GDPR Fine Estimator

EU data protection calculator • 2026 edition

GDPR Fine Formula:

\( FF = \min(AM, \max(G1, G2)) \times VF \times SF \times (1 + RF) \)

Where:

  • \( FF \) = Fine Amount
  • \( AM \) = Annual Revenue of Organization
  • \( G1 \) = First Tier Maximum (€10M or 2% of revenue)
  • \( G2 \) = Second Tier Maximum (€20M or 4% of revenue)
  • \( VF \) = Violation Factor (severity multiplier)
  • \( SF \) = Size Factor (organization size adjustment)
  • \( RF \) = Repeat Offense Factor (additional multiplier)

This formula estimates GDPR fines from organization size, violation severity, and regulatory history. The base amount is capped at the lower of the organization's annual revenue and the applicable tier maximum (the fixed amount or the percentage of revenue, whichever is higher).

Example: For a company with \( AM = €50M \) annual revenue violating Article 5 (Article 83(4)), with a severity factor of 0.8 and no repeat offenses:

\( FF = \min(50M, \max(10M, 20M)) \times 0.8 \times 1.0 \times (1 + 0) = 20M \times 0.8 = €16M \)

Thus, the estimated fine would be €16,000,000.

Organization Details: the calculator offers four severity levels: Low (Minor), Medium (Moderate), High (Severe), Critical (Major).

Fine Estimate for the calculator's default inputs (Annual Revenue €10,000,000; Violation Type Article 5; Severity Factor Medium; Size Adjustment Large; Repeat Offense No): Estimated Fine Amount €1,000,000; Tier 1 Maximum €10,000,000; Tier 2 Maximum €20,000,000; Revenue-Based Limit €2,000,000.

GDPR Fine Framework

What are GDPR Fines?

GDPR fines are administrative penalties imposed by EU supervisory authorities for violations of the General Data Protection Regulation. Articles 83 and 84 specify two tiers of fines based on violation severity. Fines are calculated as either a percentage of annual global turnover or a fixed amount, whichever is higher.

GDPR Fine Tiers

  1. First Tier: Up to €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Applies to violations of data processing principles, records obligations, and DPO appointment requirements.
  2. Second Tier: Up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Applies to violations of consent conditions, data subject rights, and international transfer restrictions.

Factors Influencing Fines

Supervisory authorities consider multiple factors when determining GDPR fines:

  • Nature of Violation: Severity and scope of the breach
  • Degree of Responsibility: Intentional or negligent conduct
  • Duration of Violation: How long the violation persisted
  • Measures Taken: Actions to mitigate damage
  • Previous Violations: History of non-compliance
  • Cooperation Level: Engagement with supervisory authorities

Notable GDPR Cases
  • Google (2019): €50M fine by French CNIL for lack of valid consent for ad personalization
  • British Airways (2020): £20M fine for data breach affecting 400,000 customers
  • H&M (2020): €35.3M fine for extensive employee monitoring
  • Amazon (2021): €746M fine for processing personal data without valid consent
  • Meta/Facebook (2022): €265M fine for data breach affecting 533M users

GDPR Framework

GDPR Violation Definition

Failure to comply with General Data Protection Regulation requirements.

Fine Formula

\(FF = \min(AM, \max(G1, G2)) \times VF \times SF \times (1 + RF)\)

Where FF=fine amount, AM=annual revenue, G1=first tier max, G2=second tier max, VF=violation factor, SF=size factor, RF=repeat offense factor.

Key GDPR Rules:
  • First tier: Up to €10M or 2% of revenue
  • Second tier: Up to €20M or 4% of revenue
  • Whichever is higher applies

Assessment Methods

Violation Categories

Two-tier system based on severity and impact of the violation.

Assessment Steps

  1. Determine violation type and tier
  2. Assess organizational revenue
  3. Evaluate severity factors
  4. Apply mitigating factors

Considerations:
  • Fines must be effective, proportionate and dissuasive
  • Must consider organization's ability to pay
  • Previous violations affect penalty

GDPR Fine Learning Quiz

Question 1: Multiple Choice - Understanding GDPR Fine Tiers

According to GDPR Article 83, what is the maximum fine for violations of consent conditions under the second tier?

Solution:

The answer is B) €20 million or 4% of annual revenue. Under GDPR Article 83(4), violations of consent conditions fall under the second tier of administrative fines. The second tier allows for fines up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Pedagogical Explanation:

The two-tier system in GDPR reflects the severity of different types of violations. The first tier (Article 83(4)) covers less severe violations and allows fines up to €10M or 2% of revenue. The second tier (Article 83(5)) covers more serious violations including consent conditions, data subject rights, and international transfers, allowing higher penalties.

Key Definitions:

GDPR Article 83: Specifies administrative fine framework

First Tier: Less severe violations (€10M or 2% of revenue)

Second Tier: More severe violations (€20M or 4% of revenue)

Important Rules:

• Fines are based on either fixed amount OR percentage of revenue

• Whichever is higher applies

• Second tier covers consent and rights violations

Tips & Tricks:

• Remember: 2nd tier = higher penalties (€20M or 4%)

• Consent violations are always 2nd tier

• Use whichever calculation yields higher fine

Common Mistakes:

• Confusing first tier (€10M) with second tier (€20M)

• Forgetting that percentage is applied to annual revenue

• Not understanding which violations fall under each tier

Question 2: GDPR Fine Formula Application

Calculate the GDPR fine for a company with €50 million annual revenue that violated Article 5 (second tier) with high severity (factor 0.8), large organization size (factor 1.0), and no repeat offenses. Show your work.

Solution:

Using the GDPR fine formula: \(FF = \min(AM, \max(G1, G2)) \times VF \times SF \times (1 + RF)\)

Given:

  • AM = €50,000,000
  • G1 = €10,000,000 (first tier max)
  • G2 = €20,000,000 (second tier max)
  • VF = 0.8 (high severity)
  • SF = 1.0 (large org)
  • RF = 0 (no repeat)

Step 1: Calculate max fine = min(€50M, max(€10M, €20M)) = min(€50M, €20M) = €20,000,000

Step 2: Apply factors = €20,000,000 × 0.8 × 1.0 × (1 + 0) = €16,000,000

Pedagogical Explanation:

This calculation demonstrates how the revenue-based limitation works. Even though the company has €50M revenue, the second tier maximum of €20M becomes the ceiling for the calculation. The severity factor then scales this maximum down to €16M.

Key Definitions:

Annual Revenue (AM): Total global turnover from previous year

Violation Factor (VF): Multiplier based on severity of violation

Size Factor (SF): Adjustment based on organization size

Important Rules:

• Always use the higher of fixed amount or percentage

• Revenue is from the preceding financial year

• Apply factors sequentially after determining base maximum

Tips & Tricks:

• Work with base maximum first, then apply factors

• Convert percentages to decimals for calculations

• Verify the minimum/maximum logic

Common Mistakes:

• Forgetting to take the minimum of revenue vs. fixed maximum

• Applying factors before determining the base maximum

• Confusing which tier applies to which violations

Question 3: Word Problem - Revenue-Based Limitations

A tech startup with €5 million annual revenue violates GDPR Article 83(5) (second tier) with critical severity (factor 0.95). The violation affects data of 100,000 individuals across 5 EU countries. Calculate the maximum possible fine considering the revenue-based limitation.

Solution:

Step 1: Determine the base maximum fine

For second tier violations: min(€5M, max(€20M, 4% of €5M))

4% of €5M = €200,000

Max = min(€5M, max(€20M, €200K)) = min(€5M, €20M) = €5,000,000

(Note: Revenue limitation applies here since €5M < €20M)

Step 2: Apply severity factor = €5,000,000 × 0.95 = €4,750,000

Therefore, the maximum possible fine is €4,750,000.

Pedagogical Explanation:

This example highlights the revenue-based limitation. For smaller organizations, the absolute maximum may be lower than the fixed maximum due to their annual revenue. The 4% of revenue calculation also plays a role but is overridden by the absolute maximum in this case.

Key Definitions:

Revenue-Based Limitation: Fines cannot exceed organization's annual revenue

Absolute Maximum: Fixed ceiling regardless of revenue

Percentage Maximum: Calculated based on annual revenue

Important Rules:

• Fine cannot exceed annual revenue

• Apply the minimum of revenue vs. absolute maximum

• Percentage calculation is additional consideration

Tips & Tricks:

• Always calculate both absolute and percentage maximums

• Take the minimum of revenue and absolute maximum

• Apply severity factors to the final maximum

Common Mistakes:

• Not considering the revenue-based limitation

• Forgetting to apply the minimum function

• Confusing which maximum applies in different scenarios

Question 4: Application-Based Problem - Mitigating Factors

A multinational corporation with €500 million annual revenue faces a GDPR violation under Article 32 (second tier). The initial calculation yields a fine of €40 million, but the company demonstrated excellent cooperation with authorities (15% reduction) and implemented immediate corrective measures (10% reduction). Calculate the adjusted fine considering these mitigating factors.

Solution:

Step 1: Calculate initial fine based on maximum

For second tier: min(€500M, max(€20M, 4% of €500M))

4% of €500M = €20,000,000

Max = min(€500M, max(€20M, €20M)) = min(€500M, €20M) = €20,000,000

(Initial fine cannot exceed €20M, not €40M as stated in problem)

Step 2: Apply mitigating factors

Cooperation reduction: 15%

Corrective measures reduction: 10%

Total reduction: 15% + 10% = 25%

Adjusted fine: €20,000,000 × (1 - 0.25) = €15,000,000

Pedagogical Explanation:

This example demonstrates how mitigating factors can significantly reduce GDPR fines. Cooperation with authorities and prompt corrective action are specifically mentioned in Article 83 as factors that may lead to reduced penalties. Organizations should document their cooperative efforts.

Key Definitions:

Mitigating Factors: Circumstances that may reduce penalty amounts

Cooperation: Working with supervisory authorities during investigation

Corrective Measures: Immediate steps to address violations

Important Rules:

• Mitigating factors can reduce but not eliminate fines

• Must be documented and verifiable

• Supervisory authority has discretion in application

Tips & Tricks:

• Maintain detailed documentation of cooperative efforts

• Implement corrective measures immediately

• Engage with authorities proactively

Common Mistakes:

• Assuming mitigation can eliminate fines entirely

• Not properly documenting cooperative efforts

• Delaying corrective measures after violation discovery
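The estimator formula from the top of the page, carried through the cases of Questions 2, 3 and 4, as an added Python example that is not the page's own calculator code. It uses the tier ceiling the quiz solutions apply (fixed amount or percentage of revenue, whichever is higher), the revenue cap, and the additive percentage reductions of Question 4; the function names, the `tier` argument and the `reductions` handling are assumptions made for this example.

```python
# Added example implementing the page's estimator formula
#   FF = min(AM, max(G1, G2)) * VF * SF * (1 + RF)
# The tier ceiling follows the quiz solutions: fixed amount or percentage of
# annual revenue, whichever is higher (G1 = EUR 10M / 2%, G2 = EUR 20M / 4%).
# Function names, the 'tier' argument and the 'reductions' handling are
# assumptions for this example, not the page's own calculator code.

TIER_CEILINGS = {1: (10_000_000, 0.02), 2: (20_000_000, 0.04)}


def tier_maximum(annual_revenue: float, tier: int) -> float:
    """Ceiling for the tier: fixed amount or % of revenue, whichever is higher."""
    fixed, pct = TIER_CEILINGS[tier]  # KeyError for anything but tier 1 or 2
    return max(fixed, pct * annual_revenue)


def estimate_fine(annual_revenue, tier, violation_factor, size_factor=1.0,
                  repeat_factor=0.0, reductions=()):
    """Return a breakdown dict; 'fine' is the estimated amount in euros.

    reductions: mitigating-factor reductions as fractions, summed additively
    as in Question 4 (15% + 10% = 25%).
    """
    if annual_revenue <= 0 or not 0.0 <= violation_factor <= 1.0:
        raise ValueError("revenue must be positive and VF must lie in [0, 1]")
    ceiling = tier_maximum(annual_revenue, tier)
    # Revenue-based limitation: the base maximum never exceeds annual revenue.
    base = min(annual_revenue, ceiling)
    gross = base * violation_factor * size_factor * (1.0 + repeat_factor)
    total_reduction = sum(reductions)
    # Page rule: mitigating factors can reduce a fine but not eliminate it.
    if not 0.0 <= total_reduction < 1.0:
        raise ValueError("total mitigation must be below 100%")
    return {
        "tier_maximum": ceiling,
        "revenue_capped": base < ceiling,  # True when revenue is the binding limit
        "base_maximum": base,
        "gross_fine": gross,
        "total_reduction": total_reduction,
        "fine": gross * (1.0 - total_reduction),
    }


if __name__ == "__main__":
    # Question 2: EUR 50M revenue, second tier, VF 0.8 -> 16,000,000
    print(estimate_fine(50_000_000, 2, 0.8)["fine"])
    # Question 3: EUR 5M startup, VF 0.95 -> revenue-capped, 4,750,000
    print(estimate_fine(5_000_000, 2, 0.95))
    # Question 4: EUR 500M, VF taken as 1.0, 15% + 10% mitigation -> 15,000,000
    print(estimate_fine(500_000_000, 2, 1.0, reductions=(0.15, 0.10))["fine"])
```

The `revenue_capped` flag in the breakdown is what distinguishes the Question 3 case (revenue is the binding limit) from Questions 2 and 4 (the tier ceiling is).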

Question 5: Multiple Choice - Repeat Offenses

Under GDPR Article 83, which factor is most likely to result in increased penalties for repeat violations?

Solution:

The answer is C) Previous violations are considered as aggravating factors. According to GDPR Article 83(2)(e), supervisory authorities must consider "whether the controller or processor has taken measures to mitigate the damage suffered by data subjects" as well as "any relevant previous infringements by the controller or processor." Repeat violations are explicitly considered as factors that may increase penalties.

Pedagogical Explanation:

GDPR treats repeat violations more seriously than first-time violations. This approach encourages compliance and deters continued non-compliance. The regulation specifically mentions previous infringements as a factor that supervisory authorities must consider when determining penalties.

Key Definitions:

Aggravating Factors: Circumstances that increase penalty severity

Repeat Violations: Multiple infractions by same organization

Supervisory Authority Discretion: Authority to determine appropriate penalties

Important Rules:

• Repeat violations are explicitly considered by authorities

• Penalties increase but are not automatically doubled

• Each case is assessed individually

Tips & Tricks:

• Address violations promptly to avoid repeat classification

• Maintain comprehensive compliance programs

• Document all corrective actions taken

Common Mistakes:

• Assuming repeat violations receive same treatment as first-time

• Not maintaining proper violation tracking systems

• Underestimating the impact of previous violations

GDPR FAQ

Q: How do supervisory authorities determine the exact amount within the GDPR fine range?

A: Supervisory authorities apply the principles of effectiveness, proportionality, and dissuasiveness when determining exact fine amounts. The key factors include:

1. Nature of violation: Severity and scope of the infringement

2. Degree of responsibility: Intentional vs. negligent conduct

3. Duration: How long the violation persisted

4. Measures taken: Actions to mitigate harm to data subjects

5. Previous violations: History of non-compliance

6. Cooperation: Engagement with supervisory authorities

For a company with annual revenue \( AM = €100M \) violating Article 5 (second tier), if the violation affected 50,000 individuals over 6 months, the formula would be: \( FF = \min(100M, \max(10M, 20M)) \times VF \times SF \times (1 + RF) \), where \( VF \) incorporates the scale and duration of the violation.

Q: Are small businesses subject to the same GDPR fine structure as large corporations?

A: Yes, the GDPR fine structure applies equally to all organizations regardless of size. However, supervisory authorities must consider the economic capacity of the organization when determining the exact amount.

For a small business with \( AM = €500K \) committing a second-tier violation:

\( FF = \min(500K, \max(10M, 20M)) \times VF \times SF \times (1 + RF) \)

Since \( AM \) is less than the absolute maximum, the fine is capped at \( €500K \times VF \), potentially resulting in a much smaller penalty than for a large corporation with the same violation.

Additionally, Article 81 states that penalties must be "effective, proportionate and dissuasive," which inherently considers the organization's size and economic capacity.

About

Privacy Team
This calculator was created by our Legal & Compliance Team and may make errors. Consider checking important information. Updated: April 2026.