GDPR Fines and Data Breach Survey 2025
The eighth annual DLA Piper GDPR Fines and Data Breach Survey for 2025 highlights a steady enforcement landscape across Europe, with supervisory authorities issuing fines totaling approximately €1.2 billion. This amount closely mirrors the fines imposed in 2024, signaling continued vigilance by regulators despite no year-on-year increase in aggregate fines. Since the GDPR came into force on May 25, 2018, total fines across surveyed jurisdictions have reached €7.1 billion, with Ireland leading enforcement efforts by a significant margin. The Irish Data Protection Commission (DPC) alone has imposed fines amounting to over €4 billion, including the highest fine of 2025: €530 million against a social media company for breaching international data transfer rules.
A notable trend in 2025 was a 22% increase in daily personal data breach notifications, reaching an average of 443 per day, the first time since GDPR’s introduction that daily notifications exceeded 400. This surge follows a plateau in previous years and is likely driven by geopolitical tensions, increased cyberattacks, new technologies exploited by threat actors, and evolving legal requirements including incident notification rules under frameworks like NIS2 and DORA. Supervisory authorities are now considering raising the threshold for notifying breaches to focus on those posing high risks to individuals, aiming to manage the rising volume of notifications more effectively.
Security of personal data remains a top enforcement priority. Several significant fines in 2025 resulted from breaches of the GDPR’s integrity and confidentiality principle (Article 5(1)(f)) and security obligations (Article 32). For example, the UK Information Commissioner’s Office (ICO) fined Capita €16 million for inadequate technical and organizational measures that led to a large data breach affecting millions. Similarly, Germany’s Federal Commissioner imposed fines totaling €45 million on a telecommunications company for security failures and insufficient oversight of data processors. These cases underscore the increasing regulatory focus on supply chain security, with processors now directly liable for breaches.
Beyond regulatory fines, the risk of GDPR compensation claims is growing, especially for non-material damages such as distress or anxiety caused by data breaches. European courts, including the Court of Justice of the European Union and national courts in Ireland and the UK, have clarified that claimants can pursue damages for emotional distress, though awards are expected to be modest unless supported by evidence of significant harm. This evolving legal landscape suggests organizations must not only manage compliance risks but also prepare for potential follow-on litigation resulting from data breaches.