Breach of GDPR: Penalties, Examples, and Prevention
Learn what a breach of GDPR means, the penalties involved, real enforcement examples, and how to prevent violations at your business.
A breach of GDPR occurs when any organization fails to comply with the requirements set out in the General Data Protection Regulation. Whether it involves mishandling personal data, ignoring data subject rights, or suffering a security incident that exposes user information, the consequences can be severe.
This guide explains what constitutes a breach of GDPR, the penalty structure, real enforcement actions, and the practical steps you can take to stay compliant. This content is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is a Breach of GDPR?
A breach of GDPR is any violation of the regulation's requirements. The term covers two distinct but related concepts that are often confused.
Compliance breach refers to any failure to meet GDPR obligations. Examples include processing personal data without a valid legal basis, failing to appoint a Data Protection Officer when required, or not maintaining records of processing activities. These do not necessarily involve a security incident.
Personal data breach is defined in Article 4(12) of the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." This is a subset of compliance breaches and triggers specific notification obligations.
Both types can result in regulatory action, but personal data breaches carry additional urgency because of the 72-hour notification window under Article 33.
Common Types of GDPR Breaches
Organizations violate the GDPR in a variety of ways. Understanding the most frequent breach categories helps you identify risks before they escalate.
Unlawful Processing
Processing personal data without a valid legal basis under Article 6 is one of the most common violations. This includes collecting data without consent where consent is the chosen basis, or relying on legitimate interest without conducting and documenting a balancing test.
Inadequate Security Measures
Article 32 requires controllers and processors to implement appropriate technical and organizational measures. Breaches in this area include:
- Unencrypted databases containing personal data
- Lack of access controls or role-based permissions
- Failure to patch known vulnerabilities
- Missing logging and monitoring for unauthorized access
Failure to Honor Data Subject Rights
Articles 15 through 22 grant individuals specific rights, including access, rectification, erasure, and data portability. Ignoring or unreasonably delaying responses to these requests is a breach. Controllers must respond within one month under Article 12(3), with a possible two-month extension for complex requests.
Insufficient Privacy Notices
Article 13 and Article 14 require transparent information about data processing. A privacy policy that omits the legal basis for processing, categories of recipients, or data retention periods is non-compliant. Using a privacy policy generator can help you cover the required disclosures systematically.
International Data Transfers
Chapter V of the GDPR restricts transfers of personal data to countries outside the EEA that lack an adequacy decision. Organizations that transfer data without Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism are in breach.
GDPR Breach Penalties and Fine Structure
The GDPR introduced a penalty framework designed to make non-compliance financially meaningful. Fines are split into two tiers based on the severity of the violation.
Lower Tier: Up to 10 Million EUR or 2% of Turnover
Article 83(4) covers violations related to:
- Obligations of controllers and processors (Articles 8, 11, 25 through 39, 42, and 43)
- Obligations of certification bodies (Articles 42 and 43)
- Obligations of monitoring bodies (Article 41)
Upper Tier: Up to 20 Million EUR or 4% of Turnover
Article 83(5) applies to the most serious breaches, including:
- Core data processing principles (Articles 5, 6, and 9)
- Conditions for consent (Article 7)
- Data subject rights (Articles 12 through 22)
- International data transfers (Articles 44 through 49)
- Non-compliance with a supervisory authority order
When calculating fines, supervisory authorities consider factors listed in Article 83(2):
- The nature, gravity, and duration of the infringement
- Whether the violation was intentional or negligent
- Actions taken to mitigate damage
- Degree of cooperation with the supervisory authority
- Categories of personal data affected
- How the authority became aware of the infringement
- Previous infringements by the same controller or processor
Beyond fines, supervisory authorities can issue warnings, reprimands, processing bans, and orders to erase data under Article 58(2).
Major Breach of GDPR Enforcement Examples
Examining real enforcement actions reveals what regulators prioritize and how fines scale with the severity of the violation.
Meta (2023): 1.2 Billion EUR
The Irish Data Protection Commission fined Meta 1.2 billion EUR for transferring EU user data to the United States without adequate safeguards following the invalidation of the Privacy Shield framework. This remains the largest GDPR fine to date and underscores the importance of lawful data transfer mechanisms.
