
GDPR Fines Tracker 2026: Every Major Enforcement Action & What It Means

Babar Khan Akhunzada

February 19, 2026

Last updated: February 2026 — This page is updated monthly. Bookmark it and return.

GDPR enforcement is no longer a background risk managed by legal teams. With €1.2 billion in fines issued in 2025 alone and daily breach notifications exceeding 400 for the first time since 2018, regulators have made one thing unmistakably clear: the grace period is over.

This tracker compiles every major enforcement action from 2024 through February 2026, breaks down the violation patterns driving the biggest fines, and maps what it means for your business right now. Whether you're assessing your GDPR compliance posture for the first time or refreshing your programme ahead of a client audit, the cases here are your most practical reference point.

Section I — GDPR Enforcement at a Glance: 2026 Snapshot

Before diving into individual cases, the numbers themselves tell a compelling story.

A total of 2,245 documented fines have been recorded in the CMS Enforcement Tracker database — 2,560 if fines with limited information on amount, date, and sector are included — amounting to a cumulative sum of approximately €5.65 billion, an increase of €1.17 billion over the prior reporting period. When the most recent 2025 fines are factored in, total penalties now exceed €7.1 billion since GDPR came into force in May 2018.

Here is the enforcement picture at a glance as of February 2026:

| Metric | Figure (Feb 2026) |
|---|---|
| Total cumulative fines (May 2018–Feb 2026) | €7.1 billion |
| Fines issued in 2025 alone | ~€1.2 billion |
| Total recorded enforcement actions | 2,560+ |
| Average daily breach notifications (2025) | 443/day (+22% YoY) |
| Country with highest fine volume | Spain (932+ fines) |
| Country with highest fine value | Ireland (€4.04B aggregate) |
| Most common violation type | Insufficient legal basis for processing |
| Largest single fine ever issued | €1.2B (Meta, May 2023) |

What these numbers mean in practice: enforcement is accelerating in both frequency and financial severity, and the sectors being targeted are broadening fast. Finance, healthcare, telecommunications, and public sector organisations are now firmly in scope — not just Big Tech.

Section II — The GDPR Fines Tracker: 2024–2026 Major Actions

The table below covers every significant enforcement action from 2024 through February 2026. It is updated monthly.

| Company | Fine | DPA (Country) | Date | Primary Violation |
|---|---|---|---|---|
| Meta Platforms | €1.2B | Ireland DPC | May 2023 | Unlawful data transfers to the US |
| Amazon | €746M | Luxembourg CNPD | Jul 2021 | Targeted advertising without valid consent |
| TikTok | €530M | Ireland DPC | May 2025 | Illegal data transfers to China |
| Google LLC | €325M | France CNIL | Sept 2025 | Gmail ads without consent; cookie manipulation |
| LinkedIn | €310M | Ireland DPC | Oct 2024 | Wrong legal basis for ad targeting |
| Uber | €290M | Netherlands AP | Aug 2024 | Transferring driver data to US without safeguards |
| SHEIN | €150M | France CNIL | Sept 2025 | Placing cookies without consent; non-functional opt-outs |
| Google Ireland | €125M | France CNIL | Sept 2025 | Cookie consent failures at account creation |
| Vodafone Germany | €45M | Germany BfDI | 2025 | Vendor security failures; inadequate data controls |
| Poczta Polska | €6.3M | Poland UODO | 2025 | Illegal processing of 30M citizens' data |
| ING Bank Śląski | €4.4M | Poland UODO | 2025 | Unlawful scanning of customer ID documents |
| McDonald's Polska | €4M | Poland UODO | 2025 | Employee and customer data processing violations |
| Replika (Luka Inc.) | €5M | Italy Garante | 2025 | AI chatbot GDPR violations |
| NL Municipalities (x10) | €250K | Netherlands AP | Feb 2026 | Unlawful processing of religious data |

Sources: CMS GDPR Enforcement Tracker, Osano Enforcement Tracker, DPA press releases

Case Deep-Dives: What Actually Went Wrong

Understanding why these fines were issued matters more than the amounts themselves. Each case contains a direct lesson for your compliance programme.

TikTok — €530 Million (Ireland DPC, May 2025)

Ireland's Data Protection Commission fined TikTok €530 million for illegally transferring European Economic Area user data to China without adequate safeguards. The case centred on TikTok's failure to demonstrate that Chinese employees accessing European user data were subject to protections equivalent to those required under GDPR — a standard the company could not meet given the reach of Chinese national security laws over domestic companies.

What this means for you: If your organisation uses cloud infrastructure, software vendors, or support teams outside the EEA, you must conduct Transfer Impact Assessments. Claiming Standard Contractual Clauses are in place is no longer sufficient without documented evidence that the receiving country's legal framework doesn't undermine those protections.

Google — €325 Million (France CNIL, September 2025)

France's CNIL fined Google a combined €325 million for two separate violations. Google LLC received €200 million for inserting advertisements disguised as emails into Gmail users' inboxes without valid consent — the CNIL ruled this amounted to unsolicited direct marketing. Google Ireland was fined €125 million for failing to properly inform users about advertising cookies during account creation, where the interface steered users toward acceptance.

Google's cookie-related fines from the CNIL have escalated from €100 million in 2020 to €150 million in 2021 and now €325 million in 2025 — a direct consequence of repeat violations. Regulators apply escalating penalties to organisations that receive formal warnings and continue non-compliant practices.

What this means for you: Cookie banners must offer rejection as easily as acceptance. Regulators are actively auditing interfaces. If your consent management platform makes "Accept All" one click and "Reject All" three clicks, you are in violation of standards the CNIL has now enforced multiple times.

SHEIN — €150 Million (France CNIL, September 2025)

SHEIN's Irish subsidiary was fined €150 million after an investigation revealed that cookies with advertising purposes were placed on user devices before consent was given. Consent banners lacked key information about advertising purposes, no information was provided about third-party cookie providers, and mechanisms for refusing consent were non-functional, with cookies continuing to be placed even after users rejected them. SHEIN's 12 million monthly French visitors amplified the severity.

What this means for you: No cookies — including analytics or advertising tags — should fire before a user has made an active consent choice. If your tag management setup allows scripts to run on page load before consent is captured, this is a live compliance exposure that CNIL has now enforced at scale.

LinkedIn — €310 Million (Ireland DPC, October 2024)

LinkedIn Ireland was fined €310 million for using an incorrect legal basis for behavioural advertising and analytics. The company claimed targeted advertising was necessary to perform its contract with users. Regulators rejected this because targeted advertising is not required to deliver the LinkedIn service. LinkedIn also failed to clearly communicate which legal basis applied to which type of processing.

What this means for you: "Contract necessity" cannot be used as a legal basis for processing that isn't genuinely necessary to deliver the core service. This applies directly to any business using behavioural analytics, email marketing, or ad retargeting under a claimed contractual necessity basis.

Netherlands Municipalities — €250,000 (Dutch AP, February 2026)

Ten Dutch municipalities were fined for the illegal processing of dossiers containing sensitive information about Muslim residents. The municipalities conducted investigations into these individuals without their knowledge and without a valid legal basis. The Dutch DPA found violations of transparency, data minimisation, and the special protections afforded to sensitive personal data under Article 9.

This case is significant well beyond the fine amount. It confirms that public sector bodies — government departments, local authorities, healthcare trusts — are now firmly within active enforcement scope, and that special category data involving religion, ethnicity, or health remains a zero-tolerance area for regulators.

For organisations operating in the Netherlands specifically, this case underscores why understanding the interplay between GDPR and the Dutch UAVG is essential. The national implementation law affects available legal bases, DPA jurisdiction, and how investigations proceed. A dedicated step-by-step compliance review is advisable.

Section III — What Violations Are Getting Companies Fined?

An analysis of all recorded enforcement actions shows a consistent hierarchy of violation categories. Here are the five areas generating the most fines, with what each means operationally:

1. Insufficient Legal Basis for Processing

The single most common reason for GDPR fines. It applies when an organisation processes personal data without a valid Article 6 legal basis, or uses the wrong one. LinkedIn's €310 million fine is the clearest recent example: claiming contract necessity for targeted advertising when that advertising was not required to perform the contract.

Other common failures include using "legitimate interests" without a proper balancing test, relying on consent where it was bundled, pre-ticked, or not freely given, and switching legal bases mid-processing without informing users.

2. Non-Compliance with General Data Processing Principles

GDPR's core principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability — form the backbone of the regulation. Violations here attract the largest fines because they reflect systemic, organisation-wide failures. Meta's €1.2 billion fine fell into this category, as did Amazon's €746 million penalty.

3. Insufficient Security Measures

Security failures are increasingly triggering enforcement, particularly where personal data breaches result from inadequate technical or organisational controls. Vodafone Germany's €45 million fine was driven by vendor security failures and poor customer data handling. Regulators now hold controllers directly liable for processor failures, meaning a vendor breach can result in fines for the controller even when the vendor is the proximate cause.

This is where penetration testing and security validation intersect directly with GDPR accountability. Demonstrating that adequate security measures are in place — through documented testing, remediation, and independent validation — is how organisations defend against enforcement scrutiny. SecurityWall's compliance services integrate security testing with GDPR evidence generation for exactly this purpose.

4. Dark Patterns and Cookie Consent Manipulation

Dark patterns emerged as a frontline enforcement priority in 2024–2025. CNIL's actions against Google and SHEIN established clear precedents: making cookie rejection harder than acceptance is a GDPR violation, and placing cookies before consent is obtained is a per-session violation affecting every user. Regulators now actively test websites rather than waiting for complaints.

Common red flags: unequal friction between Accept and Reject paths, absence of a "Reject All" button on the first consent layer, pre-ticked boxes, cookie walls blocking service access, and consent banners that don't identify third-party recipients.

5. Data Subject Rights Violations

The right of access (Article 15), right to erasure (Article 17), and right to data portability (Article 20) are increasingly enforced directly. Malta's February 2026 action — ordering a company to provide a full copy of a complainant's personal data within 20 days — illustrates that regulators will intervene even without a fine when access rights are denied on spurious legal grounds.

Subject Access Requests should be treated as compliance indicators. A pattern of denied, delayed, or incomplete responses is a reliable trigger for a DPA investigation.

For a complete operational framework covering all five categories, see our GDPR compliance checklist guide.

Section IV — Which Countries Are Enforcing Most Aggressively?

Enforcement intensity varies significantly across EU member states — not because the law differs, but because DPAs vary in resource levels, enforcement philosophy, and sector focus.

Ireland — Highest Value Fines

Ireland's Data Protection Commission is the lead supervisory authority for most major US technology platforms because of their EU headquarters in Dublin. This makes Ireland the source of the largest individual fines to date: Meta (€1.2B), TikTok (€530M), LinkedIn (€310M), and WhatsApp (€225M) all fall under DPC jurisdiction. Cross-border enforcement procedural reforms now in effect are reducing the delays that previously stalled complex cases.

Spain — Highest Volume of Fines

The Spanish DPA has issued more fines than any other EU authority, with a total of 932 recorded actions. Spanish fines tend to be smaller in individual amount but span a far wider range of sectors and organisation sizes, including SMEs. Spain's enforcement activity demonstrates clearly that GDPR is not purely a Big Tech concern.

France (CNIL) — Aggressive on Cookies and Consumer-Facing Violations

France's CNIL has established itself as Europe's most active enforcer against consent manipulation and cookie violations. Its 2025 actions against Google (€325M) and SHEIN (€150M) represent the culmination of a multi-year enforcement plan targeting cookie compliance that began in 2019. The CNIL tests websites directly, and it applies escalating penalties to repeat offenders — Google has now been fined three times for cookie issues, each time for a larger amount.

Netherlands — Growing Public Sector and Cross-Border Focus

The Dutch Autoriteit Persoonsgegevens (AP) has expanded its focus from corporate organisations to public sector bodies, as February 2026's municipal fines demonstrate. The AP was also responsible for the €290 million Uber fine in 2024 for cross-border transfer failures and has been active in enforcement around biometric data and surveillance technologies.

Organisations operating in the Netherlands face a dual compliance environment: GDPR as the base regulation, with the Dutch UAVG implementing national derogations and procedural requirements that diverge in meaningful ways. Our guide to GDPR consulting in the Netherlands covers what to look for when selecting a local compliance partner.

Germany — Security Principle and Vendor Risk

Germany's federal and state-level DPAs focus heavily on technical security measures, vendor risk management, and data processing agreements. Vodafone's €45 million fine for vendor security failures reflects the German regulators' view that controllers cannot delegate security responsibility to processors without adequate contractual and technical oversight.

Italy — AI-Adjacent Enforcement Pioneer

Italy's Garante has been among the most active regulators in AI-related enforcement, acting ahead of the EU AI Act's formal enforcement timeline. The €5 million fine against Replika chatbot maker Luka Inc. in 2025 for GDPR violations related to AI data processing signals that the Garante is actively applying existing GDPR obligations — particularly around lawful basis, transparency, and DPIAs — to AI systems now.

Section V — What 2026 Regulators Are Targeting Next

Three enforcement priorities define the regulatory risk landscape for the remainder of 2026.

Priority 1: Transparency Obligations (Articles 12–14)

The EDPB has formally designated transparency and information provision as its 2026 coordinated enforcement theme. Every national DPA across the EU is running parallel investigations into how organisations communicate data processing practices to individuals — what data is collected, for what purpose, on which legal basis, and for how long it is retained.

Regulators are not simply reviewing whether a privacy policy exists. They are testing whether the information is clear, accessible, complete, and consistent with the processing actually taking place. If your privacy notice was last reviewed more than 12 months ago, it almost certainly needs updating before a DPA review finds it first.

Priority 2: Cross-Border Data Transfers

Regulators explicitly require identification of each specific third-country recipient — not generic categories like "US cloud providers." Transfer Impact Assessments are expected for every transfer mechanism, and the use of Standard Contractual Clauses alone is insufficient without documented analysis of the receiving country's legal framework. Supply chain exposure is particularly acute: US-headquartered SaaS platforms, cloud providers, and support services that process European personal data each require documented safeguards.

Priority 3: AI and Automated Decision-Making

The EU AI Act's August 2, 2026 compliance deadline creates dual obligations for high-risk AI systems. The EDPB's April 2025 guidance clarifies that large language models rarely achieve anonymisation standards, meaning controllers deploying third-party LLMs must conduct comprehensive DPIAs. This affects any business using AI-powered tools that process personal data — from automated customer communications to AI-assisted HR screening.

SecurityWall's compliance services include DPIA support for AI deployments alongside GDPR gap assessments and ongoing compliance monitoring.

Section VI — How to Use This Tracker to Protect Your Business

The enforcement patterns above translate directly into a practical risk assessment framework. Match your situation to the relevant actions below:

If you use third-party cookies or tracking pixels: Audit your consent management platform against CNIL standards. Reject must be as easy as Accept on the first consent layer. No cookies should fire before a consent signal is captured. Test your implementation in a fresh browser session without existing cookies.
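For the cookie-consent failures described in the SHEIN case and the tracking-pixel checklist item above, here is an added example (not SecurityWall's or any vendor's code) of a consent gate that holds non-essential tags until a choice is recorded, alongside a session audit that flags cookies set before consent or after refusal. Tag names, purposes and timings are constructed for illustration.

```javascript
// Added example (not SecurityWall's code): a consent-gated tag loader plus a
// session audit that flags cookies set before consent or after refusal.
// Purposes, tag names and cookie names below are constructed for illustration.

const PURPOSES = ["necessary", "analytics", "advertising"];

// Tag loader: non-essential tags are queued until the user makes an explicit
// choice, then run only for the purposes that were accepted.
function createConsentGate() {
  let decision = null;        // null = no choice yet (fresh session)
  const pending = [];         // tags waiting for a decision
  const fired = [];           // names of tags that actually ran
  function fire(tag) { fired.push(tag.name); tag.run(); }

  function register(tag) {    // tag: { name, purpose, run }
    if (!PURPOSES.includes(tag.purpose)) throw new Error("unknown purpose: " + tag.purpose);
    if (tag.purpose === "necessary") { fire(tag); return; }   // strictly necessary: no consent needed
    if (decision === null) { pending.push(tag); return; }    // page load before consent: hold it
    if (decision[tag.purpose]) fire(tag);                     // refused purpose: dropped, not delayed
  }

  function decide(choice) {   // choice: { analytics: bool, advertising: bool }
    decision = { analytics: Boolean(choice.analytics), advertising: Boolean(choice.advertising) };
    while (pending.length) {
      const tag = pending.shift();
      if (decision[tag.purpose]) fire(tag);
    }
  }

  return { register, decide, fired: () => fired.slice(), pendingCount: () => pending.length };
}

// Audit of one fresh browser session. cookies: [{ name, purpose, setAt }] with
// setAt in ms since page load; consent: { at, choice } or null if no choice was made.
function auditSession(cookies, consent) {
  const findings = [];
  for (const c of cookies) {
    if (c.purpose === "necessary") continue;
    if (consent === null || c.setAt < consent.at) {
      findings.push({ cookie: c.name, issue: "set before any consent decision" });
    } else if (!consent.choice[c.purpose]) {
      findings.push({ cookie: c.name, issue: "set after " + c.purpose + " was refused" });
    }
  }
  return findings;
}

// Demo on a constructed session: a fresh visitor rejects advertising but
// accepts analytics 1,500 ms after page load.
function demo() {
  const gate = createConsentGate();
  gate.register({ name: "session_id", purpose: "necessary", run() {} });
  gate.register({ name: "ads_pixel", purpose: "advertising", run() {} });
  gate.register({ name: "analytics_js", purpose: "analytics", run() {} });
  gate.decide({ analytics: true, advertising: false });
  const observed = [ // cookies captured by a test harness in that session (constructed)
    { name: "session_id", purpose: "necessary", setAt: 10 },
    { name: "_ad_id", purpose: "advertising", setAt: 400 },        // fired on page load
    { name: "_an_id", purpose: "analytics", setAt: 1600 },         // after acceptance: fine
    { name: "_ad_retarget", purpose: "advertising", setAt: 2000 }, // ignored the refusal
  ];
  const consent = { at: 1500, choice: { analytics: true, advertising: false } };
  return { fired: gate.fired(), findings: auditSession(observed, consent) };
}
```

Running the audit in a fresh session without existing cookies, as the checklist recommends, is what surfaces the two findings the demo produces: a tag that fired before any choice and one that ignored the refusal.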

If you transfer personal data outside the EEA: Document every third-country transfer, identify each recipient specifically, and maintain a Transfer Impact Assessment. Verify your Standard Contractual Clauses reference the current 2021 EU SCCs. "We have an SCC in place" is no longer sufficient on its own.

If you use AI tools that process personal data: Conduct a DPIA before deploying any AI tool that analyses or makes decisions about individuals. Establish a documented legal basis and ensure your privacy notice reflects the AI-assisted processing in plain language.

If you work with vendors who process EU personal data: Review all data processing agreements against GDPR Article 28 requirements. Request evidence of technical and organisational security measures. The Vodafone case confirms that controller accountability for processor failures is actively enforced.

If you operate in the Netherlands: Address both GDPR and UAVG requirements. Review the GDPR vs Dutch UAVG differences that affect legal bases and DPA jurisdiction. Use the Netherlands compliance checklist as your operational starting point.

For all organisations: Conduct a fresh review of your privacy notices against the EDPB's 2026 transparency priority. The GDPR compliance checklist provides a structured audit framework that maps each requirement to the specific violation categories generating the most fines in 2025–2026.

The prevention cost of addressing these exposures is less than 0.1% of potential fine exposure. For a deeper analysis of the regulatory context driving this enforcement environment, see our companion article: GDPR Enforcement Trends in 2026 — Are You Ready?

This tracker is updated monthly. Sources include the CMS GDPR Enforcement Tracker, Osano Data Privacy Fines Tracker, the DLA Piper GDPR Fines and Data Breach Survey, and individual DPA press releases. This page is informational and does not constitute legal advice.

About Babar Khan Akhunzada

Babar Khan Akhunzada is the Founder of SecurityWall, where he leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at premier conferences including BlackHat, OWASP, and BSides.