
GDPR Fines Hit €3 Billion in 2025 – Key Lessons for DPOs

GDPR Fines in 2025:

In the first half of the year, companies were hit with record-breaking fines for violations of personal data protection rules – the five largest fines alone totaled over three billion euros in just six months.

Krete Paal, CEO of the privacy startup GDPR Register, noted that the fines issued in the first half of the year for breaches of the General Data Protection Regulation (GDPR) highlighted recurring patterns and common failures in data protection, where companies continue to stumble. “European data protection authorities have sent a clear message to businesses: data protection is no longer optional. Formal compliance is not enough – companies are now expected to implement substantive and well-documented data protection practices,” Paal commented.

At the start of 2025, the largest fine in GDPR history – €1.2 billion – came into effect. It was issued by the Irish Data Protection Commission to Facebook’s parent company, Meta. The fine was based on Meta’s extensive transfers of personal data from its social media platforms to the United States without sufficient safeguards. “This decision sends a strong signal to all companies that standard contractual clauses are not enough for international data transfers. A risk assessment, technical safeguards, and ongoing oversight are essential,” Paal emphasized.

Tech giant Amazon took second place with a €746 million fine, issued by Luxembourg’s data protection authority in March. The massive fine was due to targeted advertising conducted without valid and informed user consent. Paal pointed out that in data-driven advertising, consent must be freely given, documented, and easy to withdraw at any time.

The third-largest fine of the year so far was issued in May to TikTok, totaling €530 million. Once again, the Irish Data Protection Commission was the authority responsible. The reason: employees based in China had access to personal data of users in Europe, combined with a lack of transparency in the platform’s processes. “This case teaches that companies must clearly and understandably inform users where their data is stored and what third countries are involved in its processing,” said Paal.

In April, the Spanish Data Protection Authority fined healthcare service provider Marina Salud €500,000. The penalty stemmed from the processing of health data by subcontractors without appropriate contractual agreements. “This shows that every data processor – including IT partners – must be formally bound by a data protection agreement, and the data controller must have full visibility into the entire processing chain,” Paal stressed.

Also worth noting is the telecom group Vodafone, which received multiple fines. In April, Vodafone España was fined €200,000 by the Spanish data protection authority for a SIM card swap carried out without sufficient identity verification, which led to a data breach. “This fine highlighted that all personal data–related actions – including account recovery – must rely on strong authentication and a risk-based approach,” explained Paal. Vodafone’s German branch was also fined €45 million for insufficient oversight of subprocessors and for failing to implement adequate safeguards for user identification.

According to Paal, the biggest GDPR fines of the first half of 2025 revealed repeated patterns from which companies can draw valuable lessons. “GDPR is no longer a stack of documents in a drawer. It’s a strategic management issue. Well-executed data protection builds trust, strengthens business relationships, and creates long-term value. The opposite is also true: if personal data is handled carelessly, companies will lose money, trust, and competitive advantage.”

To avoid reputational and financial risk, Paal recommends that companies map their data flows and cross-border transfers, and ensure that all subprocessors are covered by data processing agreements. She also stresses the importance of regularly updating privacy notices and consent templates based on the latest best practices and learning from others’ mistakes.

Conducting regular risk-based audits is also essential to ensure there is a clear legal basis for each data processing activity. “But even the best system won’t work if people don’t understand the rules or perceive the risks. Employee training is critical in data protection – most major breaches start with ignorance,” Paal emphasized.

GDPR Register, created by an Estonian startup in cooperation with IT experts, makes GDPR compliance simple and logical, helping companies and organizations efficiently manage the processes, actions, and documentation required by the regulation.
