GDPR
February 19, 2026
19 min read

GDPR Fines Tracker 2026: Every Major Enforcement Action & What It Means


Babar Khan Akhunzada

LIVE TRACKER · Last updated: June 19, 2026 · Updated monthly

€7.4B+ cumulative fines since May 2018
€530M largest 2025 fine (TikTok, 2025)
€5M latest major action (IQVIA, May 2026)
443 breach reports per day (+22% year on year)

Recent rulings: Amazon €746M annulled (Mar 2026) · OpenAI €15M annulled (Mar 2026) · Criteo €40M upheld (Mar 2026)

GDPR enforcement is no longer a background risk managed by legal teams. With approximately €1.2 billion in fines issued in 2025 alone, more than €600 million already issued in the first half of 2026, and daily breach notifications exceeding 443 for the first time since 2018, regulators have made one thing unmistakably clear: the grace period is over. And with the EU AI Act's high-risk system enforcement going live on 2 August 2026, just six weeks away, a second penalty layer is about to overlay every existing GDPR exposure.

This tracker compiles every major enforcement action from 2024 through June 2026, breaks down the violation patterns driving the biggest fines, tracks how the major fines have fared on appeal, and maps what it means for your business right now. Whether you're assessing your GDPR compliance posture for the first time or refreshing your programme ahead of a client audit, the cases here are your most practical reference point.

GDPR Gap Assessment · Free Consultation

Is your business exposed to 2026 GDPR enforcement?

SecurityWall's compliance team runs gap assessments against the current enforcement pattern. Identify your highest-risk exposures before regulators do.

Section I — GDPR Enforcement at a Glance: June 2026 Snapshot

Before diving into individual cases, the numbers themselves tell a compelling story.

The 7th edition of the CMS GDPR Enforcement Tracker Report (cut-off date 1 March 2026) records 2,685 documented fines, an increase of 440 over the prior report, totalling approximately €6.11 billion in directly recorded fines; 3,062 fines are counted if those with limited information on amount or date are also included. Factoring in cases beyond the CMS sample and the most recent enforcement actions, total cumulative GDPR penalties now exceed €7.4 billion since the regulation came into force in May 2018, with the DLA Piper January 2026 Survey reporting €7.1 billion through 10 January 2026 as a confirmed baseline.

Enforcement Snapshot · June 2026: The Aggregate Picture, By the Numbers

Metric | Figure (June 2026)
Total cumulative fines (May 2018 to June 2026) | €7.4 Billion+
Fines issued in 2025 | ~€1.15 to €1.2 Billion
Fines issued H1 2026 | €600M+ estimated
Total recorded enforcement actions | 2,800+ (CMS 7th Edition: 2,685)
Average daily breach notifications | 443 per day (+22% YoY)
Country with highest fine volume | Spain — 1,048+ fines
Country with highest fine value | Ireland — €4.04 Billion aggregate
Most common violation type | Insufficient legal basis (~34% of fines)
Largest single fine still standing | €1.2B — Meta (May 2023, under appeal)
Largest fine annulled in 2026 | €746M — Amazon (Luxembourg, March 2026)

What these numbers mean in practice: enforcement is accelerating in both frequency and financial severity, and the sectors being targeted are broadening fast. Finance, healthcare, telecommunications, and public sector organisations are now firmly in scope, not just Big Tech. Equally important, 2026 has been the year courts started reshaping major fines on appeal: three of the most significant decisions have moved in the first six months alone.

Section II — The GDPR Fines Tracker: 2024 to 2026 Major Actions

The table below covers every significant enforcement action from 2024 through June 2026. Status badges show appeal outcomes where applicable. New 2026 additions are highlighted.

Major Enforcement Actions · 2024 to 2026: Every Fine That Matters, With Current Appeal Status

Company | Fine | DPA · Date | Primary Violation | Status
Meta Platforms | €1.2B | Ireland DPC · May 2023 | Unlawful data transfers to the US | UNDER APPEAL
Amazon Europe | €746M | Luxembourg CNPD · Jul 2021 | Targeted advertising without valid consent | ANNULLED MAR 26
TikTok | €530M | Ireland DPC · May 2025 | Illegal data transfers to China | UNDER APPEAL
Google LLC | €325M | France CNIL · Sept 2025 | Gmail ads without consent, cookie manipulation | ACTIVE
LinkedIn | €310M | Ireland DPC · Oct 2024 | Wrong legal basis for ad targeting | ACTIVE
Uber | €290M | Netherlands AP · Aug 2024 | Driver data transferred to US without safeguards | UNDER APPEAL
SHEIN | €150M | France CNIL · Sept 2025 | Cookies placed without consent, broken opt-outs | ACTIVE
Google Ireland | €125M | France CNIL · Sept 2025 | Cookie consent failures at account creation | ACTIVE
Vodafone Germany | €45M | Germany BfDI · 2025 | Vendor security failures, weak data controls | ACTIVE
Criteo | €40M | France CNIL · 2023 | Partner consent verification failure | UPHELD MAR 26
OpenAI | €15M | Italy Garante · Nov 2024 | ChatGPT processing without legal basis | ANNULLED MAR 26
Poczta Polska | €6.3M | Poland UODO · 2025 | Illegal processing of 30M citizens' data | ACTIVE
IQVIA Operations FR | €5M | France CNIL · May 2026 | Health data warehouse safeguard failures | NEW · ACTIVE
Replika (Luka Inc.) | €5M | Italy Garante · 2025 | AI chatbot GDPR violations | ACTIVE
ING Bank Śląski | €4.4M | Poland UODO · 2025 | Unlawful scanning of customer ID documents | ACTIVE
McDonald's Polska | €4M | Poland UODO · 2025 | Employee, customer data processing violations | ACTIVE
South Staffs Water | ~£1M | UK ICO · May 2026 | Personal data breach response failure | NEW · ACTIVE
NL Municipalities (x10) | €250K | Netherlands AP · Feb 2026 | Unlawful processing of religious data | ACTIVE

Sources: CMS GDPR Enforcement Tracker (7th Edition), Osano Enforcement Tracker, DLA Piper GDPR Survey January 2026, DPA press releases through 17 June 2026.

Case Deep-Dives: What Actually Went Wrong

Understanding why these fines were issued matters more than the amounts themselves. Each case contains a direct lesson for your compliance programme.

IQVIA Operations France — €5 Million (CNIL, May 2026)

On 26 May 2026, France's CNIL imposed a €5 million fine on IQVIA Operations France — a major global healthcare analytics provider — for failing to implement adequate safeguards limiting risks to individuals in the management of its health data warehouses. The decision underscores that France's CNIL is applying the highest standard of scrutiny to sensitive Article 9 data processing, particularly where health data is centralised at scale for research and commercial analytics use.

What this means for you: Any organisation handling health, biometric, or special category data should treat Data Protection Impact Assessments and technical safeguards as ongoing operational obligations, not one-time compliance exercises. The CNIL's expectation is documented evidence that risk to individuals is actively managed, not just initially assessed.

TikTok — €530 Million (Ireland DPC, May 2025)

Ireland's Data Protection Commission fined TikTok €530 million for illegally transferring European Economic Area user data to China without adequate safeguards. The case centred on TikTok's failure to demonstrate that Chinese employees accessing European user data were subject to protections equivalent to those required under GDPR, a standard the company could not meet given the reach of Chinese national security laws over domestic companies. TikTok is appealing.

What this means for you: If your organisation uses cloud infrastructure, software vendors, or support teams outside the EEA, you must conduct Transfer Impact Assessments. Claiming Standard Contractual Clauses are in place is no longer sufficient without documented evidence that the receiving country's legal framework doesn't undermine those protections.

Google — €325 Million (France CNIL, September 2025)

France's CNIL fined Google a combined €325 million for two separate violations. Google LLC received €200 million for inserting advertisements disguised as emails into Gmail users' inboxes without valid consent. Google Ireland was fined €125 million for failing to properly inform users about advertising cookies during account creation. Google's cookie-related fines from the CNIL have escalated from €100 million in 2020 to €150 million in 2021 and now €325 million in 2025, a direct consequence of repeat violations.

What this means for you: Cookie banners must offer rejection as easily as acceptance. Regulators are actively auditing interfaces. If your consent management platform makes "Accept All" one click and "Reject All" three clicks, you are in violation of standards the CNIL has now enforced multiple times.

SHEIN — €150 Million (France CNIL, September 2025)

SHEIN's Irish subsidiary was fined €150 million after investigation revealed that cookies with advertising purposes were placed on user devices before consent was given. Consent banners lacked key information about advertising purposes, no information was provided about third-party cookie providers, and mechanisms for refusing consent were non-functional with cookies continuing to be placed even after users rejected them.

What this means for you: No cookies, including analytics or advertising tags, should fire before a user has made an active consent choice. If your tag management setup allows scripts to run on page load before consent is captured, this is a live compliance exposure that CNIL has now enforced at scale.
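As an added illustration (not code from the original post or from SecurityWall), the following self-contained JavaScript shows the gating pattern that the SHEIN findings and the Section VII cookie checklist describe: non-essential tags are queued until an explicit choice exists, "reject all" is a single call exactly like "accept all", and an audit helper flags cookies that are present before any choice or after a refusal. The tag names, the cookie-name registry and the cookie strings are constructed sample data, and the loaders are plain functions standing in for vendor script injection.

```javascript
// Added example: consent-gated tag loading as a small, DOM-free JavaScript module.
// Tag "loaders" are plain functions; in a browser each would inject the vendor script.
// No tag outside the "necessary" category runs until the user has made an explicit choice.

const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentGate {
  constructor() {
    this.choice = null;   // null until the user actively decides; silence is not consent
    this.pending = [];    // non-essential tags registered before a choice exists
    this.fired = [];      // names of tags that actually ran
  }

  // Register a tag. Necessary tags run at once; everything else waits for consent.
  register(name, category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, loader };
    if (category === "necessary") return this.run(tag);
    if (this.choice === null) { this.pending.push(tag); return false; }
    return this.maybeRun(tag);
  }

  run(tag) { tag.loader(); this.fired.push(tag.name); return true; }

  maybeRun(tag) { return this.choice[tag.category] === true ? this.run(tag) : false; }

  // "Accept all" and "reject all" are each a single call: the two paths are symmetric.
  acceptAll() { return this.decide({ analytics: true, advertising: true }); }
  rejectAll() { return this.decide({ analytics: false, advertising: false }); }

  // Granular choice. Any category not explicitly granted is treated as refused.
  // Returns the number of queued tags released by this decision.
  decide(granted) {
    this.choice = {
      analytics: granted.analytics === true,
      advertising: granted.advertising === true,
    };
    const queued = this.pending;
    this.pending = [];
    return queued.filter((t) => this.maybeRun(t)).length;
  }
}

// Audit helper: given the cookies actually present (as a Cookie header string) and
// the consent state, report cookies that should not exist. The name-to-category
// registry is constructed sample data; a real CMP maintains its own inventory.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "advertising",
  ads_uid: "advertising",
};

function parseCookieNames(header) {
  return header.split(";").map((s) => s.trim()).filter(Boolean)
    .map((pair) => pair.split("=")[0].trim());
}

function auditCookies(cookieHeader, choice) {
  const violations = [];
  for (const name of parseCookieNames(cookieHeader)) {
    const category = COOKIE_REGISTRY[name] || "unclassified";
    if (category === "necessary") continue;
    if (category === "unclassified") {
      violations.push({ name, reason: "not in cookie registry" });
    } else if (choice === null) {
      violations.push({ name, reason: `${category} cookie set before any consent choice` });
    } else if (choice[category] !== true) {
      violations.push({ name, reason: `${category} cookie set after user refused ${category}` });
    }
  }
  return violations;
}

// Worked scenario (constructed): tags registered on page load, user rejects, and a
// page that set tracking cookies anyway is audited against the recorded refusal.
function demo() {
  const gate = new ConsentGate();
  gate.register("session", "necessary", () => {});
  gate.register("ga4", "analytics", () => {});
  gate.register("meta-pixel", "advertising", () => {});
  const firedBeforeChoice = gate.fired.slice();          // ["session"] only
  const releasedOnReject = gate.rejectAll();             // 0: nothing fires on reject
  const audit = auditCookies("session_id=abc; _fbp=xyz; _ga=GA1.2.3", gate.choice);
  return { firedBeforeChoice, releasedOnReject, firedAfter: gate.fired.slice(), audit };
}
```

Running the audit against the real Cookie header observed after a "reject all" click is a quick check for the SHEIN failure mode, where cookies kept being set despite the refusal.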

LinkedIn — €310 Million (Ireland DPC, October 2024)

LinkedIn Ireland was fined €310 million for using an incorrect legal basis for behavioural advertising and analytics. The company claimed targeted advertising was necessary to perform its contract with users. Regulators rejected this because targeted advertising is not required to deliver the LinkedIn service.

What this means for you: "Contract necessity" cannot be used as a legal basis for processing that isn't genuinely necessary to deliver the core service. This applies directly to any business using behavioural analytics, email marketing, or ad retargeting under a claimed contractual necessity basis.

Netherlands Municipalities — €250,000 (Dutch AP, February 2026)

Ten Dutch municipalities were fined for the illegal processing of dossiers containing sensitive information about Muslim residents. The municipalities conducted investigations into these individuals without their knowledge and without a valid legal basis. The Dutch DPA found violations of transparency, data minimisation, and the special protections afforded to sensitive personal data under Article 9.

This case confirms that public sector bodies are now firmly within active enforcement scope, and that special category data involving religion, ethnicity, or health remains a zero-tolerance area for regulators. For organisations operating in the Netherlands specifically, understanding the interplay between GDPR and the Dutch UAVG is essential. A dedicated step-by-step compliance review is advisable.

€7.4B in Fines Issued · Don't Be the Next Case Study

A 30-minute call. A clear view of your exposure.

Our GDPR specialists review your processing activities against the current enforcement pattern and give you a prioritised list of what to fix this quarter.

Section III — Appeals and Reversals: How the Courts Are Reshaping Enforcement

The first half of 2026 has been the most active period for court rulings on major GDPR fines since the regulation took effect. Three landmark decisions reshape how organisations should think about appeal strategy and DPA decision durability.

Amazon · €746M · Luxembourg Administrative Court · ANNULLED MARCH 2026
Annulled on procedural grounds. Underlying GDPR violations upheld. Case sent back to the CNPD for a fresh decision following corrected procedure.

OpenAI · €15M · Court of Rome · ChatGPT · ANNULLED 18 MARCH 2026
Italy Garante's €15M fine for ChatGPT GDPR violations overturned. The only finalised GenAI GDPR fine in Europe is now reversed. Garante considering appeal.

Criteo · €40M · Conseil d'État · France · UPHELD, FINAL MARCH 2026
Appeal rejected by France's highest administrative court. Binding precedent: AdTech firms cannot delegate consent verification to upstream publishers.

Amazon — €746 Million Fine Annulled on Procedural Grounds (March 2026)

In March 2026, the Luxembourg Administrative Court annulled the €746 million fine that the Luxembourg CNPD had imposed on Amazon Europe Core in July 2021 for ad targeting without valid consent. Critically, the court annulled the fine on procedural grounds, not because the underlying GDPR violations were unfounded. The court confirmed most of the substantive violations. The case has been sent back to the CNPD for a fresh decision, meaning Amazon may yet face a re-issued fine.

What this means for you: Procedural rigor by DPAs is being tested in court, and major fines are being unwound when supervisory authorities fail to follow process to the letter. For organisations, the practical implication is that a DPA decision is increasingly treatable as the start of a process, not the end. Appeals are being filed earlier and pursued harder. But the underlying violations remain on record, and re-issued decisions are likely to follow corrected procedure.

OpenAI — €15 Million ChatGPT Fine Annulled by Court of Rome (March 18, 2026)

On 18 March 2026, the Court of Rome annulled the Italian Garante's €15 million fine against OpenAI, which had been imposed in November 2024 for ChatGPT-related GDPR violations including processing personal data for AI training without a lawful basis, transparency failures, breach notification failures, and lacking age verification mechanisms. This was the only finalised GDPR enforcement action ever adopted in Europe specifically concerning the launch of generative AI services to the public, and the Court has now overturned it. The Garante received the ruling on 19 March 2026 and is considering whether to appeal.

What this means for you: The legal landscape for generative AI under GDPR is now genuinely unsettled. The Garante's decision had been treated by other DPAs as quasi-precedent for how to enforce existing GDPR obligations against LLMs. With the Court of Rome's annulment, regulators are likely to be more cautious in initiating GenAI enforcement until the legal questions are clearer, but organisations should not interpret this as permission to deprioritise GenAI compliance. The EDPB has been clear that GDPR applies to LLM deployments, and the EU AI Act's August 2026 enforcement creates a parallel framework that does not depend on Garante-style decisions.

Criteo — €40 Million Fine Upheld by Conseil d'État (March 2026)

In March 2026, France's Conseil d'État, the country's highest administrative court, rejected Criteo's appeal of the €40 million fine imposed by the CNIL in 2023 for failure to verify that partner sites had obtained valid consent before placing tracking cookies. The decision is now final. The Conseil d'État's confirmation of the original CNIL decision establishes binding precedent across France that AdTech companies cannot delegate consent verification to upstream publishers without active oversight.

What this means for you: AdTech firms operating across publisher networks bear direct responsibility for verifying consent at every node in the chain. "Upstream consent" assumptions are no longer a defensible compliance position. This logic extends to any organisation operating through SaaS, plugin, or vendor networks where personal data flows through multiple parties.

The three rulings together reveal a pattern: courts are willing to overturn major fines where DPAs have erred procedurally, but they are equally willing to uphold the underlying GDPR principles when the procedure is sound. Meta's €1.2 billion fine remains under appeal with payment suspended, and the Schrems II line of reasoning underpinning that fine remains intact regardless of the appeal outcome. The aggregate effect is that GDPR enforcement is becoming more rigorous, not less: DPAs are being forced to build more defensible records, which generally results in stronger final decisions.

Section IV — What Violations Are Getting Companies Fined?

An analysis of all recorded enforcement actions shows a consistent hierarchy of violation categories. Here are the five areas generating the most fines.

1. Insufficient Legal Basis (Most Frequent). The single most common reason for GDPR fines, accounting for approximately 34% of total fines per CMS analysis. LinkedIn's €310 million fine is the clearest recent example: claiming contract necessity for targeted advertising when that advertising was not required to perform the contract.

2. Non-Compliance with General Data Processing Principles. GDPR's core principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability) form the backbone of the regulation. Five of the ten largest GDPR fines fall into this category, per the CMS GDPR Enforcement Tracker Report 7th Edition.

3. Insufficient Security Measures. Security failures are increasingly triggering enforcement, particularly where personal data breaches result from inadequate technical or organisational controls. Vodafone Germany's €45 million fine was driven by vendor security failures. The UK's South Staffordshire Water fine in May 2026 (~£1M) similarly arose from data breach response failures. Regulators now hold controllers directly liable for processor failures.

This is where penetration testing and security validation intersect directly with GDPR accountability. SecurityWall's compliance services integrate security testing with GDPR evidence generation for exactly this purpose.

4. Cookie Consent and Transparency Failures (Fastest Growing). CNIL's actions against Google and SHEIN established clear precedents: making cookie rejection harder than acceptance is a GDPR violation, and placing cookies before consent is obtained is a per-session violation. The Conseil d'État's March 2026 upholding of Criteo's €40 million fine extends this responsibility to AdTech firms operating through partner networks.

5. Data Subject Rights Violations. The right of access (Article 15), right to erasure (Article 17), and right to data portability (Article 20) are increasingly enforced directly. Subject Access Requests should be treated as compliance indicators. A pattern of denied, delayed, or incomplete responses is a reliable trigger for a DPA investigation.

For a complete operational framework covering all five categories, see our GDPR compliance checklist guide.

EDPB Transparency Action · Now Active

Audit your transparency obligations before regulators do.

Every DPA in the EU is running parallel investigations into transparency compliance in 2026. SecurityWall's GDPR audit reviews privacy notices, consent flows, and data flow documentation against the current EDPB standard.

Section V — What 2026 Regulators Are Targeting Next

Four enforcement priorities now define the regulatory risk landscape for the second half of 2026.

▸ Priority 1 · Active Now · EDPB Transparency Action
EDPB CEF 2026 formally launched 19 March 2026. Every DPA across the EU is testing privacy notices and information obligations under Articles 12-14.

▸ Priority 2 · 6 Weeks Out · EU AI Act Enforcement
High-risk AI system provisions go live 2 August 2026. Penalty layer reaches €35M or 7% turnover, higher than GDPR's €20M / 4%.

▸ Priority 3 · Legislative · Digital Omnibus Reform
Largest GDPR reform since 2018. Commission proposal 19 Nov 2025, EDPB-EDPS Joint Opinion 2/2026 published 10 Feb 2026.

▸ Priority 4 · Standing · Cross-Border Transfers
Schrems II reasoning intact through 2026. Each specific third-country recipient must be identified. Generic SCC references no longer sufficient.

Priority 1: Transparency Obligations — The EDPB's Formal 2026 Action

On 19 March 2026, the European Data Protection Board (EDPB) formally launched the fifth edition of its Coordinated Enforcement Framework (CEF), focused on compliance with the GDPR's transparency and information obligations under Articles 12, 13, and 14. National DPAs across the EU are now running parallel investigations into how organisations communicate data processing practices to individuals.

Regulators are not simply reviewing whether a privacy policy exists. They are testing whether the information is clear, accessible, complete, and consistent with the processing actually taking place. Some authorities are taking the position that organisations should explicitly identify each third country to which personal data is transferred; generic categories like "US cloud providers" are no longer sufficient. If your privacy notice was last reviewed more than 12 months ago, it almost certainly needs updating before a DPA review finds it first.

Priority 2: EU AI Act Enforcement — Six Weeks Out

The EU AI Act's high-risk system provisions come into force on 2 August 2026, just six weeks from this update. This creates a second penalty layer operating alongside GDPR, with penalties reaching €35 million or 7% of global turnover (substantially higher than GDPR's €20 million / 4%). The Court of Rome's March 2026 annulment of the OpenAI fine has unsettled GenAI enforcement under GDPR specifically, but the EU AI Act provides a parallel framework that does not depend on existing GDPR jurisprudence.

For any business deploying AI tools that process personal data, the next six weeks are the final window to: complete DPIAs for AI-powered processing, document lawful basis specifically for AI-driven decisions, ensure transparency notices accurately describe AI use, and verify that high-risk AI systems meet the EU AI Act's risk management requirements. The EDPB published its first harmonised DPIA template on 14 April 2026; use it.

Priority 3: The Digital Omnibus — Largest GDPR Reform Since 2018

On 19 November 2025, the European Commission proposed the Digital Omnibus, a legislative package amending the GDPR, the EUDPR, the ePrivacy Directive, the Data Act, NIS2, and several other instruments. It is the most comprehensive proposal for GDPR changes since the regulation entered into force in 2018. On 10 February 2026, the EDPB and EDPS adopted Joint Opinion 2/2026, supporting some simplification measures but firmly opposing others, particularly proposals to narrow the definition of "personal data" through entity-relative contextual definitions.

The legislative process is now active. Even if final adoption is months away, the proposals signal a regulatory direction shift toward simplification and competitiveness, which controllers should monitor closely given how much downstream change it could produce.

Priority 4: Cross-Border Data Transfers

Regulators continue to require identification of each specific third-country recipient, not generic categories. Transfer Impact Assessments are expected for every transfer mechanism, and the use of Standard Contractual Clauses alone is insufficient without documented analysis of the receiving country's legal framework. The Schrems II line of reasoning underpinning Meta's €1.2 billion fine remains intact through 2026.

Section VI — Which Countries Are Enforcing Most Aggressively?

Enforcement intensity varies significantly across EU member states.

Ireland — Highest Value Fines. Ireland's Data Protection Commission remains the lead supervisory authority for most major US technology platforms because of their EU headquarters in Dublin. Cumulative DPC fines stand at €4.04 billion. Meta (€1.2B), TikTok (€530M), LinkedIn (€310M), and WhatsApp (€225M) all fall under DPC jurisdiction.

Spain — Highest Volume of Fines. The Spanish DPA leads with 1,048 recorded actions per the CMS 7th Edition, up 116 from the prior report. Spanish fines tend to be smaller in individual amount but span a far wider range of sectors and organisation sizes, including SMEs.

France (CNIL) — Aggressive on Cookies, Consumer-Facing Violations, and Health Data. France's CNIL has established itself as Europe's most active enforcer against consent manipulation and cookie violations. Its May 2026 €5 million fine against IQVIA Operations France for health data warehouse safeguards confirms an expanding focus on sensitive data processing across sectors.

Netherlands — Public Sector and Cross-Border Focus. The Dutch Autoriteit Persoonsgegevens (AP) has expanded its focus from corporate organisations to public sector bodies, as the February 2026 municipal fines demonstrate. Organisations operating in the Netherlands face a dual compliance environment with the Dutch UAVG implementing national derogations. Our guide to GDPR consulting in the Netherlands covers what to look for.

Italy (Garante) — Aggressive but Constrained by Courts in 2026. Italy's Garante remains among the most active regulators with hundreds of decisions and a particular focus on telecoms, AI services, and employment-related processing. The March 2026 annulment of its €15 million OpenAI fine is a notable setback, but the Garante continues active investigations across multiple sectors.

Germany — Security Principle and Vendor Risk. Germany's federal and state-level DPAs focus heavily on technical security measures, vendor risk management, and data processing agreements. Vodafone's €45 million fine reflects the German regulators' view that controllers cannot delegate security responsibility to processors.

Luxembourg — Reset After the Amazon Annulment. Luxembourg's CNPD now faces the reopened Amazon case after the March 2026 court annulment. The path forward involves a re-issued decision following corrected procedure, with the underlying violations already validated by the court.

Section VII — How to Use This Tracker to Protect Your Business

The enforcement patterns above translate directly into a practical risk assessment framework. Match your situation to the relevant actions below:

If you use third-party cookies or tracking pixels: Audit your consent management platform against CNIL standards. Reject must be as easy as Accept on the first consent layer. No cookies should fire before a consent signal is captured. The Conseil d'État's March 2026 ruling on Criteo extends responsibility through partner networks.

If you transfer personal data outside the EEA: Document every third-country transfer, identify each recipient specifically, and maintain a Transfer Impact Assessment. The EDPB's 2026 transparency action specifically tests this.

If you use AI tools that process personal data: Conduct a DPIA before deploying any AI tool that analyses or makes decisions about individuals. With the EU AI Act enforcement going live on 2 August 2026, the next six weeks are the final window to ensure compliance. The EDPB published its first harmonised DPIA template on 14 April 2026; use it.

If you work with vendors who process EU personal data: Review all data processing agreements against GDPR Article 28 requirements. The South Staffordshire Water case (May 2026) confirms that controller accountability for breach response is actively enforced even when processors are the proximate cause.

If you process health, biometric, or other special category data: The May 2026 IQVIA €5 million fine establishes that CNIL expects documented evidence of ongoing risk management for Article 9 data, not just initial DPIA completion.

If you operate in the Netherlands: Address both GDPR and UAVG requirements. Review the GDPR vs Dutch UAVG differences that affect legal bases and DPA jurisdiction. Use the Netherlands compliance checklist as your operational starting point.

For all organisations: Conduct a fresh review of your privacy notices against the EDPB's 2026 transparency priority. The GDPR compliance checklist provides a structured audit framework. For a deeper analysis of the regulatory context, see our companion article: GDPR Enforcement Trends in 2026 — Are You Ready?

The prevention cost of addressing these exposures is less than 0.1% of potential fine exposure.

GDPR Compliance Experts · 20+ Certified Professionals

Conduct your GDPR review before the next enforcement wave.

Privacy notices, consent flows, transfer impact assessments, DPIAs, vendor agreements. SecurityWall's compliance team across Riyadh, Dubai, Abu Dhabi, London, and Amsterdam delivers GDPR-ready evidence packages.

CISSP, CISM, CIPP/E certified team

Frequently Asked Questions

What is the largest GDPR fine ever issued?

The €1.2 billion fine issued by Ireland's Data Protection Commission against Meta Platforms in May 2023 for unlawful EU-US data transfers remains the largest GDPR fine on record. Amazon's €746 million fine from Luxembourg's CNPD in July 2021 was the second-largest, though the Luxembourg Administrative Court annulled it on procedural grounds in March 2026 (the underlying violations were upheld, and the case has been sent back to the CNPD).

What is the largest GDPR fine issued in 2026 so far?

As of June 2026, the largest single GDPR fine issued in 2026 is the €5 million fine against IQVIA Operations France from the CNIL on 26 May 2026 for failures in health data warehouse safeguards. The UK ICO's nearly £1 million fine against South Staffordshire Water in May 2026 is the largest in the UK so far in 2026. Several larger investigations are pending decision.

Was the Amazon €746M GDPR fine cancelled?

The Luxembourg Administrative Court annulled the €746 million Amazon fine in March 2026 on procedural grounds, but the underlying GDPR violations were upheld. The case was sent back to Luxembourg's CNPD for a fresh decision following corrected procedure. Amazon may yet face a re-issued fine.

When does the EU AI Act start enforcing fines?

The EU AI Act's high-risk system provisions come into force on 2 August 2026, with penalties reaching €35 million or 7% of global turnover, substantially higher than GDPR's €20 million / 4% ceiling. This creates a second penalty layer that operates alongside GDPR for AI systems processing personal data.

What is the EDPB Coordinated Enforcement Framework 2026 about?

On 19 March 2026, the EDPB formally launched the fifth edition of its Coordinated Enforcement Framework focused on GDPR transparency and information obligations under Articles 12, 13, and 14. National DPAs across the EU are running parallel investigations into privacy notices, consent flows, and how organisations communicate data processing practices to individuals.

Does GDPR apply to organisations outside the EU?

Yes. GDPR applies extraterritorially to any organisation that processes personal data of EU residents, regardless of where the organisation is based. Enforcement actions against non-EU companies, including Clearview AI (€30.5 million, Dutch DPA, 2024) and TikTok (€530 million, Irish DPC, 2025), confirm that geographic distance provides no protection from European regulators.

This tracker is updated monthly. Sources include the CMS GDPR Enforcement Tracker (7th Edition, cut-off 1 March 2026), Osano Data Privacy Fines Tracker, the DLA Piper GDPR Fines and Data Breach Survey January 2026, EDPB press releases including the 19 March 2026 launch of CEF 2026, the EDPB-EDPS Joint Opinion 2/2026 on the Digital Omnibus, and individual DPA press releases through 17 June 2026. This page is informational and does not constitute legal advice.

Tags: GDPR, Compliance, EU Compliance, European Compliance

About Babar Khan Akhunzada

Babar Khan Akhunzada leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at premier conferences including BlackHat, OWASP, and BSides.