Record broken: GDPR fines exceed EUR 5 billion for the first time – CMS publishes sixth edition of the Enforcement Tracker Report
Enforcement of Europe-wide data protection legislation has reached a new high point: For the first time, publicly known fines in Europe have exceeded the EUR 5 billion mark. Since the General Data Protection Regulation (GDPR) came into force in May 2018, a total of around EUR 5.65 billion in fines have been imposed as of March 2025 – an increase of EUR 1.17 billion compared to the previous year. This record sum reflects the extent to which European sanctions practice has developed in recent years.
The latest Enforcement Tracker Report from the international commercial law firm CMS reveals clear trends: Most violations relate to inadequate legal bases for data processing (669 cases, Ø EUR 2.9 million) and violations of general data protection principles (644 cases, Ø EUR 3.8 million). Deficiencies in technical and organisational information security measures (418 cases, Ø EUR 2.0 million) also rank high. Violations of data subjects' rights, such as access and transparency obligations, are also increasingly being targeted and now rank fourth among the reasons for sanctions.
Focus on B2C industries, employee data protection and AI
The supervisory authorities are focusing in particular on B2C-related sectors such as media, telecommunications and broadcasting, which has been the most frequently sanctioned sector for the past four years and accounts for around 70 % of all corporate fines. Due to the large players in this sector and the increasing importance of personal data for their business activities, it is highly likely that it will continue to be closely monitored. Employee data protection also remains the second most penalised sector: Fines have risen considerably, most recently with a record fine of EUR 290 million in the Netherlands – a sign that employee data continues to be a sensitive issue for authorities. Investigations often lead to the discovery of further violations that go beyond the scope of the original complaint. The use of new technologies such as artificial intelligence is also becoming increasingly significant: Complex data processing increases the risk of violations, which is why supervisory authorities are taking a closer look at it. The European Data Protection Board (EDPB) has announced that it will be paying particular attention to this area until 2027; non-monetary sanctions such as usage restrictions could also become more substantial in the future, as the example of the temporary ban on AI in Italy shows.
Germany: Processing of employee data under observation
Germany stands out in the European context due to its decentralised supervisory structure with 16 state authorities. The high number of contested fines – many of them contested successfully – is also a characteristic feature. The subject of these fines in Germany is primarily violations of employee data protection. At the same time, collective law enforcement is gaining in importance: With the model declaratory action, the action for an injunction and the new action for redress measures, consumer organisations are increasingly able to bring collective actions against data protection violations to court.
A unique overview of Europe's sanctions landscape
The sixth edition of the report is based on CMS's own online database, the "GDPR Enforcement Tracker" (www.enforcementtracker.com), which currently contains 2,560 fines – the only platform in the EU to date that provides a comprehensive overview of all publicly known GDPR fines. The report itself provides a detailed analysis by sector and country as well as insights into national peculiarities and current case law, for example on the stricter requirements for the right of access of data subjects following recent CJEU judgements.
"In the seven years since the introduction of the GDPR legislation, this strong set of rules has raised awareness of the protection of personal data and kicked off compliance efforts. At the same time, the drastic sanctions of up to EUR 20 million or 4 % of annual global turnover have also created fear and restraint among many companies. We believe in facts over fear. That's why we are continuously updating the list of known fines in the GDPR Enforcement Tracker and have established an annual deep-dive format with the report, which offers deeper insights into the world of sanctions," explains Dr Alexander Schmid from the Enforcement Tracker team at CMS Germany.
You can find the full report here; a summary here.
A brand new feature at www.cms-digitallaws.com is a central overview of all legal texts relating to the General Data Protection Regulation (GDPR) as well as the Digital Markets Act (DMA) and P2B, in English and German and in a search-compatible format. The platform, developed by CMS, is designed to make working in the digital business environment easier for all interested parties.