigating circumstances in Article 83(2); (4) apply the €10M/€20M or 2%/4% legal maximum as a ceiling; (5) check that the result is effective, proportionate and dissuasive, and correct it if not. For large technology companies the ceiling is a percentage of worldwide turnover, not a multiple of any specific loss, which is why the figures run to nine digits.
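As a worked example of the calculation described in this answer and in the "How Penalties Are Calculated" section above, the following Python sketch carries the methodology through for a few undertakings. It is added here and is not code from ComplianceStack or the EDPB. The caps are the Article 83(4) and (5) figures quoted on this page. The seriousness bands (0 to 10%, 10 to 20%, 20 to 100% of the legal maximum) and the turnover-based adjustment ranges are assumed from Step 2 of Guidelines 04/2022 and should be checked against the guideline text before being relied on; the `position` and `adjustment` parameters are simplifying assumptions of this example so that the arithmetic is deterministic, not anything the guidelines prescribe.

```python
"""Sketch of the EDPB Guidelines 04/2022 fine methodology (added example).

Assumptions, labelled as such: the seriousness and turnover bands are as
recalled from Step 2 of the guidelines; `position` places a case inside a
band (0.5 = midpoint); `adjustment` stands in for the net effect of the
Article 83(2) aggravating and mitigating factors (Step 3). Step 1 (which
infringements, Article 83(3) linkage) and Step 5 (effective, proportionate,
dissuasive) are judgement calls and are not modelled.
"""

# Article 83(4) and 83(5): static amount in EUR and share of worldwide turnover
STATIC_MAX_EUR = {4: 10_000_000, 5: 20_000_000}
TURNOVER_RATE = {4: 0.02, 5: 0.04}

# Step 2 (assumed bands): seriousness -> share of the legal maximum
SERIOUSNESS_SHARE = {"low": (0.00, 0.10), "medium": (0.10, 0.20), "high": (0.20, 1.00)}

# Step 2 (assumed bands): undertaking turnover -> share of the starting amount kept
# (upper turnover bound in EUR, (low share, high share))
TURNOVER_SHARE = [
    (2_000_000, (0.002, 0.004)),
    (10_000_000, (0.004, 0.02)),
    (50_000_000, (0.02, 0.10)),
    (100_000_000, (0.10, 0.20)),
    (250_000_000, (0.20, 0.50)),
    (float("inf"), (0.50, 1.00)),
]


def legal_maximum(tier: int, turnover_eur: float) -> float:
    """Step 4 ceiling: the higher of the static amount and the turnover share.
    The two coincide at exactly EUR 500M turnover for both tiers."""
    return max(STATIC_MAX_EUR[tier], TURNOVER_RATE[tier] * turnover_eur)


def _pick(band: tuple, position: float) -> float:
    """Linear interpolation inside a (low, high) band; position in [0, 1]."""
    lo, hi = band
    if not 0.0 <= position <= 1.0:
        raise ValueError("position must be between 0 and 1")
    return lo + (hi - lo) * position


def starting_amount(tier: int, turnover_eur: float, seriousness: str,
                    position: float = 0.5) -> float:
    """Step 2: seriousness share of the legal maximum, then scaled by the
    size of the undertaking so a small company is not started at tens of millions."""
    base = legal_maximum(tier, turnover_eur) * _pick(SERIOUSNESS_SHARE[seriousness], position)
    size_band = next(share for bound, share in TURNOVER_SHARE if turnover_eur <= bound)
    return base * _pick(size_band, position)


def compute_fine(tier: int, turnover_eur: float, seriousness: str,
                 adjustment: float = 1.0, position: float = 0.5) -> dict:
    """Steps 2 to 4. `adjustment` is the assumed net Article 83(2) multiplier
    (e.g. 0.75 for a cooperative self-reporter, 1.5 for a repeat infringer);
    the legal maximum is applied last as a hard ceiling."""
    start = starting_amount(tier, turnover_eur, seriousness, position)
    adjusted = start * adjustment
    cap = legal_maximum(tier, turnover_eur)
    return {
        "starting": start,
        "adjusted": adjusted,
        "cap": cap,
        "fine": min(adjusted, cap),
        "cap_binding": adjusted > cap,
    }


if __name__ == "__main__":
    # Constructed inputs: a EUR 10B group with a high-seriousness transfer
    # infringement and aggravating factors, versus a EUR 1M company with a
    # low-seriousness consent defect.
    for label, args in [("large group", (5, 10_000_000_000, "high", 3.0)),
                        ("small company", (5, 1_000_000, "low"))]:
        r = compute_fine(*args)
        print(f"{label}: start {r['starting']:,.0f}  adjusted {r['adjusted']:,.0f}  "
              f"cap {r['cap']:,.0f}  fine {r['fine']:,.0f}  cap binding: {r['cap_binding']}")
```

Two things the numbers make visible that the prose does not: the turnover ceiling and the €20M floor cross at exactly €500M of worldwide turnover, so below that size the static figure is the cap and above it the percentage is; and because Step 2 scales the starting point by undertaking size, a €1M company with a low-seriousness infringement starts in the low thousands of euros even though its nominal ceiling is €20M, while a €10B group with aggravating factors hits the 4% ceiling and is clipped there.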

Can a company reduce a GDPR Tier 2 fine through early cooperation or remediation?

Yes. Action taken to mitigate the damage (Article 83(2)(c)), the degree of cooperation with the supervisory authority (Article 83(2)(f)) and the manner in which the infringement became known, including self-reporting (Article 83(2)(h)), are all mitigating factors that DPAs weigh in Step 3 of the EDPB methodology. Self-reporting, implementing corrective measures promptly, cooperating fully with the inquiry and giving the DPA access to the relevant systems and records have all been credited in published decisions; the size of the reduction is case-specific and is not fixed by the Regulation or the guidelines. Conversely, prolonged litigation over the DPA's jurisdiction, appeals used to delay compliance, and failure to implement ordered remediation within the deadline set in the decision can be treated as aggravating and can lead to follow-on enforcement, including fresh fines for non-compliance with the order itself, which is a Tier 2 infringement under Article 83(5)(e).
