Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.
Since the EU's implementation of the General Data Protection Regulation (GDPR) in May 2018, numerous fines have been issued for violations or non-compliance. Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.
A 2019 survey conducted among privacy professionals showed that EU companies were more likely to be compliant with the General Data Protection Regulation (GDPR), while the GDPR did not apply to 25 percent of enterprises based in the United States. Less than ten percent of respondents stated their enterprises were fully compliant in both the EU and the United States.
Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.
As of February 2025, the industry sector seeing the largest fines issued for General Data Protection Regulation (GDPR) violations was media, telecoms and broadcasting. The industry has seen approximately four billion euros in fines, in total, since the enforcement of the law in 2018.
In a November 2023 survey, more than 50 percent of data protection officers (DPOs) and privacy professionals in the European Union (EU) said that a relevant GDPR violation would be found in case of a random check of an average controller. Some 47 percent said they would need clearer decisions by data protection authorities (DPAs) and courts to improve GDPR compliance.
As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.
As of February 2025, Spain has imposed the highest number of GDPR fines. The 923 fines had a total amount of approximately 96 million euros in value. With 397 fines in total, Italy ranked second, followed by Germany, where data privacy authorities imposed a total of 203 fines.
This statistic shows views on whether the General Data Protection Regulation (GDPR) has been a good thing for European consumers. 60 percent of the respondents agreed that GDPR has been a good thing for European consumers. This statistic addresses one of the biggest myths in the European tech ecosystem.
As of February 2025, the industry sector seeing the highest number of fines issued for General Data Protection Regulation (GDPR) violations was industry and commerce. This industry has seen a total of 476 fines since the enforcement of the law in May 2018.
Almost all German companies starting compliance activities required by the General Data Protection Regulation (GDPR) struggled with information duties, i.e. informing individuals how their data is being processed. Likewise, producing the needed documentation required a very high effort in terms of resources for 69 percent of enterprises.
As of February 2025, the highest number of fines issued for General Data Protection Regulation (GDPR) violations in the European Union (EU) was due to insufficient legal basis for data processing. There were 672 fines based on this type of violation. Non-compliance with general data processing principles ranked second, with 629 cases.
A survey from September 2019 showed that one in four German companies was fully compliant with the General Data Protection Regulation (GDPR). Another 42 percent were mostly compliant, while 24 percent of enterprises reported being partially compliant.
As of October 2019, 69 percent of people in the EU-27 had heard about the General Data Protection Regulation (GDPR). Survey respondents from Poland showed the highest rate of awareness as 95 percent stated that they were aware of the GDPR. Only 38 percent of respondents from Estonia claimed the same.
As of January 2025, three organizations had received fines under the EU General Data Protection Regulation (GDPR) for transferring data outside the European Union. The highest penalty, amounting to 1.2 billion euros, was imposed on Meta Platforms Ireland Limited by the Irish data privacy authority, the Data Protection Commission (DPC). The latest privacy complaint was filed on the 16th of January, 2025. In its complaint, the Austrian data privacy non-profit None of Your Business (noyb) addressed the data transfers from the European Union by a few Chinese companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. As of late January 2025, the case was ongoing and the amount of the fine was not available.
As of June 2023, Spain was the European country to issue the largest number of GDPR violation fines - over 650. Italy followed, with the local authorities dispensing approximately 265 fines under the European Union General Data Protection Regulation (GDPR). Applied from May 2018 onward, the GDPR is Europe's data protection law, and it is enforced within all the EU Member States.
Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, the largest fine imposed in Spain was against Google LLC. In May 2022, the company was fined 10 million euros for illegal data processing. The second largest penalty was given to Vodafone España, S.A.U., which was fined 8.15 million euros in March 2021, and received another fine of 3.94 million euros in February 2020, both for various GDPR violations. Caixabank S.A., a Spanish company, received two fines of five million euros each, and an additional fine of three million euros on different occasions.
Ensuring the right to be forgotten was the most difficult obligation for companies having to comply with the General Data Protection Regulation (GDPR) in 2019. Privacy experts from companies based in the EU and United States also considered data portability quite difficult, ranking this obligation with a mean score of 4.6 and 4.9 out of 10 respectively.
Online users who were more aware of the General Data Protection Regulation were more comfortable with data tracking for advertising purposes. A poll conducted among internet users in five European countries revealed that 59 percent of individuals having a deep knowledge of the GDPR had a better understanding of data rights.
In September 2024, TikTok was fined 345 million euros due to violations of the General Data Protection Regulation (GDPR) for reasons of non-compliance with general data processing principles. The highest GDPR penalty was in May 2023, when Meta received a fine of 120 billion euros on the grounds of insufficient legal basis for data processing.