GDPR Fines and Data Breach Survey 2025
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018, imposing strict requirements on organizations that handle personal data within the European Union (EU) and beyond. The DLA Piper GDPR Fines and Data Breach Survey 2025 provides valuable insights into the enforcement landscape of the GDPR over the past year. This blog post will summarize key findings from the survey, highlighting trends in fines, data breach notifications, and regulatory actions across various sectors.
Overview of GDPR Fines
The survey reveals a total of EUR 1.2 billion (USD 1.26 billion/GBP 996 million) in GDPR fines imposed across the surveyed countries from January 28, 2024, to January 27, 2025. This marks a 33% decrease from the previous year’s figure of EUR 1.78 billion (USD 1.87 billion/GBP 1.48 billion). The decline is attributed to several factors, including a lack of record-breaking fines like the EUR 1.2 billion fine against Meta Platforms Ireland Limited in 2023.
Leading Countries in GDPR Fines
Ireland continues to dominate the landscape of GDPR enforcement, with the Irish Data Protection Commission (DPC) issuing a total of EUR 3.5 billion (USD 3.7 billion/GBP 2.91 billion) in fines since the regulation’s implementation. Notable fines include:
- EUR 310 million (USD 326 million/GBP 257 million) against LinkedIn in October 2024.
- EUR 251 million (USD 264 million/GBP 208 million) against Meta in December 2024.
Luxembourg follows with EUR 746.38 million (USD 784 million/GBP 619 million), primarily due to a large fine imposed on a US online retailer and e-commerce platform.
Sectoral Trends in Enforcement
While big tech companies remain primary targets for GDPR enforcement, there has been a growing trend of fines issued against organizations in various sectors, including finance, energy, and healthcare. The survey indicates that supervisory authorities are increasingly confident in their enforcement capabilities, leading to significant penalties across different industries.
Financial Services Sector
In Spain, the Spanish Data Protection Authority (AEPD) issued fines totaling EUR 6.2 million (USD 6.5 million/GBP 5.1 million) against a large bank for multiple breaches, including inadequate security measures. Similarly, Poland’s Personal Data Protection Office (PUODO) fined several international banks for failing to notify customers of data breaches.
Energy Sector
In Italy, the Italian Data Protection Authority (Italian Garante) imposed a fine of EUR 5 million (USD 5.25 million/GBP 4.15 million) on a utility provider for using outdated and inaccurate customer data. This emphasizes the growing scrutiny of organizations outside the tech sector regarding their data protection practices.
Personal Liability for Management
A notable trend emerging from the survey is the potential for personal liability among company directors and management bodies for GDPR violations. The Dutch Data Protection Authority announced an investigation into whether it could hold the directors of Clearview AI personally liable for GDPR breaches, signaling a shift towards greater accountability at the management level.
Data Breach Notifications
The number of data breach notifications remains significant, with an average of 363 notifications per day reported from January 28, 2024, to January 27, 2025. This reflects a slight increase from 335 notifications per day during the previous year. The Netherlands, Germany, and Poland continue to lead in breach notifications, indicating that organizations are taking greater care to report incidents, given the potential for investigations and penalties if they do not.
Breakdown of Breach Notifications
- Netherlands: 33,471 notifications
- Germany: 27,829 notifications
- Poland: 14,286 notifications
The continued high volume of breach notifications suggests that organizations are increasingly aware of their obligations under GDPR and are more willing to report incidents.
Regulatory Trends and Future Predictions
Looking ahead, several regulatory trends are expected to shape the GDPR landscape in the coming year:
Increased Focus on AI Regulation
With the rapid adoption of AI technologies, European regulators are intensifying scrutiny on how personal data is used in AI systems. The Irish DPC’s engagement with X regarding its AI chatbot tool Grok highlights the need for compliance with GDPR when utilizing personal data for AI training.
Consent or Pay Models
The “consent or pay” model has sparked significant debate among regulators and privacy activists. The European Data Protection Board (EDPB) has indicated that such models may not align with GDPR requirements for valid consent in most cases. This raises questions about how large online platforms will monetize services while complying with strict data protection laws.
Personal Liability as a Compliance Driver
The potential for personal liability will likely drive better compliance among organizations as regulators signal intent to hold individuals accountable for GDPR violations. The Dutch DPA’s investigation into Clearview AI’s management underscores this trend.
Continued Emphasis on Lawfulness, Fairness, and Transparency
Regulatory authorities will maintain their focus on the principles of lawfulness, fairness, and transparency in data processing. Failures to comply with these principles have been consistently identified as a top enforcement priority for regulators.
Conclusion
The DLA Piper GDPR Fines and Data Breach Survey 2025 paints a complex picture of the current state of data protection enforcement in Europe. While there has been a decrease in overall fines compared to previous years, regulatory scrutiny remains high across various sectors. Organizations must stay vigilant in their compliance efforts as regulators continue to adapt to emerging technologies and new challenges in data protection.
As we move forward into an era where AI and data privacy intersect more than ever, businesses must prioritize governance and accountability at all levels to navigate the evolving landscape of GDPR compliance successfully.