GDPR Fines Exceed EUR 6 Billion as Enforcement Gains Further Traction
CMS publishes seventh edition of the Enforcement Tracker Report
Berlin – GDPR enforcement across Europe has entered a new phase: what began with landmark proceedings and record-breaking fines has now evolved into routine, operational scrutiny of companies’ day-to-day data protection practices. This is one of the key findings of the latest GDPR Enforcement Tracker Report published by international law firm CMS. As of March 2026, the total volume of publicly known fines has exceeded EUR 6 billion for the first time, reaching approximately EUR 6.11 billion. The number of recorded cases also continues to rise, reflecting sustained enforcement activity across Europe. The data, however, indicates a clear shift in focus: supervisory authorities are increasingly targeting practical compliance issues rather than isolated high-profile cases.
Across sectors, enforcement is now firmly embedded in the regular supervisory work of data protection authorities. In practice, investigations increasingly centre on operational topics such as transparency obligations, cybersecurity measures, online tracking, employee data processing and the use of AI-driven technologies.
Transparency and operational compliance move centre stage
A key development identified in this year’s report is the growing importance of transparency requirements as a horizontal enforcement priority. Deficiencies in privacy notices, cookie banners, employee information and other user-facing disclosures are now regularly scrutinised alongside unlawful processing and security shortcomings.
Alongside this, insufficient legal bases for processing, non-compliance with general data protection principles and inadequate technical and organisational measures remain the most common triggers for significant fines. In practice, cyber incidents and personal data breaches increasingly act as starting points for broader investigations into companies’ overall data governance and accountability structures. “This shift towards operational enforcement means that data protection compliance can no longer be managed as a one-off exercise or purely at policy level,” says Dr Anna Lena Füllsack, part of the Enforcement Tracker team at CMS in Germany. “Supervisory authorities are now looking much more closely at how organisations implement data protection requirements in their day-to-day processes.”
Enforcement broadens beyond Big Tech
While large digital platforms and data-driven business models remain a major focus of enforcement, supervisory activity is increasingly extending beyond traditional targets. Public authorities, non-profit organisations, sports associations and even individuals are now more frequently subject to GDPR scrutiny where significant volumes of personal data are processed. Across sectors, similar enforcement patterns are emerging – from digital platforms and advertising-driven business models to financial services, healthcare and employment-related data processing – with regulators focusing on transparency, data governance and cybersecurity standards. Data subject complaints also continue to play a central role in triggering investigations, with disputes relating to access rights, direct marketing practices and transparency obligations regularly leading to enforcement action.
Meanwhile, judicial review is becoming more influential, as significant fines are increasingly challenged before national courts. This trend is contributing to the ongoing clarification of key legal questions, while also highlighting continuing differences in enforcement practices across EU Member States.
Germany: employee data and litigation dynamics in focus
In Germany, enforcement continues to be shaped by the country’s decentralised system of 16 regional data protection authorities, complemented by the Federal Commissioner for Data Protection. Substantively, cases relating to insufficient legal bases for processing and deficiencies in information security remain particularly prominent. Employee data processing continues to be a recurring enforcement theme, including in cases involving large fines. Fines imposed in Germany span a broad range of sectors, including healthcare, finance, insurance and consulting, as well as cases involving individuals, private associations and employee data processing. Challenges to fines before the courts remain a relevant feature of the German enforcement landscape, with proceedings continuing to influence how cases evolve in practice. In addition, collective redress mechanisms and representative actions are gaining relevance, further increasing the potential exposure of companies to data protection claims and litigation.
A comprehensive overview of Europe’s enforcement landscape
The seventh edition of the report is based on the CMS-maintained online database “GDPR Enforcement Tracker”, which records thousands of cases across Europe and provides a unique, continuously updated overview of publicly known fines. Building on this database, the report offers a detailed analysis of enforcement trends across sectors and jurisdictions, highlighting common patterns as well as national specificities. “GDPR enforcement has reached a level of maturity where it is now part of the normal regulatory landscape across Europe,” adds Füllsack. “It will remain a key strategic issue for organisations in the years ahead.”