GDPR Fine Risk Calculator
The General Data Protection Regulation (GDPR) sets two tiers of administrative fines for violations, calibrated as a percentage of global annual turnover so that they are proportionate and dissuasive regardless of company size. Understanding the maximum fine exposure helps data protection officers, legal teams, and boards make risk-based compliance investment decisions. This calculator derives the maximum statutory fine for both Article 83(4) and Article 83(5) violations from your global annual turnover, using the statutory EUR 10M and EUR 20M floor amounts from the GDPR text (converted to USD at a user-editable rate).
GDPR fine formula (Article 83)
EUR_floor_1 = EUR 10,000,000 * exchange_rate_USD
EUR_floor_2 = EUR 20,000,000 * exchange_rate_USD
tier1_max = max(EUR_floor_1, annual_turnover * 0.02)
tier2_max = max(EUR_floor_2, annual_turnover * 0.04)
All amounts are in USD: annual_turnover is total worldwide annual turnover in USD, and exchange_rate_USD is the USD value of one EUR, so both statutory floors are converted to USD before the comparison.
Source: GDPR Article 83(4) and 83(5)
What GDPR Article 83 violations apply to each tier?
- Tier 1 (2% / EUR 10M): violations of controller and processor obligations (Art. 25-39), certification body rules (Art. 42-43), monitoring body rules (Art. 41).
- Tier 2 (4% / EUR 20M): violations of basic principles (Art. 5-7), data subject rights (Art. 12-22), international transfer rules (Art. 44-49), member state specific rules, orders by supervisory authority.
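The formula above and the tier-to-article mapping, implemented as an added example that is not part of the original calculator: it assigns a GDPR article to its Article 83 tier using only the article ranges listed on this page, then computes the statutory maximum in USD with the "whichever is higher" rule. Input values, variable names and the exchange rate are constructed for illustration.

```python
from dataclasses import dataclass

# Statutory floors (EUR) and turnover shares from GDPR Article 83(4) and 83(5).
TIER_FLOOR_EUR = {1: 10_000_000, 2: 20_000_000}
TIER_TURNOVER_SHARE = {1: 0.02, 2: 0.04}

# Inclusive article ranges for each tier, as listed on this page. Tier 2 also
# covers Member State specific rules and supervisory authority orders, which
# are not identified by article number here and so are not mapped.
TIER_ARTICLES = {
    1: [(25, 39), (41, 41), (42, 43)],   # controller/processor, monitoring, certification bodies
    2: [(5, 7), (12, 22), (44, 49)],     # principles, data subject rights, transfers
}


def is_covered(article: int) -> bool:
    """True if the article appears in one of the tier tables above."""
    return any(lo <= article <= hi
               for ranges in TIER_ARTICLES.values() for lo, hi in ranges)


def tier_for_article(article: int) -> int:
    for tier, ranges in TIER_ARTICLES.items():
        if any(lo <= article <= hi for lo, hi in ranges):
            return tier
    raise ValueError(f"Article {article} is not in the tier tables on this page")


@dataclass(frozen=True)
class FineExposure:
    tier: int
    floor_usd: float           # statutory EUR floor converted to USD
    turnover_based_usd: float  # 2% or 4% of worldwide annual turnover
    maximum_usd: float         # the higher of the two, per Article 83


def max_fine(turnover_usd: float, article: int, eur_to_usd: float) -> FineExposure:
    """Statutory maximum fine for one infringed article, all amounts in USD."""
    if turnover_usd < 0 or eur_to_usd <= 0:
        raise ValueError("turnover must be non-negative and the exchange rate positive")
    tier = tier_for_article(article)
    floor_usd = TIER_FLOOR_EUR[tier] * eur_to_usd
    turnover_based = turnover_usd * TIER_TURNOVER_SHARE[tier]
    return FineExposure(tier, floor_usd, turnover_based, max(floor_usd, turnover_based))


if __name__ == "__main__":
    # Constructed inputs: a USD 100M company (floor dominates) and a USD 30B
    # company (turnover share dominates), both at an assumed rate of 1.08 USD/EUR.
    for turnover, art in [(100e6, 32), (100e6, 44), (30e9, 44)]:
        e = max_fine(turnover, art, 1.08)
        print(f"Art. {art}: tier {e.tier}, max fine USD {e.maximum_usd:,.0f}")
```

For a small company the converted EUR floor is the binding cap; only once 2% or 4% of turnover exceeds the floor does the percentage take over, which is why the largest fines cluster around the 4% mark for very large groups.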
Frequently asked questions
What are the GDPR fine tiers and maximums?
GDPR Article 83 sets two fine tiers. Tier 1 (Article 83(4)): up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. It applies to violations of controller/processor obligations, certification body obligations, and monitoring body obligations. Tier 2 (Article 83(5)): up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher. It applies to violations of the basic processing principles, data subject rights, and cross-border transfer rules.
How do supervisory authorities calculate actual GDPR fines?
The EDPB (European Data Protection Board) Guidelines 04/2022 on fines set out a five-step methodology: (1) identify the processing operations and the applicable statutory maximum; (2) set a starting point based on the severity of the infringement; (3) adjust for aggravating and mitigating factors; (4) apply the turnover-based maximum as a cap; (5) check that the result is effective, proportionate, and dissuasive. Actual fines are almost always far below the statutory maximum.
What factors reduce a GDPR fine?
Mitigating factors include: proactive notification of the breach to authorities; effective cooperation with the supervisory authority; prompt remediation of the violation; good faith efforts to comply; first infringement; limited harm to data subjects; strong DPO appointment and data protection program; and certification under an approved GDPR certification scheme. Conversely, repeat violations and failure to cooperate increase fines.
What is the largest GDPR fine issued to date?
The largest GDPR fine issued was EUR 1.2 billion against Meta Platforms Ireland Limited by the Irish Data Protection Commission in May 2023, for unlawful transfer of personal data from the EU to the US via Standard Contractual Clauses without adequate supplementary safeguards. This equated to approximately 4% of Meta's global annual revenue, the maximum Article 83(5) amount. Source: Irish DPC enforcement page.
Does GDPR apply to US-based companies?
Yes. GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is based (Article 3, extraterritorial scope). US companies that offer goods or services to EU residents, or monitor EU residents' behavior, must comply. Non-EU companies without an EU establishment should designate an EU representative under Article 27. Enforcement of fines against non-EU entities is more complex but has occurred.
Official sources
- European Parliament: GDPR - Regulation (EU) 2016/679 - Full Text (EUR-Lex).
- EDPB: EDPB Guidelines 04/2022 on Calculation of Administrative Fines.
Reviewed by the CalculatorHub team, edited by James Graham, 14 June 2026. See our methodology.