What are the penalties for GDPR violations?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

GDPR penalties are real, and they're designed to hurt even the biggest players. The regulation uses a two-tier fine structure with hard ceilings that scale with company size.

Tier 1 (less serious violations) covers things like poor record-keeping, failing to notify a breach on time, or not having a data processing agreement in place. Fines here go up to €10 million or 2% of global annual turnover, whichever is higher.

Tier 2 (more serious violations) covers consent failures, ignoring data subject rights, and unlawful data transfers. These fines go up to €20 million or 4% of global annual turnover, whichever is higher.

For a company the size of Google or Amazon, 4% of turnover runs into the billions. For a small business, even a low-end fine can be genuinely damaging. That said, most real-world enforcement actions land well below the ceilings. Data Protection Authorities (DPAs) consider factors like how quickly you responded, whether you self-reported, and how much actual harm occurred.

Beyond the fine itself, there's the surrounding fallout. Regulatory investigations take time and cost legal fees. Public enforcement decisions are published (yes, people read them). Affected individuals can bring private claims on top of any DPA action. The full cost of a violation is almost always higher than the headline fine.

For email marketers specifically, the highest-risk areas are consent practices and how you handle unsubscribe requests and deletion. If you're collecting email addresses from EU residents and you can't clearly show when, how, and why they opted in, you're exposed to Tier 2.

One honest note: GDPR compliance is a legal question, not just a technical one. We can point you toward what to check, but if you're uncertain about your specific situation, a qualified data protection professional is worth talking to.

But if you want to start somewhere practical, check that your email marketing setup has proper consent records, a clear unsubscribe path, and a data processing agreement with your ESP. Those three things cover the most common enforcement triggers. Not sure where to start? We're happy to talk it through at our SOS line.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above and get a plain-English risk read on your GDPR exposure.

I'm reviewing my email program's GDPR exposure and want to understand whether my practices could trigger fines. Based on the details below, can you help me identify which tier of violation I might be at risk for, what the realistic penalty range could be, and what I should fix first? Please give me: 1. My likely risk tier based on what I share (Tier 1 or Tier 2, and why) 2. The top three practices I should check or change 3. What documentation I should have in place to demonstrate compliance 4. Any red flags in my current setup My details: - Business location: country - Audience location: EU / global / specific countries - Opt-in method: single / double / implied / other - Consent records stored: yes / no / partially - ESP or email platform: name - Data Processing Agreement with ESP: in place / not sure / no - Unsubscribe method: one-click / footer link / manual - Privacy policy: yes, URL / no / in progress - Any recent complaints or incidents: describe or leave blank

Edit the yellow boxes, then send to the AI of your choice.