Numbers and Figures

In the 7th edition of the GDPR Enforcement Tracker Report, with a cut-off date of 1 March 2026, a total number of 2,685 fines (+440 in comparison to the GDPR Enforcement Tracker Report 2025) have been recorded in the CMS Enforcement Tracker database (3,062 if fines with limited information on amount or date are also counted) amounting to a sum of around EUR 6.11 billion (+487.6 million in comparison to the GDPR Enforcement Tracker Report 2025). In the reporting period 2018-2026, the average fine was EUR 2,277,122 across all countries.

The overview illustrates that the highest fine amounting to EUR 1.2 billion originates from Ireland and was imposed against Meta Platforms Ireland Limited. This was the first fine in the billions to date. Overall, the Irish Data Protection Commission is the supervisory authority responsible for the highest fines, accounting for 9 of the top 10 fines.

The data shows, that to date, the highest average fines were levied in the sectors “Media, Telecoms and Broadcasting”, “Employment” and “Transportation and Energy”. Also, the sectors with the highest number of fines to date are the “Industry and Commerce” and “Media, Telecoms and Broadcasting” sectors. While this may be read as an indication that such sectors are particularly inclined to disregard the GDPR requirements, this is not necessarily the case. This may also be due to a comparatively large number of companies that are relevant to the public or simply due to some extraordinary fines in these sectors (e.g. amounting to EUR 1.2 billion in the Media, Telecoms and Broadcasting sector or EUR 290 million in the Employment sector) or increased attention or focus by the authorities (e.g. in Spain regarding the Media, Telecoms and Broadcasting sector, where the Spanish authority has already issued over 80 fines against a particular Spanish telecommunications provider, which overall has received more than 100 fines from all authorities included in the Enforcement Tracker). There were comparatively few fines in the fields of “Accommodation and Hospitality” and “Real Estate”. While this is also true for the “Transportation and Energy” sector, the fines in this sector had a high average amount. This may indicate that finable violations in these fields are rare, but when they did occur, they were serious and therefore carried high fines. This trend could also be observed in the previous year.

Thus far, the Spanish Data Protection Authority has shown the most activity in terms of issuing fines/publishing issued fines, with a total of 1048 (+116 in comparison to the GDPR Enforcement Tracker Report 2025). Other countries with comparatively high fine activity are Italy, Romania and Poland, which have imposed between 106 and 490 (published) fines. Nevertheless, those three countries together have published fewer fines than Spain alone.

The reasons for this are not evident from the data. The difference could, for example, be due to differences in the publication method of fines: while some countries publish even smaller fines of a few hundred euros, other countries seem to limit publication to larger fines. Another reason for the differences between the countries could be the number of staff involved in evaluating cases and handing down fines. This may either be because countries with more fines allocated more staff to their authorities in total or the staff within the authority are more focused on pursuing violations than is the case in other countries.

Another possible explanation is that authorities follow different regulatory approaches, with some, such as the Swedish Data Protection Authority, focusing more on consultation and on issuing reprimands or warnings before imposing fines, while others impose fines directly.

A look at the following average fines shows that the average fine in Spain is much lower than in most other countries:

We have also analysed the DPAs' justifications for the fines. Each fine in the GDPR Enforcement Tracker Report and on the GDPR Enforcement Tracker Website is attributed to one of the following nine categories:

• Insufficient legal basis for data processing
• Insufficient technical and organisational measures to ensure information security
• Non-compliance with general data processing principles
• Insufficient fulfilment of data subjects' rights
• Insufficient fulfilment of information obligations
• Insufficient cooperation with supervisory authority
• Insufficient fulfilment of data breach notification obligations
• Lack of appointment of data protection officer
• Insufficient data processing agreement

Within these categories, the highest number of fines was issued for processing activities lacking a sufficient legal basis. Following closely behind, the second most frequent reason for fines was non-compliance with the general principles of data processing, followed by insufficient technical and organisational measures to ensure information security, failures to fulfil data subject rights and inadequate compliance with information obligations.

Although non-compliance with the general principles of data processing was only the second most common reason for fines, the extraordinarily high fine imposed on TikTok during the reporting period, together with other extraordinarily high fines in this category imposed before the current reporting period, meant that the average fine amount for this type of violation was significantly higher than for any other category.

So far, only very few fines have been imposed for lack of cooperation with the supervisory authority, for cases of insufficient involvement of a data protection officer, missing data processing agreements or lack of appointment of data protection officer. This trend could also be observed in the previous year.