Biggest GDPR Fines in 2025-2026: What Small Businesses Can Learn
GDPR enforcement is not slowing down. Data protection authorities across Europe issued record fines in 2025 and continued that trend into 2026. The total penalties since GDPR took effect in 2018 now exceed 5 billion euros.
But here is what most people get wrong about GDPR fines: they think enforcement only targets big tech companies. That is not true. While the headline-grabbing fines involve names like Meta and TikTok, regulators have also penalized small businesses, medical practices, local retailers, and individual website operators.
This article covers the most significant GDPR fines of recent years, with a focus on 2025 and early 2026, starting with the two big-tech decisions that still set the benchmark. More importantly, it explains what each business did wrong and how you can avoid making the same mistakes.
The Headline Fines: Big Tech Under the Microscope
Meta - 1.2 Billion Euro Fine (May 2023)
In May 2023 the Irish Data Protection Commission fined Meta 1.2 billion euros, still the largest GDPR fine on record, for transferring European Facebook user data to the United States without adequate safeguards. The decision built on earlier enforcement actions and specifically addressed Meta's continued reliance on standard contractual clauses, which the DPC found did not address the risks the Court of Justice had identified in the Schrems II ruling.
What went wrong: Meta kept running transatlantic data transfers on a legal mechanism whose limits European courts had already spelled out. Despite years of regulatory warnings, the company did not implement supplementary measures sufficient to protect EU user data from US government surveillance programs.
The lesson for small businesses: If you use US-based services - and you almost certainly do - you need to know how your data crosses borders. Check whether your hosting provider, email service, analytics tool, and CRM offer EU data processing, are self-certified under the EU-US Data Privacy Framework (the Framework only covers US companies that have certified, so look each one up on the official DPF list), or have signed standard contractual clauses with you and documented a transfer impact assessment.
TikTok - 345 Million Euro Fine (September 2023)
In September 2023 the Irish DPC fined TikTok 345 million euros for mishandling children's data and failing to provide transparent privacy information. The investigation found that TikTok's default settings set children's accounts to public visibility and that its privacy notices were written in language minors could not reasonably understand. (The DPC's separate 530 million euro TikTok fine of May 2025 concerned transfers of European user data to China and the transparency of those transfers, not children's data.)
What went wrong: TikTok's privacy-by-default settings were not configured to protect its most vulnerable users, and the platform relied on dense legal language in its privacy notices instead of clear, age-appropriate explanations.
The lesson for small businesses: If your website or service could be used by anyone under 18, your privacy settings and notices need to account for that. Use clear language. Set defaults to the most private option. If you rely on consent to process a child's data for an online service, Article 8 GDPR requires parental consent below the age of 16, and member states may lower that threshold to as low as 13, so check the age that applies in each country you serve.
Amazon Italy - 35 Million Euro Fine (January 2026)
Italy's Garante fined Amazon for aggressive cookie consent practices on its Italian marketplace. The regulator found that Amazon made it significantly harder to reject cookies than to accept them, using dark patterns in the consent interface.
What went wrong: Amazon's cookie banner used a prominent "Accept All" button but required users to navigate through multiple screens and toggle individual categories to reject non-essential cookies. The regulator ruled this violated the GDPR's requirement that consent be freely given.
The lesson for small businesses: Your cookie banner needs a clear "Reject All" or "Decline" option that is just as visible and easy to use as the "Accept All" button. Dark patterns in consent interfaces are a known enforcement priority.
The Fines That Should Worry Small Businesses
The big tech fines make the news. But the following cases are more relevant to the average website owner because they involve businesses closer to your size.
German Medical Practice - 150,000 Euro Fine (March 2025)
A medical practice in Hamburg was fined for sending patient appointment reminders by ordinary, unencrypted email. The practice used a standard email provider without enforced transport encryption, and the emails contained patient names, appointment dates, and the type of medical consultation.
What went wrong: Health data is a "special category" under Article 9 GDPR and requires extra protection. The practice did not use an encrypted channel for sensitive patient information.
The lesson: If you handle any sensitive personal data - health records, financial details, legal matters - make sure your communication channels are secured to match. Ordinary email may not be enough: TLS between mail servers is negotiated opportunistically, can fall back to plaintext, and only protects the message in transit, not in the mailboxes at either end. Look into end-to-end encrypted email or a secure patient/client portal, and keep the content of any plain email notification to the minimum (that an appointment exists, not what it is for).
Spanish E-Commerce Store - 75,000 Euro Fine (June 2025)
Spain's AEPD fined an online clothing retailer for failing to respond to a customer's data deletion request. The customer submitted a clear written request to have their account and purchase history deleted. The company did not respond within the one-month deadline. When the customer followed up, the company still took no action.
What went wrong: The business had no process for handling data subject requests. The customer's email went to a general inbox and was treated as a regular customer service inquiry rather than a legal obligation with a clock on it.
The lesson: You need a documented process for handling data access, deletion, and correction requests. Designate someone to monitor these requests and set up a system to track deadlines. Under Article 12(3) GDPR you have one month from receipt to respond; for complex or numerous requests that can be extended by two further months, but only if you tell the requester, with reasons, within the first month. Ignoring or delaying these requests is one of the easiest ways to trigger a complaint.
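A minimal tracker for the deadline arithmetic described above, written for this article as an added example (it is not the retailer's system and not Scanibly code). It assumes "received" is the day the request reached any of your inboxes, not the day someone noticed it, and it implements the one-month period of Article 12(3) GDPR with its two-month extension, clamping to the last day of shorter months (a request received on 31 January is due by 28 February). The request ids and dates at the bottom are constructed sample data.

```python
"""Deadline tracking for data subject requests (added example, not the retailer's system).

Article 12(3) GDPR: act without undue delay and within one month of receipt; the
period may be extended by two further months for complex or numerous requests,
but the requester must be told about the extension, and why, within the first
month. "Received" is assumed to mean the day the request reached any channel.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps to the last day of a shorter target month
    (31 January + 1 month = 28 February, or 29 in a leap year)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DataSubjectRequest:
    request_id: str
    kind: str                      # "access", "erasure", "rectification", ...
    received: date
    extended: bool = False         # two-month extension notified in time
    completed: Optional[date] = None

    @property
    def deadline(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, notified_on: date) -> None:
        """Record the extension; it only counts if the requester was told within month one."""
        if notified_on > add_months(self.received, 1):
            raise ValueError(f"{self.request_id}: extension notice sent after the first month")
        self.extended = True

    def status(self, today: date) -> str:
        if self.completed is not None:
            return "closed late" if self.completed > self.deadline else "closed"
        if today > self.deadline:
            return "overdue"
        if (self.deadline - today).days <= 7:
            return "due soon"
        return "open"


def triage(requests: List[DataSubjectRequest], today: date) -> Dict[str, List[str]]:
    """Group request ids by status, earliest deadline first, for whoever watches the inbox."""
    buckets: Dict[str, List[str]] = {}
    for r in sorted(requests, key=lambda r: r.deadline):
        buckets.setdefault(r.status(today), []).append(r.request_id)
    return buckets


if __name__ == "__main__":
    # Constructed sample queue as of 4 July 2025.
    today = date(2025, 7, 4)
    queue = [
        DataSubjectRequest("DSR-101", "erasure", date(2025, 6, 3)),   # due 3 July: overdue
        DataSubjectRequest("DSR-102", "access", date(2025, 6, 10)),   # due 10 July: due soon
        DataSubjectRequest("DSR-103", "access", date(2025, 5, 31)),   # due 30 June, then extended
    ]
    queue[2].extend(notified_on=date(2025, 6, 20))                    # now due 31 August
    for status, ids in triage(queue, today).items():
        print(status, ids)
```

The one piece of logic worth copying into whatever tool you actually use is the clamping in add_months: naive "add 30 days" or "same day next month" arithmetic silently gives you a deadline that is either wrong or does not exist.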
French Marketing Agency - 125,000 Euro Fine (August 2025)
France's CNIL fined a digital marketing agency for sending promotional emails without valid consent. The agency had purchased email lists from a data broker and sent marketing campaigns to individuals who had never interacted with the agency or its clients.
What went wrong: Purchased email lists are a GDPR minefield. The individuals on the list had not given consent to receive marketing from this specific agency. The "consent" given to the data broker - if it existed at all - did not extend to unnamed third parties.
The lesson: Do not buy email lists. Build your own list through legitimate opt-in methods. When someone subscribes to your newsletter, record when they consented, how (which form or checkbox), and the exact wording they agreed to. If you cannot prove someone opted in, do not email them.
Polish Restaurant Chain - 20,000 PLN Fine (November 2025)
Poland's UODO fined a restaurant chain for continuing to process loyalty program data after customers requested deletion. The restaurants continued sending promotional texts to customers who had asked to be removed from the program.
What went wrong: The deletion requests were processed in the main database but not in the marketing automation system, which operated on a separate copy of the customer list.
The lesson: When someone requests data deletion, you need to delete their data from every system - not just the primary database. Check your email marketing tool, CRM, SMS gateway, analytics platforms, and any exported copies or spreadsheets. Backups are the usual sticking point: if you cannot delete from them, document how long they are retained and make sure a restore does not silently put deleted contacts back onto the marketing list.
Austrian Website Operator - 5,000 Euro Fine (February 2026)
Austria's DSB fined an individual website owner for loading Google Fonts from Google's servers without consent. On every page load the visitor's browser requested the font files directly from Google, sending Google the visitor's IP address, without anyone being asked for permission.
What went wrong: The website used the standard Google Fonts embed code, which makes the visitor's browser fetch the stylesheet and font files from Google's servers and so transmits the visitor's IP address (and typically the referring page and browser details) to Google. Under GDPR an IP address is personal data, as the Court of Justice confirmed in its Breyer judgment, and sending it to a third party requires either consent or a legitimate interest that outweighs the visitor's privacy rights. The regulator ruled that the convenience of using externally hosted fonts does not meet that bar.
The lesson: This case sent waves through the web development community. If your website loads any resources from external servers - fonts, scripts, images, embeds, CDNs - each of those requests transmits the visitor's IP address to the external server, and preconnect or dns-prefetch hints and CSS @import rules trigger the same contact. Self-host what you can. For what you cannot, obtain consent before the request is made, not after.
Find out if your website has the same violations by running a free scan. Scanibly checks for externally loaded resources, cookie issues, and other common GDPR problems.
Belgian Pharmacy - 10,000 Euro Fine (December 2025)
Belgium's APD fined a pharmacy for having a CCTV system that recorded more than what was necessary for security purposes. The cameras captured the street outside the pharmacy and a neighboring business entrance.
What went wrong: While not a website issue, this case illustrates a core GDPR principle: data minimization. You should only collect the data you need for a specific, stated purpose. Collecting more than necessary, even unintentionally, is a violation.
The lesson for websites: Apply data minimization to your online data collection. Do not ask for information you do not need. If your contact form asks for a mailing address but you will only reply by email, remove the address field. Every piece of data you collect is a piece of data you must protect and account for.
Patterns in GDPR Enforcement: What Regulators Are Targeting
Looking across the 2025-2026 enforcement actions, several patterns are clear.
Cookie consent remains a top priority
Regulators across Europe continue to audit websites for proper cookie consent. The violations they target most often are: banners with no "Reject All" option, cookies that load before consent, and consent mechanisms that use dark patterns to push visitors toward accepting.
Data subject requests are being tested
Regulators and privacy advocacy groups are systematically submitting data access and deletion requests to businesses to test compliance. If you ignore or mishandle these requests, expect a complaint to be filed with your local data protection authority.
Cross-border data transfers are under heavy scrutiny
The EU-US Data Privacy Framework helped some businesses, but regulators are still examining whether individual companies have adequate safeguards in place. This is particularly relevant if you use US-based cloud services, analytics, or marketing tools.
Small businesses are not exempt from enforcement
While fines for small businesses are proportionally smaller, they are not zero. A 5,000 to 150,000 euro fine can be devastating for a small business. Regulators have stated publicly that they intend to enforce GDPR across all sizes of organizations.
How to Protect Your Business from GDPR Fines
Based on the enforcement patterns above, here are the most important steps you can take.
Audit your cookie consent. Make sure non-essential cookies and third-party tags do not load until consent is given. Provide a clear "Reject All" option. Test this regularly, because plugin updates can break your consent mechanism: open the site in a fresh private window, do not click the banner, and check in the browser's developer tools which cookies were set and which third-party hosts were contacted.
Create a data subject request process. Designate an email address or form for privacy requests. Document your response procedure. Set calendar reminders for the one-month deadline, counted from the day the request arrived. Even a simple spreadsheet tracking incoming requests and their status is better than nothing.
Review your third-party services. List every service that receives personal data from your website. Check that each one has signed a data processing agreement meeting Article 28 GDPR with you, and verify where it processes the data and under which transfer mechanism.
Minimize data collection. Remove form fields you do not need. Shorten data retention periods. Delete old customer records you no longer have a legal reason to keep.
Self-host external resources where possible. Fonts, scripts, and other assets loaded from third-party CDNs transmit visitor data to those servers. Hosting them on your own server eliminates this issue.
Document everything. Regulators expect you to demonstrate compliance, not just claim it. Keep records of your consent mechanisms, data processing activities, retention policies, and security measures.
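The checks behind "audit your cookie consent" and "self-host external resources", and the Google Fonts case above, come down to one question: what leaves the visitor's browser before they have clicked anything? The following is an added example, not Scanibly's scanner and not code from this article. It runs offline over a constructed HTML page and a constructed list of Set-Cookie headers; to audit a live site you would fetch the page in a fresh session with no consent cookie and pass the response body and headers in. The sample page, the list of hosts you operate, and the allowlist of essential cookie names are assumptions made for the example.

```python
"""Pre-consent page audit: third-party hosts contacted and cookies set on first load.
Added example for this article; not Scanibly's scanner. Runs offline on the
constructed sample page and headers at the bottom of the file."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser request a URL on load (common cases,
# not exhaustive). <link> fetches only for the rel values listed below.
LOADING_ATTRS = {"script": ("src",), "link": ("href",), "img": ("src", "srcset"),
                 "source": ("src", "srcset"), "iframe": ("src",), "video": ("src", "poster")}
FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "prefetch",
                      "preconnect", "dns-prefetch", "icon"}
# url(...) and @import "..." inside <style>: how @font-face pulls font files.
CSS_URL = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s]+)""")


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every URL the page would request while loading."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag not in LOADING_ATTRS:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return          # rel="canonical" etc. is metadata, not a fetch
        for name in LOADING_ATTRS[tag]:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":    # "url1 1x, url2 2x": the URL is each candidate's first token
                self.urls += [(tag, c.split()[0]) for c in value.split(",") if c.split()]
            else:
                self.urls.append((tag, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls += [("style", u) for u in CSS_URL.findall(data)]


def external_origins(html, page_url, first_party=None):
    """Map each third-party host to the (tag, url) pairs that contact it.
    first_party: hostnames you operate (your own CDN subdomain included); the
    page's own host is always included. Relative, data: and blob: URLs have no
    host and never leave your origin, so they are skipped."""
    own = set(first_party or ()) | {urlparse(page_url).hostname}
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for tag, url in collector.urls:
        host = urlparse(url).hostname
        if host and host not in own:
            found.setdefault(host, []).append((tag, url))
    return found


def cookies_set_before_consent(set_cookie_headers, essential):
    """Names of cookies set on a first visit that are not on the essential allowlist."""
    names = [h.split("=", 1)[0].strip() for h in set_cookie_headers if "=" in h]
    return [n for n in names if n and n not in essential]


# Constructed sample: a fictional shop page (not a real site) and its first response.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example-shop.eu/">
<style>@font-face{font-family:Inter;src:url(https://fonts.gstatic.com/s/inter/v1/x.woff2)}</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="https://cdn.example-shop.eu/hero.jpg" srcset="https://cdn.example-shop.eu/hero@2x.jpg 2x" alt="">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""
SAMPLE_SET_COOKIE = ["session_id=3f9c1; Path=/; Secure; HttpOnly; SameSite=Lax",
                     "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000"]
ESSENTIAL_COOKIES = {"session_id", "cookie_consent"}
OWN_HOSTS = {"www.example-shop.eu", "cdn.example-shop.eu"}

if __name__ == "__main__":
    for host, uses in external_origins(SAMPLE_HTML, "https://www.example-shop.eu/", OWN_HOSTS).items():
        print(host, "<-", "; ".join(f"{t}: {u}" for t, u in uses))
    print("non-essential cookies before consent:",
          cookies_set_before_consent(SAMPLE_SET_COOKIE, ESSENTIAL_COOKIES))
```

On the sample page the audit reports four third-party hosts (two Google font hosts, the tag manager, and YouTube) and one non-essential cookie set before any consent. A static scan of the HTML is a floor, not a ceiling: scripts loaded after consent can fetch further resources at runtime, so pair this with the private-window check in your browser's developer tools.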
For a step-by-step walkthrough, our GDPR compliance checklist covers every major requirement. And if you need help choosing the right tools, our GDPR compliance software guide compares the options.
What Happens When a Regulator Contacts You
If a data protection authority opens an investigation into your business, the process typically follows these stages:
- Initial inquiry. You receive a letter or email asking for information about your data processing activities. This is your chance to demonstrate compliance.
- Investigation. The regulator reviews your response, may visit your premises, and may audit your systems.
- Preliminary findings. If violations are found, you receive a draft decision with the proposed penalty.
- Right to respond. You can submit arguments and evidence before the final decision.
- Final decision. The regulator issues its ruling, which may include a fine, a requirement to change practices, or both.
Cooperation matters. Article 83(2) GDPR lists cooperation with the authority and the steps taken to mitigate harm among the factors that set the amount of a fine, and regulators consistently reduce penalties for businesses that respond promptly, take corrective action, and demonstrate good faith efforts to comply.
The Cost of Non-Compliance vs. the Cost of Compliance
Here is the math that matters. A basic GDPR compliance program for a small business - a cookie consent plugin, a proper privacy policy, a data request process, and regular scanning - might cost a few hundred dollars per year. A GDPR fine starts at a few thousand euros and can reach into the hundreds of thousands.
Beyond fines, non-compliance creates other costs: reputational damage, lost customer trust, legal fees, and the operational disruption of responding to a regulatory investigation.
Compliance is cheaper than the alternative. It is not even close.
Get your free compliance score and find out where your website stands today. It takes less than a minute, and it shows you exactly what needs attention before a regulator finds it first.