In one sentence. GDPR Article 83 establishes the administrative fines regime: two tiers — up to €10 million or 2% of worldwide annual turnover (whichever is higher) for procedural violations, and up to €20 million or 4% for substantive violations of core principles and data subject rights. Fines must be effective, proportionate and dissuasive, calculated case-by-case against 11 criteria in Article 83(2) — including nature/gravity, intentional vs negligent character, mitigation measures, prior infringements, cooperation with the authority, and categories of personal data affected. The EDPB Guidelines 04/2022 provide the harmonised methodology now applied across the EEA.
Article 83 is the GDPR’s economic engine — what gives the rest of the regulation its teeth. Since May 2018, EU/EEA supervisory authorities have issued over 6.4 billion euros in cumulative fines. The 2023 EDPB Guidelines 04/2022 introduced a structured 5-step methodology to ensure consistency across the 30 supervisory authorities.
Key takeaways
- Two tiers: €10M/2% (Article 83(4)) and €20M/4% (Article 83(5)).
- The higher of fixed amount OR percentage applies.
- 11 mandatory criteria in Article 83(2) — authority must consider all.
- EDPB Guidelines 04/2022: 5-step harmonised methodology (now standard).
- Maximum applies to total worldwide annual turnover of the parent group, not the subsidiary.
- Concurrent violations: only one fine per case, set at the highest amount applicable.
1. The two tiers
Tier 1 — Up to €10M or 2% (Article 83(4))
Procedural and organizational violations:
- Article 8 — conditions for children’s consent
- Article 11 — processing not requiring identification
- Articles 25-39 — controller/processor obligations, security, breach notification, DPIA, DPO designation
- Articles 41(4), 42, 43 — code of conduct monitoring, certifications
Tier 2 — Up to €20M or 4% (Article 83(5))
Core principles and data subject rights:
- Articles 5, 6, 7, 9 — principles, lawful basis, consent conditions, special categories
- Articles 12-22 — data subject rights (transparency, access, rectification, erasure, etc.)
- Articles 44-49 — international transfers
- Non-compliance with a supervisory authority order
2. The 11 calculation criteria (Article 83(2))
Every administrative fine must take into account, in each individual case:
| # | Criterion | What it means |
|---|---|---|
| a | Nature, gravity, duration | How serious; how long; how many affected; scope of damage |
| b | Intentional vs negligent | Aggravating if intentional; mitigating if accidental |
| c | Mitigation actions | Did the controller act to reduce damage to data subjects |
| d | Degree of responsibility | Considering technical and organisational measures implemented |
| e | Previous infringements | Past relevant violations by same controller/processor |
| f | Cooperation with authority | Did the controller cooperate to remedy and mitigate |
| g | Categories of data affected | Special categories (Article 9) → aggravating |
| h | How authority learned of infringement | Self-reported by controller? Mitigating |
| i | Compliance with prior orders | Did the controller follow previous corrective measures |
| j | Adherence to codes/certifications | Approved Article 40/42 instruments |
| k | Other aggravating/mitigating factors | Financial benefit gained, damages caused, etc. |
3. EDPB Guidelines 04/2022 — the 5-step methodology
Adopted May 2023, now the de facto standard:
Step 1 — Identify processing operations and categorize infringements
- One infringement OR multiple, same/different conduct
- Articles 83(3): for multiple infringements in same operation → ONE fine at the highest applicable maximum
Step 2 — Determine starting point
Based on:
- Nature/gravity/duration (criterion a)
- Categories of data (criterion g)
- Number of data subjects
Authority places infringement on a low/medium/high scale, then sets starting point as % of legal maximum:
- Low gravity: 0-10% of maximum
- Medium gravity: 10-20%
- High gravity: 20-100%
Step 3 — Adjust for aggravating/mitigating circumstances
Each of criteria b, c, d, e, f, h, i, j, k can move the amount up or down. Typical adjustments ±5% to ±30%.
Step 4 — Identify legal maximum
The lower of:
- Fixed maximum (€10M or €20M)
- Percentage maximum (2% or 4% of worldwide turnover)
For undertakings: turnover means the group’s total worldwide turnover (CJEU Volkswagen, C-807/21, December 2023).
Step 5 — Verify effective, proportionate, dissuasive
Adjust final amount if needed to ensure it serves these three objectives.
4. “Undertaking” — the Volkswagen ruling
CJEU C-807/21 (December 2023) confirmed: when calculating the 2%/4% cap, “undertaking” follows EU competition law — meaning the entire economic unit, not just the legal entity sanctioned. A subsidiary’s fine can be capped at the parent group’s worldwide turnover, dramatically increasing maximum exposure.
Example: a small SaaS subsidiary owned by a €10B group — the 4% cap = €400M, not 4% of the small subsidiary.
5. Most significant fines (2018-2026)
| Rank | Entity | Year | Amount | Authority |
|---|---|---|---|---|
| 1 | Meta Ireland | 2023 | €1.2 billion | DPC (transfers) |
| 2 | Amazon Europe | 2021 | €746 million | CNPD Luxembourg |
| 3 | Meta (Instagram) | 2022 | €405 million | DPC (children) |
| 4 | TikTok | 2023 | €345 million | DPC (children) |
| 5 | Meta | 2022 | €405 million | DPC (data scraping) |
| 6 | Meta | 2023 | €390 million | DPC (behavioural ads basis) |
| 7 | Meta | 2024 | €251 million | DPC (security) |
| 8 | 2024 | €310 million | DPC | |
| 9 | Clearview AI | 2024 | €30M+ | Multiple authorities |
| 10 | Uber | 2024 | €290 million | Dutch AP (transfers) |
Total cumulative EEA fines as of 2026: ~€6.4 billion.
6. National variations
Some Member States have added national procedural rules:
- Germany — Bundeskartellamt-style calculation, “Bußgeldkonzept” of BfDI/DSK 2019
- France — CNIL published criteria 2024 with calibration grid
- Spain — AEPD has issued the most fines by volume (1,000+ since 2018)
- Italy — Garante uses turnover-proportional formula
- Netherlands — AP publishes calculation reasoning extensively
EDPB Guidelines 04/2022 are designed to harmonize these.
7. Process: from inspection to fine
- Notice of investigation — controller informed of scope
- Documentation request — typically 30 days to respond
- On-site inspection (if needed) — authorities have powers under Article 58
- Preliminary findings — controller’s right to respond
- Draft decision — for cross-border cases, EDPB Article 65 binding decision possible
- Final decision — published, fine due typically 30-60 days
- Appeal — to national court, within 60-90 days depending on Member State
For cross-border cases under Article 60 (one-stop-shop), the lead supervisory authority drafts the decision but other concerned authorities can object — triggering EDPB Article 65 binding dispute resolution.
8. Cumulative penalties (Article 83(3))
If the same or linked processing operations violate multiple provisions of the GDPR, the total fine cannot exceed the highest applicable maximum. This prevents cumulative sanctioning.
Example: a single processing violating Article 5 (€20M max) and Article 32 (€10M max) → single fine capped at €20M, not €30M.
9. Defenses and mitigation strategies
The most effective mitigations in EDPB-published decisions:
- Self-reporting before the authority discovers the violation
- Demonstrated DPIA and risk analysis prior to processing
- Active cooperation with the authority’s investigation
- Implementing the corrective measures identified
- Approved code of conduct or certification adherence
- Prompt notification of data subjects beyond the legal minimum
- Compensation to affected data subjects
10. Tooling
Legiscope maintains a database of every EU GDPR fine published, classified by Article 83(2) criteria and EDPB methodology step, to support risk-scoring and benchmark against peers in your sector.
For related reading: GDPR Article 5, GDPR Article 32, GDPR Article 33, GDPR breach notification.
Conclusion
Article 83 is the GDPR’s enforcement architecture. The €1.2B Meta sanction and the €746M Amazon sanction demonstrate the tier-2 cap is not theoretical. With EDPB Guidelines 04/2022 harmonizing methodology and Volkswagen confirming group-level turnover applies, the structural ceiling of exposure has risen substantially for any subsidiary in a large group.
FAQ
What are the GDPR fine tiers under Article 83?
Two tiers: up to €10 million OR 2% of worldwide annual turnover (whichever is higher) for procedural violations under Article 83(4); up to €20 million OR 4% of worldwide annual turnover for substantive violations under Article 83(5).
How is “worldwide annual turnover” calculated?
Per CJEU Volkswagen (C-807/21, December 2023): turnover means the entire economic unit (parent group), not just the legal entity sanctioned. A subsidiary’s fine cap is its parent group’s worldwide turnover.
What are the 11 calculation criteria?
Article 83(2) requires consideration of: (a) nature/gravity/duration, (b) intentional/negligent, © mitigation, (d) responsibility, (e) prior infringements, (f) cooperation, (g) data categories, (h) how authority learned, (i) prior orders compliance, (j) codes/certifications, (k) other factors.
What’s the largest GDPR fine ever?
Meta Ireland — €1.2 billion (DPC, May 2023) for unlawful EU-US data transfers under Article 44.
Can I be fined multiple times for one incident?
No. Article 83(3): if the same or linked processing operations violate multiple GDPR provisions, the total fine cannot exceed the highest applicable maximum.
Legiscope automates this for you
Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.
Start free trial
