What are the penalties for GDPR violations?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
GDPR penalties are real, and they're designed to hurt even the biggest players. The regulation uses a two-tier fine structure with hard ceilings that scale with company size.
Tier 1 (less serious violations) covers things like poor record-keeping, failing to notify a breach on time, or not having a data processing agreement in place. Fines here go up to €10 million or 2% of global annual turnover, whichever is higher.
Tier 2 (more serious violations) covers consent failures, ignoring data subject rights, and unlawful data transfers. These fines go up to €20 million or 4% of global annual turnover, whichever is higher.
For a company the size of Google or Amazon, 4% of turnover runs into the billions. For a small business, even a low-end fine can be genuinely damaging. That said, most real-world enforcement actions land well below the ceilings. Data Protection Authorities (DPAs) consider factors like how quickly you responded, whether you self-reported, and how much actual harm occurred.
Beyond the fine itself, there's the surrounding fallout. Regulatory investigations take time and cost legal fees. Public enforcement decisions are published (yes, people read them). Affected individuals can bring private claims on top of any DPA action. The full cost of a violation is almost always higher than the headline fine.
For email marketers specifically, the highest-risk areas are consent practices and how you handle unsubscribe requests and deletion. If you're collecting email addresses from EU residents and you can't clearly show when, how, and why they opted in, you're exposed to Tier 2.
One honest note: GDPR compliance is a legal question, not just a technical one. We can point you toward what to check, but if you're uncertain about your specific situation, a qualified data protection professional is worth talking to.
But if you want to start somewhere practical, check that your email marketing setup has proper consent records, a clear unsubscribe path, and a data processing agreement with your ESP. Those three things cover the most common enforcement triggers. Not sure where to start? We're happy to talk it through at our SOS line.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.