GDPR fines hit €3 billion in 2025.
Learn what went wrong at Meta, Amazon & TikTok—and what every DPO must do to avoid costly compliance failures.
2025 Sets a Record: Over €3 Billion in GDPR Fines Issued
In just the first half of 2025, data protection regulators across Europe issued fines totaling more than €3 billion for violations of the General Data Protection Regulation (GDPR). From tech giants to healthcare providers and telecom operators, the fines highlight ongoing failures in data privacy practices.
“Formal compliance is not enough — companies must implement substantive and well-documented privacy practices.”
— Krete Paal, CEO of GDPR Register
Top 5 GDPR Fines of 2025 (So Far)
1. Meta – €1.2 Billion Fine
- Violation: Unlawful data transfers to the U.S.
- Lesson: Standard contractual clauses (SCCs) alone are insufficient. Companies must conduct risk assessments, apply technical safeguards, and maintain continuous oversight.
2. Amazon – €746 Million Fine
- Violation: Targeted advertising without valid consent.
- Lesson: Consent must be freely given, documented, and easy to withdraw.
3. TikTok – €530 Million Fine
- Violation: Staff based in China accessed EU user data; lack of transparency towards users about that access.
- Lesson: Be transparent about data storage, access, and third-country involvement.
4. Marina Salud – €500,000 Fine
- Violation: Shared sensitive health data with subcontractors without valid contracts.
- Lesson: Use signed data processing agreements with all vendors and maintain full visibility into the processing chain.
5. Vodafone – €200,000 + €45 Million in Fines
- Violation: Weak identity verification during SIM swaps; poor oversight of subprocessors.
- Lesson: Implement strong authentication methods and regularly audit subprocessors for compliance.
What DPOs Must Learn from These Fines
The largest fines of 2025 reveal recurring compliance gaps. According to Krete Paal, companies must move beyond surface-level policies and focus on operational execution:
- 📌 Map data flows and cross-border transfers
- 📌 Ensure all vendors and subprocessors have up-to-date data processing agreements
- 📌 Regularly update privacy notices and consent mechanisms
- 📌 Conduct risk-based audits for all processing activities
- 📌 Provide ongoing privacy training to staff
“GDPR is no longer a stack of documents in a drawer. It’s a strategic management issue. Well-executed data protection builds trust and long-term value.”
— Krete Paal
How GDPR Register Helps You Stay Compliant
GDPR Register is an Estonian-built privacy management tool designed to simplify and organise GDPR compliance. The platform helps companies:
- Automate and manage RoPAs, DPIAs, and vendor records
- Monitor international data transfers and processing risks
- Stay audit-ready with real-time documentation
- Centralise privacy operations across group companies
📧 Contact: Krete Paal
📨 Email: krete.paal@gdprregister.eu
🌐 Website: https://gdprregister.eu