CIPP/US Study Guide
Chapter 14: The GDPR and International Privacy Issues

Levels of Fines and Criminal Sanctions

The GDPR (Article 83) sets two tiers of administrative fines. Higher-level fines (up to €20 million or four percent of total worldwide annual turnover for the preceding financial year, whichever is greater) target the core of the regulation: the basic principles of processing, data subject rights, and international transfers. Lower-level fines (up to €10 million or two percent of worldwide annual turnover, whichever is greater) target the administrative and operational duties of controllers and processors. In both tiers the percentage applies to the whole undertaking's turnover, so for a large company the percentage cap, not the fixed euro amount, is the binding limit.

Notable fines include Instagram (€405 million, processing of children's data), Facebook (€265 million, inadequate safeguards against data scraping), and Amazon (€746 million, processing personal data for targeted advertising without valid consent).

Two tiers of GDPR fines

Tier | Maximum | Targets
Higher-level fines | Greater of €20 million or 4% of worldwide annual turnover | Basic principles of processing (including conditions for consent, lawfulness, and special-category data), data subject rights, and transfers of personal data outside the EU
Lower-level fines | Greater of €10 million or 2% of worldwide annual turnover | Data protection by design and by default, records of processing, cooperation with DPAs, security of processing, breach notification to DPAs and data subjects, and designation of a DPO
Criminal sanctions exist too

In addition to administrative fines, the GDPR (Article 84) leaves member states free to lay down other penalties in national law, including criminal sanctions for certain privacy offenses; the chapter notes that at least ten countries had adopted them. These sanctions are a matter of national law, so they differ from country to country and sit alongside, rather than replace, the administrative fines above.

Key terms - quick answers

What is “Higher-level fines”?
GDPR fines up to the greater of 20 million euros or four percent of global annual revenue, for infringements of basic processing principles, data subject rights, and transfer rules.
What is “Lower-level fines”?
GDPR fines up to the greater of 10 million euros or two percent of global annual revenue, for administrative and operational infringements.