GDPR fines continue to rise -- and supervisory authorities are focusing on new priorities. Learn which violations were most frequently sanctioned in 2025/2026, how Art. 83 GDPR is applied in practice and what measures can protect your organisation from severe penalties.
Table of Contents
- GDPR Fines in 2026: Recent Developments and Lessons Learned
- Enforcement Trends: Where Things Are Heading
- Rising Fine Totals
- Supervisory Authority Priorities
- Harmonisation Through the EDPB
- The Most Common Violations: Where Organisations Fail
- Insufficient Legal Basis (Article 6 GDPR)
- Lack of Transparency (Articles 12-14 GDPR)
- Inadequate Technical and Organisational Measures (Article 32 GDPR)
- Infringement of Data Subject Rights (Articles 15-22 GDPR)
- Article 83 GDPR: The Fine Framework in Practice
- Two Tiers of Fines
- Assessment Criteria Under Article 83(2) GDPR
- Recent CJEU Case Law
- Lessons Learned: What Organisations Should Do Now
- Build a Data Protection Management System
- Strengthen the Role of the Data Protection Officer
- Prioritise Technical Measures
- Control Processor Relationships
- Documentation as a Shield
- Looking Ahead: Expected Developments
- Interplay with the AI Act
- Tightening Employee Data Protection
- Conclusion
GDPR Fines in 2026: Recent Developments and Lessons Learned
Since the General Data Protection Regulation (GDPR) became applicable on 25 May 2018, European data protection authorities have imposed fines totalling billions of euros. The trend is clear: sanctions are increasing, supervisory authorities are becoming more professional and enforcement more consistent. For organisations of every size, it is therefore essential to understand the current enforcement trends and to review their own data protection compliance on an ongoing basis. This article analyses the key developments of 2025 and 2026 and identifies the concrete lessons organisations should draw from them.
Enforcement Trends: Where Things Are Heading
Rising Fine Totals
Cumulative GDPR fines across Europe exceeded six billion euros in 2025. Particularly notable is the fact that the spotlight no longer falls solely on technology giants: increasingly, mid-size companies, local authorities and healthcare institutions are coming under scrutiny. The average fine amount has risen by approximately 40 per cent over the past two years.
Supervisory Authority Priorities
European data protection authorities have markedly shifted their focus in recent months:
- Cookie consent and tracking: Unlawful obtaining of consent, particularly through manipulative cookie banners (dark patterns), is one of the most frequent grounds for sanctions
- International data transfers: The adequacy decision for the EU-U.S. Data Privacy Framework covers only certified U.S. recipients; transfers to third countries without an adequacy decision (e.g. China, India) still require appropriate safeguards under Article 46 GDPR, typically Standard Contractual Clauses together with a documented transfer impact assessment, and remain a high-risk area
- AI and automated decisions: As AI systems become more widespread, the transparency obligations under Articles 13, 14 and 22 GDPR are attracting increasing attention
- Data security and notification obligations: Late or incomplete notifications of data breaches under Article 33 GDPR are consistently sanctioned
- Employee data protection: Monitoring of employees through time-recording systems, GPS tracking and video surveillance is leading to growing numbers of fines
Harmonisation Through the EDPB
The European Data Protection Board (EDPB) has established a unified framework with its Guidelines on the Calculation of Fines (Guidelines 04/2022), which national authorities are increasingly applying. These guidelines define a five-step model:
- Step 1: Identification of the processing operations concerned and of whether one or several infringements are at issue (Article 83(3) GDPR)
- Step 2: Determination of a starting amount based on the applicable fine tier, the seriousness of the infringement (low, medium or high) and the undertaking's turnover
- Step 3: Assessment of aggravating and mitigating circumstances (Article 83(2) GDPR)
- Step 4: Identification of the statutory maximum that applies
- Step 5: Review of whether the final amount is effective, dissuasive and proportionate
The Most Common Violations: Where Organisations Fail
Insufficient Legal Basis (Article 6 GDPR)
By far the most frequent ground for fines is the processing of personal data without a valid legal basis. In practice this particularly concerns:
- Consent: The consent does not meet the requirements of Article 4(11) and Article 7 GDPR (not freely given, not specific, not informed, not unambiguous), cannot be demonstrated by the controller, or is obtained through dark patterns
- Legitimate interest: The balancing test required by Article 6(1)(f) GDPR is not performed or insufficiently documented
- Contract performance: Processing is wrongly based on contract performance when it is not necessary for that purpose (e.g. extensive profiling in simple sales contracts)
Lack of Transparency (Articles 12-14 GDPR)
Privacy notices are often incomplete, outdated or unintelligible. Typical deficiencies include:
- Failure to state specific retention periods
- Insufficient information about data recipients
- No identification of the legal basis for each processing purpose
- Privacy policies that are inaccessible or difficult to find
Inadequate Technical and Organisational Measures (Article 32 GDPR)
Data breaches regularly reveal significant deficiencies in security measures:
- Lack of encryption of personal data in transit and at rest
- Inadequate patch management: Known vulnerabilities are not closed promptly
- Poor access controls: Too many staff have access to sensitive data without necessity
- Absence of pseudonymisation in data analytics and test environments
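The last item above is the one most often fixed badly: hashing an e-mail address or IBAN with plain SHA-256 before copying production data into a test system is reversible by dictionary attack, because the input space is small. The following example, added here as an illustration and not code from the original article, shows keyed pseudonymisation with HMAC-SHA256 for a test or analytics export. The field names, sample records and the demo key are constructed; the one assumption is that the real key is held in a secrets store outside the environment that receives the export.

```python
"""Keyed pseudonymisation of direct identifiers before data leaves production.

Added example, not code from the original article. Assumptions: records are
dicts; the pseudonymisation key lives in a secrets store outside the test or
analytics environment (here a constructed constant for demonstration only).
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must not reach test/analytics
# systems in the clear. Everything else is passed through unchanged.
DIRECT_IDENTIFIERS = ("customer_id", "email", "iban")

# Fields not needed downstream at all are dropped (data minimisation).
DROP_FIELDS = ("phone",)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a stable, keyed token for `value`.

    HMAC-SHA256 instead of a plain hash: without the key, the token cannot be
    reversed by enumerating likely inputs. The field name is mixed into the
    message so the same value in two fields yields different tokens, which
    prevents cross-field linkage. Input is normalised so that case or
    whitespace variants of one identifier map to one token (joins still work).
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(key: bytes, record: dict) -> dict:
    out = {}
    for name, value in record.items():
        if name in DROP_FIELDS:
            continue
        if name in DIRECT_IDENTIFIERS and value is not None:
            out[name] = pseudonymise_value(key, name, str(value))
        else:
            out[name] = value
    return out


def pseudonymise_export(key: bytes, records: list) -> list:
    return [pseudonymise_record(key, r) for r in records]


def new_pseudonymisation_key() -> bytes:
    """Generate a fresh 256-bit key. Destroying the key later turns every export
    made with it into effectively anonymous data: no re-identification remains possible."""
    return secrets.token_bytes(32)


# Constructed sample export, not real data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Anna.Example@example.org",
     "iban": "DE00 0000 0000 0000 0000 00", "phone": "+49 30 000000",
     "plan": "premium", "region": "DE"},
    {"customer_id": "C-1002", "email": " anna.example@example.org",
     "iban": "DE00 0000 0000 0000 0000 01", "phone": "+49 30 000001",
     "plan": "basic", "region": "DE"},
]

# Constructed placeholder key. In production the key is fetched from the
# secrets store at export time and is never shipped alongside the export.
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    for row in pseudonymise_export(DEMO_KEY, SAMPLE_RECORDS):
        print(row)
```

Two properties matter for Article 32: the key is the only link back to the individual, so it is stored and access-controlled separately from the export, and rotating or destroying it is a documented decision, because every dataset made under the old key loses its re-identifiability at that moment.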
Infringement of Data Subject Rights (Articles 15-22 GDPR)
Failure to respond in time or in full to access requests (Article 15 GDPR) and erasure requests (Article 17 GDPR) ranks among the most frequently sanctioned violations. Authorities expect:
- Response within one month (extendable by two further months for complex requests)
- Complete disclosure of all processed data
- Comprehensible reasons where an erasure request is refused
- Documentation of the entire handling process
Article 83 GDPR: The Fine Framework in Practice
Two Tiers of Fines
Article 83 GDPR distinguishes two levels of fines. In both tiers the cap is the higher of the fixed amount and the turnover-based amount, calculated on the total worldwide annual turnover of the preceding financial year:
Article 83(4) GDPR (up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher):
- Infringements of the obligations of the controller or processor (Articles 8, 11, 25 to 39, 42 and 43 GDPR)
- Infringements of the obligations of certification bodies (Articles 42 and 43 GDPR)
- Infringements of the obligations of the monitoring body (Article 41(4) GDPR)
Article 83(5) GDPR (up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher):
- Infringements of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9 GDPR)
- Infringements of data subjects' rights (Articles 12-22 GDPR)
- Infringements of the provisions on international transfers (Articles 44-49 GDPR)
- Non-compliance with orders or limitations imposed by the supervisory authority (Article 58(2) GDPR)
Assessment Criteria Under Article 83(2) GDPR
When determining the specific fine, authorities take into account in particular:
- Nature, gravity and duration of the infringement
- Whether the infringement was intentional or negligent
- Measures taken to mitigate the damage
- Degree of responsibility taking into account the technical and organisational measures implemented
- Previous infringements by the controller
- Degree of cooperation with the supervisory authority
- Categories of personal data concerned (special category data under Article 9 GDPR carries greater weight)
- Whether the infringement was notified to the authority
Recent CJEU Case Law
The Court of Justice of the European Union has clarified the fining practice in several rulings:
- CJEU C-807/21 (Deutsche Wohnen): A fine may be imposed directly on a legal person without attributing the infringement to an identified natural person, but only where the infringement was committed intentionally or negligently; the term "undertaking" follows its competition-law meaning, so the turnover-based maximum is calculated on the economic unit, i.e. the whole group
- CJEU C-683/21 (Nacionalinis visuomenės sveikatos centras): A fine likewise requires intentional or negligent conduct, and a controller may be fined for unlawful processing carried out on its behalf by a processor, unless the processor acted outside the controller's instructions
- CJEU C-768/21 (Land Hessen): Supervisory authorities have discretion and are not obliged to impose a fine for every infringement; they may refrain where corrective measures are not necessary to remedy the shortcoming
Lessons Learned: What Organisations Should Do Now
Build a Data Protection Management System
A systematic approach is indispensable. Organisations should implement a data protection management system (DPMS) comprising the following elements:
- Records of processing activities (Article 30 GDPR): complete, current and regularly reviewed
- Data protection impact assessments (Article 35 GDPR): conducted and documented for all high-risk processing
- Deletion concept: Defined retention periods for all data categories with automated deletion routines
- Incident response plan: Clear processes for detecting, assessing and documenting data breaches, notifying the supervisory authority within 72 hours of becoming aware (Article 33 GDPR) and, where the risk to individuals is high, informing the affected data subjects (Article 34 GDPR)
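The deletion concept listed above only works if it is executable: every data category needs a defined retention period and a routine that applies it, with exceptions (legal holds) and an audit trail the accountability record can point to. The following example, added here as an illustration and not the article's or any vendor's code, shows such a retention-driven deletion run. The retention schedule, the record format and the sample store are constructed; the real periods come from the statutory obligations documented in the records of processing.

```python
"""Retention-driven deletion run for a deletion concept.

Added example, not code from the original article. Assumptions (constructed):
the retention schedule below, and records as dicts carrying an id, a category,
the date on which the retention clock started and an optional legal hold flag.
"""
from datetime import date, timedelta

# Constructed retention schedule: category -> days after the triggering event
# (contract end, last activity, recruitment decision, consent withdrawal).
RETENTION_DAYS = {
    "invoice": 10 * 365,   # commercial / tax retention obligations
    "applicant": 180,      # rejected applicants, after the decision
    "web_log": 30,         # server logs kept for security purposes only
    "newsletter": 0,       # erase immediately once consent is withdrawn
}


def retention_expiry(record: dict) -> date:
    """Date from which the record is due for erasure."""
    category = record["category"]
    if category not in RETENTION_DAYS:
        # Fail closed: data with no defined retention period is itself a finding
        # under Art. 5(1)(e) GDPR, so surface it instead of guessing a period.
        raise KeyError(f"no retention period defined for category {category!r}")
    return record["trigger_date"] + timedelta(days=RETENTION_DAYS[category])


def select_for_erasure(records: list, today: date) -> tuple:
    """Split records into (to_erase, held, retained).

    A record is expired once its expiry date has been reached. Records under a
    legal hold (pending litigation, an open supervisory-authority inquiry) are
    excluded even when expired; the hold itself must be documented and reviewed.
    """
    to_erase, held, retained = [], [], []
    for r in records:
        if retention_expiry(r) > today:
            retained.append(r)
        elif r.get("legal_hold"):
            held.append(r)
        else:
            to_erase.append(r)
    return to_erase, held, retained


def run_deletion(records: list, today: date) -> dict:
    """Perform the run and return the remaining store plus an audit entry for the
    accountability record (Art. 5(2) GDPR): what was erased, why, and when.
    The audit entry carries only record identifiers and categories, never the
    personal data itself, otherwise the log would defeat the erasure."""
    to_erase, held, retained = select_for_erasure(records, today)
    audit = {
        "run_date": today.isoformat(),
        "erased": [(r["id"], r["category"]) for r in to_erase],
        "held": [r["id"] for r in held],
        "retained_count": len(retained),
    }
    return {"remaining": held + retained, "audit": audit}


# Constructed sample data store, not real data.
SAMPLE_STORE = [
    {"id": "inv-1", "category": "invoice", "trigger_date": date(2014, 3, 1)},
    {"id": "inv-2", "category": "invoice", "trigger_date": date(2020, 3, 1)},
    {"id": "app-7", "category": "applicant", "trigger_date": date(2025, 6, 1)},
    {"id": "app-8", "category": "applicant", "trigger_date": date(2025, 6, 1),
     "legal_hold": True},
    {"id": "log-3", "category": "web_log", "trigger_date": date(2026, 1, 2)},
]


def demo_run() -> dict:
    """Run the deletion job against the constructed store as of 1 February 2026."""
    return run_deletion(SAMPLE_STORE, date(2026, 2, 1))


if __name__ == "__main__":
    print(demo_run()["audit"])
```

In a real system the erasure step also has to reach backups, analytics copies and processors (Article 28(3)(g) GDPR requires the processor to delete or return the data at the end of the service), and the audit entry is what you hand to the supervisory authority when asked how retention is enforced.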
Strengthen the Role of the Data Protection Officer
The Data Protection Officer (DPO) is the backbone of data protection compliance. Organisations should ensure that:
- The DPO has adequate resources and expertise
- The DPO is involved early in all data-protection-relevant decisions
- The DPO can act independently and is free from conflicts of interest
- Regular training is provided for the DPO and the wider data protection team
Prioritise Technical Measures
Authorities expect a state of the art commensurate with the risk:
- Encryption of all personal data in transit (current TLS versions, e.g. TLS 1.3) and at rest (e.g. AES-256), with keys managed separately from the encrypted data
- Multi-factor authentication for all access to systems holding personal data
- Regular penetration testing and vulnerability assessments
- Zero-trust architecture based on the principle of least privilege
- Automated detection of data breaches and anomalies
Control Processor Relationships
The transfer of data to processors (Article 28 GDPR) is a frequent weak point:
- Data processing agreements must be complete and up to date
- Regular audits of processors must be conducted
- Sub-processors must be known and approved
- International data transfers by processors must be safeguarded by appropriate mechanisms (Standard Contractual Clauses, Binding Corporate Rules) and, for countries without an adequacy decision, backed by a documented transfer impact assessment
Documentation as a Shield
The accountability principle under Article 5(2) GDPR requires organisations to demonstrate compliance with all data protection principles. Comprehensive documentation includes:
- Documentation of all balancing tests where processing is based on Article 6(1)(f) GDPR
- Proof of consent including the timestamp, the exact wording and version of the consent request shown, and how withdrawal was offered (Article 7(1) and (3) GDPR)
- Records of all data subject requests and their handling
- Documentation of risk analyses and the measures derived from them
- Evidence of staff training (participants, content, date)
Looking Ahead: Expected Developments
Interplay with the AI Act
The EU AI Act (Regulation (EU) 2024/1689) adds a further dimension to data protection compliance; it applies in stages, with most obligations for high-risk AI systems applying from August 2026. High-risk AI systems are subject to strict requirements regarding transparency, data quality and human oversight. Organisations deploying AI systems that process personal data must comply with both the GDPR and the AI Act -- a dual compliance challenge.
Tightening Employee Data Protection
A dedicated employee data protection act has been discussed in Germany for years. Regardless of the legislative process, supervisory authorities are already intensifying their scrutiny of employee data protection. Key areas include the permissibility of workplace video surveillance, GPS tracking of company vehicles and the analysis of email and internet usage.
Conclusion
The GDPR fines of 2026 demonstrate clearly that data protection is no paper tiger but a domain carrying significant financial and reputational risk. Supervisory authorities have become more professional and more assertive. At the same time, proactive data protection compliance offers considerable opportunities -- as a competitive advantage, a trust anchor for customers and business partners, and a shield against costly sanctions. The compleneo team supports you in establishing and optimising your data protection management system, conducting data protection audits and representing you before supervisory authorities -- so that you remain on the safe side when it comes to data protection.