Below is a comprehensive overview of GDPR enforcement across Europe, highlighting which nations impose the most stringent regulations, the heaviest fines, and why the numbers keep climbing. Dive in to see who’s getting fined—and how much.
Get a Free Cookie Banner now
It doesn't matter if your are in the US, Europe or anywhere else.
Overview of GDPR Enforcement in Europe
This report outlines which European countries exercise the most rigorous control under the General Data Protection Regulation (GDPR) and related laws, as well as how they implement enforcement in practice. You’ll find a prioritized list of nations by regulatory strictness, statistics on fines (both frequency and cumulative value), examples of the largest penalties, and an assessment of who leads the charge in active enforcement.
Prioritized List of Countries by Strict GDPR Enforcement
- Ireland
- Boasts the highest total amount of fines under GDPR.
- Home to major tech multinationals (Meta/Facebook, Google, TikTok), meaning Ireland’s Data Protection Commission (DPC) often oversees large cross-border cases.
- Has issued record-breaking fines in the billions (e.g., Meta), securing its position as one of the strictest enforcers—even if its total number of cases is not the highest.
- France
- Known for a proactive and stringent data protection authority, the CNIL.
- A leader in targeting cookie violations and big tech companies, imposing numerous fines both in quantity and in overall sum.
- Infamously imposed a €50 million fine on Google in 2019, and has since continued with high penalties for illegal tracking and insufficient consent.
- Italy
- The Italian regulator (Garante) is notable for hundreds of enforcement actions—nearly 400 in total—covering telemarketing breaches, data leaks, and more.
- Among the highest total fines (over €266 million), with major hits on telecom companies (e.g., TIM received €27.8 million in 2020).
- Spain
- The Spanish authority (AEPD) is extremely active, with approximately 939 GDPR fines, making it the leader by volume.
- While many Spanish fines are smaller (totaling around €110 million), the sheer number of enforcement actions reveals a thorough approach in both public and private sectors.
- Luxembourg
- Has relatively few cases but imposes extraordinarily large penalties when it does act.
- Responsible for the largest GDPR fine on record (€746 million to Amazon), making Luxembourg second overall in total fines issued.
- The Netherlands
- The Dutch regulator (Autoriteit Persoonsgegevens) enforces strict laws for both large and small violations.
- Among the top five by total fines (~€350 million), even with fewer overall cases (around 30).
- Known for a tough interpretation of GDPR, with fines issued to major tech firms (e.g., TikTok) for child data protection breaches.
- Germany
- Operates a decentralized system, with state-level authorities each enforcing GDPR.
- Has surpassed 200 total fines but remains moderate in total sum (~€56 million).
- Some notable cases (e.g., €35 million against H&M for employee data misuse), though fines are typically lower than in Italy or France.
Note: The UK enforced GDPR until Brexit, now using “UK GDPR.” The Information Commissioner’s Office (ICO) has levied substantial fines against British Airways and Marriott (total ~€76 million), ranking it highly on big individual penalties even if the total case count remains smaller.
Sources for this section:
Enforcement Statistics: Fines per Country
Below is a snapshot of GDPR enforcement in selected European nations, measured by number of fines and overall sum:
| Country | Number of Fines | Total Fines |
|---|---|---|
| Ireland | 30 | €3,507,363,400 |
| Luxembourg | 32 | €746,314,000 |
| France | 65 | €373,185,200 |
| Netherlands | 30 | €350,820,500 |
| Italy | 400 | €266,725,000 |
| Spain | 939 | €109,954,790 |
| UK | 16 | €76,445,500 |
| Germany | 203 | €56,478,933 |
| Greece | 72 | €34,738,540 |
| Sweden | 41 | €31,660,230 |
Note: Spain and Italy handle the most enforcement actions (939 and 400 fines, respectively), whereas Ireland and Luxembourg lead in total penalty amounts due to massive one-off cases. Germany and France strike a middle ground, with moderate-to-high numbers of fines and substantial cumulative sums. Other countries, like Romania, often yield large numbers of smaller sanctions (e.g., nearly 200 fines but only ~€1.2 million total).
Sources for this section:
Biggest GDPR Fines – Examples and Reasons
Below are several of the most notable GDPR penalties, including the organizations targeted and the grounds for these fines:
- €1.2 Billion – Meta (Facebook) – Ireland
Imposed in May 2023 for unlawful data transfers of EU user data to the US without adequate safeguards. Illustrates how GDPR deals harshly with international transfers lacking appropriate protections. - €746 Million – Amazon – Luxembourg
Levied in July 2021 for violations of GDPR’s fundamental principles—specifically, failing to secure valid consent for personalized advertising. The penalty arose from an NGO complaint, reinforcing that unwanted targeted ads can incur heavy repercussions. - €345 Million – TikTok – Ireland
Issued in September 2023 for children’s data protection failures, including making minor accounts public by default and allowing under-13 signups without verified parental consent. - €225 Million – WhatsApp – Ireland
Handed down in 2021 over lack of transparency about how user data was shared with parent company Facebook and third parties. Underlines GDPR’s insistence on clear, thorough privacy notices. - €150 Million – Google (and €60 Million to Facebook) – France
Resulted from France’s CNIL concluding that users found it more difficult to refuse cookies than accept them—thus invalidating consent. One of the largest French fines related to cookie law infringements.
Other noteworthy actions include British Airways (~€22 million) for a data breach in the UK and H&M (€35 million) in Germany for employee data misuse, underscoring that GDPR covers a wide scope—from cybersecurity lapses to unethical internal practices.
Sources for this section:
Active GDPR Enforcement – Who’s Leading?
- Spain & Italy: Notable for exceptionally high enforcement volumes. Spain has nearly 1,000 fines, while Italy has issued around 400. Both show a willingness to tackle minor and major infringements alike, creating a strict baseline of compliance.
- Ireland: Though it sees fewer overall cases, investigations targeting tech giants (e.g., Meta, WhatsApp, TikTok) have yielded the largest fines in GDPR history. Ireland works closely with other EU regulators under the “one-stop-shop” mechanism to ensure consistency across member states.
- France: The CNIL conducts sweeping investigations—particularly for cookies and online tracking—and consistently imposes significant fines. With about 65 fines totaling €373 million, France remains a highly active and uncompromising regulator.
- Germany: A federal structure results in numerous localized actions. Over 200 fines have been issued, albeit usually midrange in size. Cases like H&M’s €35 million penalty show Germany still addresses serious misconduct.
- Other Nations: Countries such as Romania, Hungary, Norway, and Sweden each contribute to GDPR enforcement in line with their resources. Although overall fines may be smaller, their regulators still impose important precedents and maintain robust scrutiny of data practices.
Sources
6. Conclusion
GDPR enforcement has proven extremely vigorous across Europe, yet Ireland, France, Italy, and Spain stand out as top enforcers. Ireland and France focus on colossal fines for the biggest global organizations, while Italy and Spain issue numerous penalties to ensure widespread adherence. Luxembourg and the Netherlands show that smaller countries can still deliver high-impact rulings. Across the board, data protection authorities are amplifying their enforcement efforts, leading to over 2,000 fines and more than €4 billion in penalties by 2024. This indicates a continuing high level of scrutiny for businesses operating in Europe.
Sources for this section:
