GDPR Fine Calculator

Understand your organisation's potential fine exposure under GDPR Article 83. This educational tool calculates statutory maximum caps and provides illustrative scenario ranges based on published regulatory methodologies.

What is the maximum GDPR fine in Ireland?

Under GDPR Article 83, the maximum fine is €20 million or 4% of total worldwide annual turnover, whichever is higher (the upper tier). A lower tier caps certain administrative infringements at €10 million or 2% of turnover, whichever is higher. In Ireland these fines are imposed by the Data Protection Commission (DPC) as lead supervisory authority for many EU-headquartered organisations. In the UK the equivalent caps are £17.5 million or 4% (upper) and £8.7 million or 2% (lower), enforced by the ICO.

GDPR fine key takeaways

  • GDPR Article 83 sets two fine tiers. The lower tier (Article 83(4)) caps fines at €10 million or 2% of total worldwide annual turnover, whichever is higher; the upper tier (Article 83(5)–(6)) caps them at €20 million or 4%, whichever is higher.
  • In Ireland the Data Protection Commission (DPC) imposes the fine under the EU GDPR; in the UK the Information Commissioner's Office (ICO) imposes it under the UK GDPR and Data Protection Act 2018, with sterling caps of £8.7 million / 2% (lower) and £17.5 million / 4% (upper).
  • The cap is a ceiling, not the fine. The DPC follows EDPB Guidelines 04/2022 and the ICO its Data Protection Fining Guidance, weighing Article 83(2) factors — nature, gravity, duration, mitigation and cooperation — case by case.
  • This calculator estimates exposure; it does not predict a fine. Turnover is processed locally in your browser and is never sent to Acompli. For the step-by-step method, see the GDPR fine estimation guide.

How GDPR Fines Are Calculated

Understanding the regulatory framework behind administrative fines.

Statutory Caps (Article 83)

GDPR sets two tiers of maximum fines. The lower tier (Article 83(4)) allows fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. The upper tier (Articles 83(5) and 83(6)) allows fines up to €20 million or 4% of turnover, whichever is higher.

What Determines the Tier?

Lower tier violations include failures in technical and organisational measures, data protection by design, record-keeping, and security breach notifications. Upper tier violations include infringements of data processing principles, lawful basis, consent, data subject rights, and international transfers.

Factors Affecting Actual Fines

Article 83(2) lists factors regulators consider: nature, gravity and duration of the infringement; intentional or negligent character; mitigation actions; degree of cooperation; categories of personal data affected; prior infringements; and whether the infringement was notified.

Regulatory Methodology

The EDPB Guidelines 04/2022 provide a harmonised five-step methodology for EU supervisory authorities. The ICO publishes detailed step-based calculation guidance. Both emphasise that fines must be effective, proportionate, and dissuasive.

DPC (Ireland/EU) vs ICO (UK) fine caps after Brexit

Dimension | DPC — Ireland / EU | ICO — UK
Regime | EU GDPR (Regulation 2016/679) | UK GDPR & Data Protection Act 2018
Lower-tier cap | €10m or 2% of worldwide turnover (Art. 83(4)) | £8.7m or 2% of worldwide turnover
Upper-tier cap | €20m or 4% of worldwide turnover (Art. 83(5)–(6)) | £17.5m or 4% of worldwide turnover
Calculation guidance | EDPB Guidelines 04/2022 (five-step method) | ICO Data Protection Fining Guidance
Cross-border lead authority | One-stop-shop; EDPB Art. 65 can raise the fine | ICO acts alone for UK-only breaches

A UK-only breach is ICO territory; a cross-border EU/EEA breach by an Irish-established controller is DPC territory. See the step-by-step estimation guide for how the caps are applied in practice.

Notable GDPR fines to date

Organisation | Fine | Year | Authority | Issue
Meta | €1.2 billion | 2023 | DPC (Ireland) | EU–US data transfers (Chapter V / Schrems II) — the largest GDPR fine to date
Amazon | €746 million | 2021 | CNPD (Luxembourg) | Advertising / consent processing (under appeal)
TikTok | €530 million | 2025 | DPC (Ireland) | EEA–China transfers (€485m) + transparency (€45m); under appeal
Instagram | €405 million | 2022 | DPC (Ireland) | Children's data and default settings
TikTok | €345 million | 2023 | DPC (Ireland) | Children's data processing
WhatsApp | €225 million | 2021 | DPC (Ireland) | Transparency obligations (Articles 12–14)

Several of the largest GDPR fines to date were issued by Ireland's Data Protection Commission as lead supervisory authority for major technology firms. Amounts last verified June 2026; figures under appeal (Amazon; TikTok 2025) may change. Actual fines are set case by case under Article 83(2) — the table shows outcomes, not the statutory caps.

Primary sources for the calculator

The tool is grounded in the statutory caps and published regulator methodology, not private enforcement predictions.

Regulation (EU) 2016/679, GDPR Article 83

EDPB Guidelines 04/2022 on the calculation of administrative fines

ICO Data Protection Fining Guidance

GDPR fine questions answered

Short answers to the queries this calculator is designed to support.

Under GDPR Article 83, the Data Protection Commission (DPC) can impose up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, for upper-tier infringements (Article 83(5)-(6)), and up to EUR 10 million or 2% for lower-tier infringements (Article 83(4)). In the UK, the ICO's equivalent caps are GBP 17.5 million or 4% (upper) and GBP 8.7 million or 2% (lower).

Important Disclaimer

This is an educational estimator only. Supervisory authorities determine fines case-by-case using their discretion. The statutory caps are objective calculations based on GDPR Article 83. The scenario ranges are illustrative estimates informed by published methodologies and do not predict actual regulatory outcomes.

This tool does not constitute legal advice. Turnover data is processed locally in your browser and is not stored or transmitted to any server.
