Last year, some hefty fines were issued, often to repeat offenders. We review the largest penalties dished out in 2025 so far and the breaches behind them.
With the first quarter of the year behind us, there is sufficient information to state that it has been a relatively quiet year on the fines front. That being said, penalties have already broken the million-euro mark. The biggest breach of the year has its roots in insufficient technical and organisational measures to ensure information security. We investigate the breaches that resulted in the fines so that your company can avoid similar penalties.
Top GDPR fines in 2025
We continuously track the largest data protection fines throughout the year and have highlighted the biggest GDPR fines of all time.
The biggest 2025 GDPR fines in detail
1. Orange Espagne - €1.2m fine
GDPR breaches - Art. 6, Art. 25
Spain’s data protection authority (AEPD) has fined Orange Espagne €1.2 million for unlawful data processing related to a SIM-swapping fraud. A franchise employee fraudulently issued a duplicate SIM card without the customer's consent, enabling attackers to steal €9k from the victim's accounts.
The AEPD found Orange in violation of Articles 6 and 25 of the GDPR, citing inadequate identity verification processes. Despite Orange claiming it was individual misconduct, the regulator held the company accountable for failing to implement sufficient safeguards. The fine and required remedial actions were upheld following Orange's appeal.
2. Caja Rural de Jaén - €400k fine
GDPR breach - Art. 5(1)(f)
The AEPD has fined Caja Rural de Jaén, Barcelona y Madrid €500,000 following a cyberattack that exposed sensitive customer data due to insufficient security measures. The breach was found to violate Article 5(1)(f) of the GDPR.
The bank attempted to shift blame to its IT provider, but the AEPD maintained that the bank held ultimate responsibility for data protection. Although the bank appealed, the authority upheld the decision. After the bank agreed to pay without admitting fault, the fine was reduced to €400,000.
Written by: Emmeline de Chazal
