GDPR · May 2025 · 10 min read

GDPR Enforcement in 2025: €7.1 Billion in Fines and What Changed

Seven years after the General Data Protection Regulation entered into force, enforcement has moved well beyond symbolic fines. Cumulative penalties crossed €7.1 billion in 2025. TikTok's €530 million penalty, imposed for transfers of EU user data to China, is the largest fine of 2025 so far and the third-largest GDPR fine on record, behind Meta's €1.2 billion and Amazon's €746 million. Here is what the data reveals about how DPAs are changing their approach.

[Chart: Largest GDPR Fines, all time. Legend: French DPA / Other DPA]

The Enforcement Numbers

The GDPR Enforcement Tracker recorded over 2,100 fines through the end of 2025. The cumulative total stands at €7.1 billion across 45 countries — the vast majority from EU member state Data Protection Authorities, with smaller volumes from EEA countries that have implemented equivalent legislation.

2023 was the highest single-year enforcement period on record: €1.78 billion issued, driven primarily by Meta's €1.2 billion penalty from the Irish DPA, the largest fine in GDPR history. The penalty applied the Court of Justice of the EU's Schrems II judgment: the DPC found that the Standard Contractual Clauses Meta relied on for its EU-US transfers, together with the supplementary measures it had adopted, did not address the risks of US government access that the CJEU had identified.

2025 produced the third-largest individual fine to date: €530 million issued to TikTok by the Irish DPA for unlawful transfers of European user data to China. The decision centred on TikTok's inability to demonstrate that access to EU user data by Chinese authorities under Chinese law was limited to what is necessary and proportionate by EU standards, and that its supplementary measures could effectively prevent such access.

[Chart: GDPR Fines by Year (€ Billions)]

The Irish DPA as Systemic Enforcer

Ireland's Data Protection Commission has issued the largest individual fines in GDPR history — not because Ireland has the most violations, but because it serves as the lead supervisory authority for the majority of major US tech companies under the one-stop-shop mechanism. WhatsApp, Meta, TikTok, Apple, LinkedIn, and Twitter are all headquartered in Dublin for EU regulatory purposes.

This creates a structural dynamic: the DPC is simultaneously under pressure from other EU authorities to enforce more aggressively and under scrutiny for its relationships with the industry it supervises. The European Data Protection Board has issued binding decisions overriding the DPC in several high-profile cases. The €1.2 billion Meta fine is the clearest example: the DPC's draft decision ordered a suspension of transfers but proposed no administrative fine, and the EDPB's binding decision required the DPC to impose one.

The EDPB's increased willingness to issue binding decisions under Article 65 represents a significant shift in enforcement power. Individual DPAs that previously had wide discretion over fine amounts and remedial measures now operate under binding EDPB resolutions in cross-border cases where other authorities object. This centralisation of enforcement authority has so far pushed penalty amounts upward, and there is no sign of that reversing.

What DPAs Are Actually Investigating

The nature of GDPR investigations has shifted since the early years of enforcement, which focused heavily on consent mechanism violations and transparency failures. The enforcement priorities in 2024–2025 have moved toward structural violations:

  • Cross-border data transfers — lawful basis, adequacy decisions, supplementary measures
  • AI and automated decision-making — Article 22 obligations, transparency, human review
  • Data minimisation failures — excessive collection, purpose limitation breaches
  • Data retention — absence of documented retention schedules, data kept beyond stated purposes
  • Data subject rights — access request failures, deletion request non-compliance
  • Security — inadequate technical measures following breach notifications

The AI investigation category is new. DPAs are now actively examining how organisations use automated profiling and AI-generated decisions that affect individuals. Article 22 grants individuals the right not to be subject to solely automated decisions with significant effects — and DPAs are increasingly finding that organisations lack the disclosure, opt-out mechanisms, and human review processes that right requires.

The Data Transfer Problem Has Not Been Solved

The EU-US Data Privacy Framework, adopted in July 2023, was intended to resolve the post-Schrems II uncertainty around US data transfers. It provides a new adequacy decision covering US companies that self-certify under the framework, replacing the invalidated Privacy Shield. However, challenges have already been brought before the EU courts, noyb has said it will take the framework to the CJEU, and the DPF is expected to face CJEU scrutiny within the next two to three years.

In the meantime, the DPF does not resolve transfer questions for US companies that have not self-certified (including those outside the jurisdiction of the FTC or Department of Transportation, which cannot self-certify at all), for transfers to countries beyond the US, or for the onward transfers a certified US company makes to its own vendors. For European SaaS companies relying on US cloud infrastructure (AWS, Google Cloud, Azure), the adequacy of transfer mechanisms remains a live legal risk.

The TikTok enforcement decision in 2025 reinforced that "we had SCCs in place" is not a sufficient defence when the destination country's legal framework allows government access to the data that the exporter cannot effectively prevent. Under Schrems II, SCCs only work where the exporter has assessed the destination's law and added supplementary measures that close the gap; the adequacy of those measures must be assessed against the actual legal environment of the destination, not assumed from the existence of contractual protections.

What a GDPR Audit Actually Looks Like in 2026

A GDPR gap analysis today goes beyond reviewing the privacy notice and the cookie banner. The most common gaps we identify across client engagements are documentation failures: organisations that have implemented GDPR-aligned processes but lack the Article 30 records, data flow maps, and data processing agreements that demonstrate those processes to an auditor.

The Article 30 Record of Processing Activities is frequently incomplete. The regulation requires that every processing activity be documented with its purposes, the categories of data subjects and personal data, the categories of recipients, international transfers and the safeguards relied on, envisaged retention periods, and a general description of the security measures in place; DPA templates also expect the legal basis to be recorded against each purpose. Organisations that have grown their data collection without systematic documentation often have significant gaps between their Article 30 record and their actual processing activities.

Data processor agreements are the second most common gap. GDPR Article 28 requires a written contract between controllers and processors that, among other terms, commits the processor to the technical and organisational security measures required by Article 32, governs the engagement of sub-processors (which must carry the same obligations down the chain), and provides for the return or deletion of data at contract end. Many SaaS deployments involve processor chains that organisations have not mapped in full, meaning they cannot produce the required contracts for the full processing chain.

The good news is that the structural violations that produce large fines are largely preventable with proper governance architecture. The organisations paying nine-figure penalties are not failing at obscure technical requirements — they are failing at data transfer lawful basis assessment, breach notification, and data subject rights at scale. These are solvable problems.

Sources: GDPR Enforcement Tracker (enforcementtracker.com) · Kiteworks GDPR Fines Report 2026 · EDPB Annual Reports · Official DPA decision texts via EUR-Lex.