EDPB: 2025 GDPR fines overview — €1.15 billion in penalties
EDPB 2025 Annual Report
On April 9, 2026, the European Data Protection Board (EDPB) published its annual report for 2025. Total fines issued by national Data Protection Authorities (DPAs) across the EU reached €1.15 billion — a significant increase over previous years.
Since GDPR came into force in 2018, over 6,680 fines have been issued totaling approximately €4.2 billion.
Which DPAs fined the most
By fine volume
| Country | DPA | Fine volume | Count |
|---|---|---|---|
| Ireland | DPC | ~€530,000,000 | Low |
| France | CNIL | €486,854,500 | 84 |
| Germany | Multiple DPAs | €48,117,083 | 499 |
| Spain | AEPD | €45,203,465 | 324 |
| Slovakia | ÚOOÚ SR | €468,953 | 542 |
What the numbers reveal
Ireland — A single fine dominates the entire year. The DPC fined TikTok €530 million for illegal personal data transfers to China. This single penalty accounts for nearly half of all European GDPR fines in 2025.
France — CNIL remains one of Europe's most active DPAs. 84 fines in a year demonstrates a systematic approach to enforcement — from small businesses to tech giants.
Germany — Second-highest number of fines after Slovakia (499), but the average is low (~€96,000 per fine). Germany's decentralized model with 16 state DPAs produces high volume but smaller individual sanctions.
Spain — AEPD is consistently active with 324 fines covering a broad range of violations, including unsolicited commercial communications.
Slovakia — Surprising leader in fine count (542), but total volume is just ~€469,000. The average fine is ~€865 — predominantly minor administrative violations.
Who fines the least
Smaller member states — including Czechia — issue significantly fewer fines both in number and total volume. The Czech ÚOOÚ has historically focused on guidance and recommendations rather than large sanctions, though enforcement activity is increasing.
Largest individual fines of 2025
- TikTok — €530,000,000 (Ireland, DPC) — Illegal personal data transfers to China in breach of GDPR Chapter V.
- SHEIN — €150,000,000 (France, CNIL) — Setting cookies without valid consent.
- Google — €150,000,000 (France, CNIL) — Dark patterns in cookie banner, manipulative design.
Enforcement trends
1. Cross-border cases dominate
The EDPB issued 572 final decisions under the One-Stop-Shop mechanism and handled 414 cross-border cases. Large tech companies are increasingly subject to coordinated multi-DPA enforcement.
2. Cookies and consent are a priority
A significant share of fines relates to invalid consent, cookies set before consent, and manipulative cookie banner design. CNIL, the Danish DPA, and others have explicitly flagged cookie compliance as an enforcement priority.
3. Automated detection is coming
The EDPB plans to deploy automated tools for scanning millions of websites to detect dark patterns in cookie banners. Manual audits will be supplemented by machine scanning — the volume of detected violations will increase dramatically.
4. Coordinated Enforcement Framework (CEF)
The EDPB's 2025 coordinated enforcement action focused on the right to erasure (Art. 17 GDPR). 32 DPAs participated and contacted 764 data controllers across Europe.
What this means for businesses
Even in countries with historically lower enforcement, the risk is growing:
- Cross-border reach — if you collect data from users in other member states, you fall under their DPA's jurisdiction.
- Automated scanning — once the EDPB deploys automated tools, geographic distance stops being a shield.
- Enforcement is intensifying everywhere — national DPAs are increasing cookie banner audits and consent compliance checks.
How to protect yourself
Proper consent management is the first line of defense against GDPR fines:
- Valid consent — symmetric buttons, no pre-checked boxes, one click to reject.
- Cookie blocking before consent — no trackers active without consent.
- Audit-ready records — transparent consent logs for regulatory inspections.
- Regular monitoring — automated website scanning for cookies appearing before consent.
Waulter CMP meets all of these requirements by default — from day one.
Sources: EDPB Annual Report 2025 (published April 9, 2026), GDPR Enforcement Tracker (CMS), DLA Piper GDPR Fines Survey 2025