ToolSec

GDPR Fine Calculator

Estimate the maximum GDPR penalty from annual turnover and infringement tier.

Updated: June 26, 2026

How GDPR fines are capped

The EU General Data Protection Regulation caps fines on a two-tier system, and each tier's ceiling is "whichever is higher" of a fixed cap or a percentage of global annual turnover. That percentage clause is what makes GDPR fines so significant for large companies: a percentage of worldwide revenue can dwarf the fixed cap. This calculator shows both figures and which one applies.

The two tiers

  • Lower tier — up to €10M or 2% of global annual turnover. For infringements like inadequate records, security failings, or not notifying a breach on time (Articles 8, 11, 25–39, 42, 43).
  • Upper tier — up to €20M or 4% of global annual turnover. For the most serious violations: breaching the basic principles, ignoring data subject rights, or unlawful international transfers (Articles 5, 6, 7, 9, 12–22, 44–49).

"Up to" is the key phrase

These are maximums, not automatic penalties. Supervisory authorities set the actual fine using factors in Article 83: the nature and gravity of the infringement, whether it was intentional or negligent, steps taken to mitigate harm, prior violations, and cooperation with the authority. The severity slider in this tool produces a rough illustrative figure between zero and the maximum — treat it as a thinking aid, not a prediction.

Why it matters beyond the fine

The penalty is only part of the cost. A serious GDPR enforcement action usually comes with mandatory remediation, audits, reputational damage and the breach response costs you can estimate with our data breach cost estimator. Strong data protection is far cheaper than enforcement — frame the investment with the security ROI calculator.

This is not legal advice

GDPR is complex and fact-specific. This tool illustrates the statutory ceilings only; it cannot assess your actual exposure. For a real compliance position, consult a qualified data protection lawyer or your DPO.

Frequently asked questions

What is the maximum GDPR fine?

For the most serious infringements, up to €20 million or 4% of global annual turnover, whichever is higher. Lesser infringements are capped at €10 million or 2%.

Is the fine based on revenue or profit?

The percentage is calculated on global annual turnover (total worldwide revenue) of the preceding financial year — not profit.

Does every violation get the maximum fine?

No. The caps are maximums. Authorities weigh factors like severity, intent, mitigation, and cooperation under Article 83 to set the actual amount, which is often far below the ceiling.

Is this calculator legal advice?

No. It illustrates the statutory maximums only. Your real exposure depends on many legal factors — consult a data protection lawyer or DPO.

Stay on the right side of GDPR

Compliance tooling is cheaper than enforcement:

  • Privacy / consent management platform: Manage consent, data subject requests and records of processing to reduce upper-tier exposure.
  • Data protection (DPO) services: Ongoing expert guidance to keep processing lawful and demonstrate accountability to regulators.
