GDPR Fine Estimator

Estimate the maximum administrative fine a regulator could impose under GDPR Article 83. Enter your group's total worldwide annual turnover and pick the infringement tier. The maximum is the higher of a fixed cap or a percentage of turnover — this tool shows both halves of that test, and the resulting ceiling, for each tier. These are published statutory thresholds (maximum exposure), not a prediction of an actual fine and not legal advice. Figures as of Jun 25, 2026 — sources.

Your organization (calculator default: €10,000,000 turnover, higher tier)

Maximum fine exposure: €20,000,000 for a higher-tier infringement at €10,000,000 turnover.
  Fixed cap:                    €20,000,000
  4% of turnover:               €400,000
  Maximum (higher of the two):  €20,000,000

Both tiers at this turnover

GDPR Article 83 maximum administrative fine, by tier (at €10,000,000 turnover)

Tier                       Fixed cap      % of turnover   % amount     Maximum (higher of)
Lower tier (Art. 83(4))    €10,000,000    2%              €200,000     €10,000,000
Higher tier (Art. 83(5))   €20,000,000    4%              €400,000     €20,000,000

The lower tier applies to obligations such as records of processing, security of processing and breach notification; the higher tier to breaches of the basic principles, consent conditions and data-subject rights. The classification is a legal question — consult counsel.

Formula.
Maximum fine = max( fixed cap , rate × worldwide annual turnover )
Lower tier: cap = €10,000,000, rate = 2%  ·  Higher tier: cap = €20,000,000, rate = 4%
Break-even turnover (where the % overtakes the cap) = cap ÷ rate

How it works

The General Data Protection Regulation backs its obligations with administrative fines set out in Article 83. The article does not give a single number; it gives a ceiling, and that ceiling is defined as the higher of two quantities: a fixed amount in euros, or a percentage of the undertaking's total worldwide annual turnover for the preceding financial year. Two infringement tiers exist. The lower tier, in Article 83(4), is capped at the higher of €10,000,000 or 2% of turnover, and covers more procedural obligations — keeping records of processing activities, implementing appropriate security, notifying breaches, and the duties of processors. The higher tier, in Article 83(5), is capped at the higher of €20,000,000 or 4% of turnover, and covers the things regulators treat most seriously: the basic principles of processing (including lawfulness and the conditions for valid consent), data-subject rights, and unlawful international transfers.

The "higher of" construction is what makes the calculation interesting. For a small company, the fixed cap is almost always the binding number: a micro-business with a few hundred thousand euros of turnover faces a percentage figure far below the cap, so the cap governs. For a large multinational, the percentage governs instead, because 4% of a multi-billion-euro turnover dwarfs €20,000,000. The exact turnover at which the two swap places, the break-even point, is simply the cap divided by the rate. Both tiers happen to break even at the same turnover, €500,000,000: €20,000,000 ÷ 4% for the higher tier and €10,000,000 ÷ 2% for the lower. Below that turnover the maximum is flat at the cap; at exactly €500,000,000 the two halves coincide; above it the ceiling rises in a straight line with revenue.

One more subtlety matters: the turnover figure is group-wide. Article 83 refers to the total worldwide annual turnover of the "undertaking", a concept borrowed from EU competition law (Articles 101 and 102 TFEU), and the Court of Justice of the European Union has confirmed (Deutsche Wohnen, Case C-807/21, judgment of 5 December 2023) that the fine is sized on the turnover of the economic unit as a whole, so a parent's turnover counts when the infringing subsidiary forms part of the same undertaking. That is why the percentage cap can reach into the hundreds of millions for the largest data controllers, even when the actual processing failure happened in one small part of the business.

This tool is informational and is not legal advice. It reproduces the published statutory ceilings so you can understand your maximum exposure and plan for it. It does not — and cannot — predict whether a regulator will act, which tier will apply, or what fine will ultimately be set. Under Article 83(2) supervisory authorities must weigh a long list of factors when deciding whether to fine at all and, if so, how much: the nature, gravity and duration of the infringement and the number of people affected; whether it was intentional or negligent; any action taken to mitigate damage; the degree of responsibility, taking technical and organizational measures into account; any relevant previous infringements; the degree of cooperation with the authority; the categories of personal data involved; and how the authority became aware of the problem. Because those factors dominate the real-world outcome, actual fines are usually far below the maximum modeled here. For any concrete matter, consult qualified data-protection counsel.

A worked example

Suppose a company has €50,000,000 of worldwide annual turnover and faces a higher-tier infringement — say a breach of the basic principles of lawful processing. Walk through the test:

  • Percentage amount = 4% × €50,000,000 = €2,000,000
  • Fixed cap (higher tier) = €20,000,000
  • Maximum fine = the higher of the two = max(€2,000,000, €20,000,000) = €20,000,000

Here the fixed cap wins, because €50M of turnover is still below the €500,000,000 break-even point. Push turnover above that break-even and the percentage takes over: at €1 billion of turnover the higher-tier maximum would be 4% × €1,000,000,000 = €40,000,000, far above the cap. Change the turnover or the tier in the calculator above and both halves of the test update instantly, so you can see exactly where the cap stops binding and the percentage starts. To estimate exposure under the US frameworks instead, see the HIPAA penalty estimator and the CCPA/CPRA exposure calculator; for the operational side of a breach, the data breach cost estimator.
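The test described in the formula section and in this worked example, written out as a small Python module. This is an added illustration, not BreachCostLab's own calculator code. It assumes only the statutory figures stated on this page (the EU caps and rates, and the sterling caps quoted in the FAQ below); the regime and tier labels, the Exposure record, the consolidated-turnover helper and the sample group of companies are this example's own constructions.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from fractions import Fraction

# Statutory caps and rates as stated on this page: EU GDPR Art. 83(4)/(5) in
# euros, UK GDPR in sterling. The "EU"/"UK" and "lower"/"higher" labels and this
# table layout are this example's own, not the page's.
REGIMES = {
    "EU": {"currency": "EUR",
           "lower":  {"cap": Decimal("10000000"), "rate": Fraction(2, 100)},
           "higher": {"cap": Decimal("20000000"), "rate": Fraction(4, 100)}},
    "UK": {"currency": "GBP",
           "lower":  {"cap": Decimal("8700000"),  "rate": Fraction(2, 100)},
           "higher": {"cap": Decimal("17500000"), "rate": Fraction(4, 100)}},
}


@dataclass(frozen=True)
class Exposure:
    tier: str
    currency: str
    cap: Decimal
    percentage_amount: Decimal
    maximum: Decimal
    binding: str  # "cap", "percentage", or "both" when exactly at break-even


def _money(x) -> Decimal:
    """Round to whole cents; Decimal avoids binary-float drift on large sums."""
    return Decimal(x).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def percentage_amount(turnover: Decimal, rate: Fraction) -> Decimal:
    """rate x turnover, computed exactly from the Fraction then rounded to cents."""
    return _money(Decimal(rate.numerator) * turnover / Decimal(rate.denominator))


def exposure(turnover, tier: str, regime: str = "EU") -> Exposure:
    """Apply the Art. 83 'higher of' test for one tier.

    turnover is the undertaking's total worldwide annual turnover for the
    preceding financial year (group-wide), in the regime's currency.
    Accepts int, str, Decimal or float; floats go through str() so that
    e.g. 1e9 is read as exactly 1000000000.
    """
    t = Decimal(str(turnover))
    if t < 0:
        raise ValueError("turnover cannot be negative")
    rules = REGIMES[regime]
    params = rules[tier]  # an unknown regime or tier raises KeyError on purpose
    pct = percentage_amount(t, params["rate"])
    cap = _money(params["cap"])
    maximum = max(cap, pct)
    if pct == cap:
        binding = "both"
    elif pct > cap:
        binding = "percentage"
    else:
        binding = "cap"
    return Exposure(tier, rules["currency"], cap, pct, maximum, binding)


def break_even_turnover(tier: str, regime: str = "EU") -> Decimal:
    """Turnover at which rate x turnover overtakes the fixed cap: cap / rate."""
    params = REGIMES[regime][tier]
    r = params["rate"]
    return _money(params["cap"] * Decimal(r.denominator) / Decimal(r.numerator))


def both_tiers(turnover, regime: str = "EU") -> dict:
    """Both halves of the test for both tiers, as the calculator above shows."""
    return {tier: exposure(turnover, tier, regime) for tier in ("lower", "higher")}


def consolidated_turnover(entities) -> Decimal:
    """Sum turnover over every member of the economic unit.

    Art. 83 sizes the fine on the undertaking's group-wide turnover, not the
    infringing subsidiary's alone. Input shape (this example's own): an
    iterable of (name, turnover) pairs.
    """
    return sum((Decimal(str(t)) for _name, t in entities), Decimal("0"))


if __name__ == "__main__":
    # Constructed sample group: the processing failure sits in the smallest
    # subsidiary, but the ceiling is computed on the whole group's turnover.
    group = [("Parent Holding AG", 900_000_000),
             ("Analytics Subsidiary GmbH", 25_000_000),
             ("Retail Subsidiary SARL", 75_000_000)]
    sub_only = exposure(25_000_000, "higher")
    group_wide = exposure(consolidated_turnover(group), "higher")
    print(f"subsidiary alone: max {sub_only.maximum} EUR ({sub_only.binding} binds)")
    print(f"group-wide:       max {group_wide.maximum} EUR ({group_wide.binding} binds)")
    for tier in ("lower", "higher"):
        print(f"{tier} tier break-even: {break_even_turnover(tier)} EUR")
```

Running the module shows the group-wide point numerically: on the subsidiary's own €25M turnover the cap binds and the ceiling is €20,000,000, while on the consolidated €1bn the percentage binds and the ceiling doubles to €40,000,000. The `binding` field also makes the break-even visible: at exactly €500,000,000 both halves of the test return the same figure for either tier.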

Frequently asked questions

How is the maximum GDPR fine calculated?

Article 83 sets two infringement tiers. The lower tier is capped at the higher of €10,000,000 or 2% of total worldwide annual turnover; the higher tier at the higher of €20,000,000 or 4% of turnover. "Higher of" is the key word: for a large company the percentage governs, for a small one the fixed cap does. This tool computes both and shows the larger.

Does a bigger turnover always mean a bigger fine?

Only up to a point. Below the break-even turnover the fixed cap dominates, so the maximum does not change as turnover rises. Above it, €500,000,000 for both tiers (€20,000,000 ÷ 4% and €10,000,000 ÷ 2% give the same figure), the percentage of turnover takes over and the ceiling scales with the business. This figure is a statutory ceiling, not a forecast.

Will a regulator actually impose the maximum?

Almost never. Article 83(2) requires supervisory authorities to weigh many factors — the nature, gravity and duration of the infringement, whether it was negligent or intentional, mitigating actions, cooperation, and any prior history — so real fines are typically a fraction of the statutory maximum. This estimator shows the published ceiling for planning and risk awareness only. It is informational, not legal advice; a qualified data-protection lawyer should assess any specific situation.

Which turnover figure should I use?

Article 83 refers to total worldwide annual turnover of the preceding financial year — group-wide revenue, not the revenue of a single subsidiary or product line. For a group of undertakings the relevant figure can be the consolidated turnover of the whole group, which is why the percentage cap can be very large for multinationals.

Does this apply to the UK after Brexit?

The UK GDPR mirrors the EU structure but the caps are denominated in pounds: broadly £8.7M / 2% for the lower tier and £17.5M / 4% for the higher tier. The arithmetic here is identical — substitute the sterling caps and your turnover in pounds. Treat both as maximum exposure, not a prediction.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.