GDPR Penalty Estimator
Estimate the potential fine your organisation could face for a GDPR violation. Enter your annual global revenue, select the violation type (standard or serious), and indicate any mitigating factors. The tool calculates your maximum penalty exposure under GDPR Article 83, which caps fines at the higher of 4% of annual global turnover or €20 million for serious violations, and the higher of 2% of annual global turnover or €10 million for standard violations.
GDPR Fines Explained
The General Data Protection Regulation (GDPR) introduced a two-tier system of administrative fines to ensure that penalties are proportionate, effective, and dissuasive. The lower tier (Article 83(4)) allows fines of up to 2% of annual worldwide turnover or €10 million, whichever is greater, for violations relating to obligations of controllers and processors, certification bodies, and monitoring bodies. The upper tier (Article 83(5)) permits fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater, for more serious violations including breaches of the basic principles of processing, conditions for consent, data subjects' rights, and international transfer provisions.
It is important to understand that these are maximum penalties. The actual fine imposed by a supervisory authority will depend on a careful assessment of the specific circumstances of the case. Article 83(2) sets out a list of factors that authorities must consider when determining both whether to impose a fine and the amount of that fine. These include the nature, gravity, and duration of the infringement; whether the violation was intentional or negligent; actions taken to mitigate damage; the degree of cooperation with the supervisory authority; and any relevant previous infringements.
How Supervisory Authorities Set Fines
In practice, GDPR fines have ranged from a few thousand euros for small organisations with minor violations to hundreds of millions of euros for large technology companies found to have committed systematic breaches. The European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines, which provide a five-step methodology for determining the appropriate fine amount. This methodology starts with identifying the processing operations concerned, then finding the starting point for the fine calculation based on the nature of the violation and the turnover of the undertaking, before adjusting for aggravating and mitigating factors.
This tool provides a simplified estimate of maximum exposure and the potential impact of mitigating factors. It is intended for awareness and planning purposes only and does not predict actual enforcement outcomes. Real-world fines depend on many factors that cannot be captured in a simple calculator, including the specific supervisory authority involved, the political and enforcement climate, and the quality of the organisation's data protection programme overall.