GDPR Fines and Penalties: What SaaS Companies Risk
Understand GDPR fine tiers, how penalties are calculated, notable enforcement cases against tech companies, and what SaaS teams can do to minimize risk. Updated with 2025-2026 enforcement trends.
GRCTrail Team
GDPR fines are not theoretical. Since the regulation took effect in May 2018, European Data Protection Authorities have imposed billions of euros in penalties — with some of the largest fines targeting technology and SaaS companies. The numbers make headlines: €1.2 billion against Meta for international data transfers, €746 million against Amazon for advertising targeting, €405 million against Meta for children’s data on Instagram.
But the enforcement picture extends well beyond headline-grabbing mega-fines. Hundreds of smaller penalties have been issued against companies of all sizes for routine compliance failures: inadequate privacy notices, missing DPAs, late breach notifications, and failure to maintain records of processing activities. These are exactly the failures that affect SaaS companies at every stage of growth.
Understanding the fine framework — what triggers enforcement, how penalties are calculated, and what supervisory authorities actually penalize — helps you prioritize your compliance efforts where they matter most.
The Two-Tier Fine Structure
Tier 1: Up to €10 Million or 2% of Global Annual Turnover
The lower tier applies to infringements related to:
- Controller and processor obligations (Articles 8, 11, 25–39, 42, 43) — this includes failures in:
  - Records of Processing Activities (Article 30)
  - Data protection by design and by default (Article 25)
  - Data Processing Agreements (Article 28)
  - Data breach notification (Articles 33–34)
  - Data Protection Impact Assessments (Article 35)
  - DPO appointment and independence (Articles 37–39)
  - Security of processing (Article 32)
- Certification body obligations (Articles 42–43)
Tier 2: Up to €20 Million or 4% of Global Annual Turnover
The upper tier applies to more fundamental infringements:
- Core processing principles (Articles 5, 6, 9) — Unlawful processing, lack of a valid lawful basis, processing special category data without authorization
- Consent conditions (Article 7) — Invalid consent mechanisms
- Data subject rights (Articles 12–22) — Failing to respond to access requests, right to erasure, data portability
- International data transfers (Articles 44–49) — Transferring data outside the EEA without a valid mechanism
- Non-compliance with supervisory authority orders — Ignoring a DPA’s corrective measures
In both tiers, the maximum fine is whichever is higher: the fixed amount or the turnover percentage. For a company with €500 million in annual revenue, a Tier 2 fine could reach €20 million — and 4% of turnover would be €20 million in this case as well. For a company with €1 billion in revenue, the turnover percentage (€40 million) would exceed the fixed cap.
How Fines Are Calculated
Article 83(2) lists the factors supervisory authorities consider when setting the amount of a fine:
Nature, gravity, and duration. How serious was the infringement? How many people were affected? How much damage occurred? How long did the violation persist before being corrected?
Intent or negligence. Was the violation deliberate (e.g., deliberately ignoring subject access requests) or negligent (e.g., inadequate internal processes)? Intentional violations attract higher fines.
Mitigation actions. What did the organization do to reduce the harm? Prompt action to contain a breach, notify affected individuals, and remediate the cause can reduce the fine.
History of compliance. Is this the organization’s first infringement, or is there a pattern? Repeat offenders face escalating penalties.
Cooperation with the supervisory authority. Organizations that cooperate fully with investigations — providing information promptly, implementing requested changes — fare better than those that resist or obstruct.
Categories of personal data. Violations involving sensitive data (health, financial, children’s data) typically attract higher fines than those involving basic contact information.
How the authority learned of the infringement. Did the organization self-report the issue (e.g., through a breach notification), or did the authority discover it through a complaint or investigation?
Prior compliance measures. What technical and organizational measures were in place before the violation? Organizations that demonstrate a genuine compliance program — documented policies, trained staff, regular audits — receive more favorable treatment than those with no program at all.
Certifications and codes of conduct. Adherence to approved codes of conduct or certification mechanisms (Articles 40 and 42) can be a mitigating factor.
Notable Enforcement Cases Relevant to SaaS
International Data Transfers
Meta — €1.2 Billion (2023). The Irish DPC fined Meta for transferring European users’ data to the United States without adequate safeguards following the Schrems II ruling. This underscored that major tech companies cannot rely on claims of necessity when valid transfer mechanisms are absent. The lesson for SaaS companies: international data transfer compliance is non-negotiable.
Consent and Cookies
Amazon — €746 Million (2021). Luxembourg’s CNPD found that Amazon’s advertising targeting system processed personal data without valid consent. The fine highlighted that consent must be freely given and specific — using personal data for ad targeting without proper opt-in is a fundamental violation.
Google — €150 Million (2022). France’s CNIL fined Google for making it more difficult to reject cookies than to accept them. The “one-click accept, five-click reject” pattern was found to be non-compliant. For SaaS companies: your cookie consent mechanism must be balanced — rejection must be as easy as acceptance.
