European Union
How much can a company be fined for a serious GDPR violation?
A company can be fined up to €20 million or 4% of its global annual turnover — whichever is higher — for a serious GDPR violation.
What the Law Says
The General Data Protection Regulation (GDPR) sets out two tiers of administrative fines, depending on the nature and severity of the infringement. Serious violations fall under the higher tier.
Under Article 83(5) of the GDPR, infringements of certain core provisions — including data processing principles, legal bases for processing, data subjects’ rights, and international transfers — are subject to the highest level of fines.
The fine must be 'effective, proportionate and dissuasive' and takes into account factors like the nature, gravity and duration of the breach; intent or negligence; actions taken to mitigate damage; and previous violations.
Importantly, the regulation specifies that the maximum amount is the greater of €20 million or 4% of the company’s total worldwide annual turnover in the preceding financial year.
Statutory Text: "infringements of the following provisions shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
— Regulation (EU) 2016/679, Art. 83(5) — General conditions for imposing administrative fines
Statutory Text: "the fine shall be imposed in addition to other corrective powers referred to in Article 58"
— Regulation (EU) 2016/679, Art. 83(1) — General conditions for imposing administrative fines
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.