Security Failures
British Airways — €22 Million (2020). The ICO fined British Airways for a data breach that exposed the personal and financial data of approximately 400,000 customers. The breach resulted from poor security practices — a web skimming attack that went undetected for months. For SaaS companies: technical security is a GDPR obligation (Article 32), not just a best practice.
Data Subject Rights
Clearview AI — €20 Million (Multiple authorities, 2022–2023). Multiple European DPAs fined Clearview AI for scraping facial images from the internet and processing biometric data without consent or any valid lawful basis. While Clearview AI’s business model is far from typical SaaS, the cases reinforced that data subject rights — including the right to object and the right to erasure — must be respected, and that “we don’t have a European presence” is not a defense.
Inadequate Documentation
Deutsche Wohnen — €14.5 Million (2019). The Berlin DPA fined Deutsche Wohnen for retaining tenant data beyond any justified retention period and failing to have a proper data retention policy. The company couldn’t demonstrate that it had mechanisms to delete data when it was no longer needed. This case is directly relevant to any SaaS company that retains data indefinitely without a documented retention schedule.
Breach Notification Failures
Several smaller fines (€10,000–€500,000) have been issued for late or incomplete breach notifications — organizations that discovered breaches but failed to notify their supervisory authority within 72 hours, or notified but omitted required information.
Enforcement Trends: 2025–2026
Several trends are shaping current GDPR enforcement:
Increased focus on AI and automated decision-making. As AI adoption accelerates, DPAs are scrutinizing how organizations use personal data in machine learning models, automated profiling, and algorithmic decision-making. DPIAs for AI features are increasingly expected.
Cross-border enforcement coordination. The EDPB’s dispute resolution mechanism is being used more actively to ensure consistent enforcement across member states. This reduces the ability to “forum shop” by establishing your lead authority in a member state perceived as more lenient.
Small and mid-size company enforcement. While mega-fines against big tech dominate headlines, supervisory authorities are increasingly investigating and fining small and medium enterprises. No company is too small for enforcement if a complaint is filed or an incident occurs.
Data broker and ad-tech scrutiny. Processing personal data for advertising purposes without valid consent remains a primary enforcement target. SaaS companies that use personal data for ad targeting — even indirectly through third-party integrations — should review their practices.
Employee data. DPAs are paying more attention to employee monitoring, excessive surveillance, and HR data processing. SaaS companies should ensure their internal HR data processing is as compliant as their customer-facing processing.
Beyond Fines: Other Consequences
Fines are the most discussed consequence, but enforcement can take other forms:
Corrective orders. A DPA can order you to bring your processing into compliance — which may mean stopping a processing activity entirely, deleting data, or restructuring your data flows. This can be more disruptive to your business than a fine.
Processing bans. In serious cases, a DPA can temporarily or permanently ban specific processing activities. If the banned processing is core to your product, this effectively shuts down that business line in the EU.
Reputational damage. DPA decisions are typically published. A public enforcement action signals to customers, prospects, and partners that your data protection practices are inadequate. In B2B SaaS, where trust is a competitive differentiator, this can be more costly than the fine itself.
Customer contract implications. Enterprise customers increasingly include GDPR compliance clauses in their contracts. A regulatory finding of non-compliance can trigger contract penalties, give customers termination rights, or disqualify you from procurement processes.
Civil litigation. GDPR gives data subjects the right to seek compensation for material and non-material damage resulting from a violation (Article 82). Class-action style litigation is emerging in several EU jurisdictions, creating a separate liability track beyond DPA enforcement.
Minimizing Your Risk
The most effective risk mitigation isn’t about avoiding detection — it’s about building a compliance program that prevents violations and demonstrates accountability:
Document everything. The accountability principle (Article 5(2)) means you need to prove your compliance, not just claim it. Documented policies, recorded decisions, training records, and assessment results are your evidence.
Respond to rights requests promptly. DSAR failures are one of the most common triggers for complaints to supervisory authorities. A well-functioning rights request process prevents complaints before they start.
Maintain your ROPA. A current, accurate Record of Processing Activities is the foundation of demonstrable compliance. It’s also the first document a DPA will request in an investigation.
Handle breaches properly. Prompt, complete breach notification demonstrates good faith and typically reduces fines. Late, incomplete, or missing notifications do the opposite.
Invest in the compliance program. Organizations that can demonstrate a genuine, well-resourced compliance program — not just paperwork, but real processes, training, and oversight — receive significantly more favorable treatment in enforcement proceedings.
How GRCTrail Reduces Your Enforcement Risk
GRCTrail provides the compliance infrastructure that supervisory authorities look for:
Audit-ready documentation. Your ROPA, DPAs, DPIAs, and policy documents are maintained in a structured, timestamped, and exportable format. When a DPA asks for evidence, you have it.
Evidence trail. Every compliance action — reviews, approvals, training completions, assessment results — is logged with timestamps. Demonstrate that your compliance program is active, not just documented.
Connected compliance. Your policies, processes, and documentation work together as a system. Changes to one area flag updates needed in related areas, preventing the inconsistencies that trigger enforcement attention.