Amazon (2021): 746 Million EUR
Luxembourg's CNPD issued this fine for Amazon's behavioral advertising practices, finding that the company processed personal data for targeted advertising without valid consent under the GDPR.
WhatsApp (2021): 225 Million EUR
The Irish DPC fined WhatsApp for transparency failures, specifically for not providing adequate information to users and non-users about how their data was processed, violating Articles 12 through 14.
H&M (2020): 35.3 Million EUR
The Hamburg Commissioner for Data Protection fined H&M for extensive surveillance of employees at its Nuremberg service center. Managers recorded details about employees' personal lives, health conditions, and religious beliefs, storing them in a shared drive accessible to other managers.
British Airways (2020): 20 Million GBP
The UK ICO fined British Airways after a 2018 data breach exposed the personal and financial data of approximately 400,000 customers. The ICO found that BA had inadequate security measures, including insufficient logging, lack of multi-factor authentication, and failure to conduct rigorous testing.
These cases illustrate that regulators take enforcement seriously across all categories of violation, from security failures and transparency gaps to unlawful data transfers.
The 72-Hour Breach Notification Rule
When a personal data breach occurs, time is critical. Article 33 of the GDPR requires data controllers to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
What the Notification Must Include
Under Article 33(3), the notification must describe:
- The nature of the breach, including approximate number of data subjects and records affected
- The name and contact details of the Data Protection Officer or other contact point
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
Notifying Data Subjects
Article 34 requires controllers to notify affected individuals "without undue delay" when the breach is likely to result in a high risk to their rights and freedoms. The communication must use clear and plain language.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowNotification to individuals is not required if:
- The controller has applied appropriate protections (such as encryption) that render the data unintelligible
- The controller has taken subsequent measures that ensure the high risk is no longer likely to materialize
- Individual notification would involve disproportionate effort, in which case a public communication is acceptable
Documentation Requirements
Even when notification is not required, Article 33(5) mandates that controllers document all personal data breaches, including the facts, effects, and remedial actions taken. This internal record must be available for supervisory authority inspection.
How to Prevent a Breach of GDPR
Prevention is less expensive and less disruptive than remediation. A structured compliance program addresses the most common failure points.
Conduct a Data Mapping Exercise
Before you can protect personal data, you need to know what you collect, where it lives, who accesses it, and how long you keep it. Article 30 requires controllers to maintain a record of processing activities. This record forms the foundation of your compliance program.
Implement Privacy by Design
Article 25 requires data protection by design and by default. In practice, this means:
- Collecting only the data you need (data minimization)
- Pseudonymizing or encrypting data where possible
- Setting default configurations to the most privacy-friendly option
- Building access controls and audit logging into systems from the start
Use Lawful Bases Correctly
Every processing activity must rely on one of the six legal bases in Article 6. Document which basis applies to each activity and, if using consent, ensure it meets the Article 7 standard: freely given, specific, informed, and unambiguous.
Keep Your Privacy Policy Current
Your privacy policy must accurately reflect your current data practices. When you add new analytics tools, change processors, or start collecting new data categories, update the policy. A privacy policy generator helps maintain a structured document that covers all required disclosures, and tools like TermsBox can monitor your site for changes that may require policy updates.
Train Your Team
Human error accounts for a significant share of data breaches. Regular training should cover:
- Recognizing phishing and social engineering attacks
- Proper handling of data subject requests
- Incident reporting procedures
- Access management and password hygiene
Run Regular Security Assessments
Periodic penetration testing, vulnerability scanning, and data protection impact assessments (DPIAs) under Article 35 help identify gaps before they become breaches. DPIAs are mandatory for processing that is likely to result in a high risk to individuals.
What to Do After a GDPR Breach
If a breach occurs despite your prevention measures, a clear response plan limits damage and demonstrates accountability.
Immediate Containment
Isolate affected systems to stop ongoing data loss. Preserve evidence for forensic analysis and potential regulatory inquiries. Do not delete logs or modify affected systems before they have been documented.
Assess Severity and Risk
Determine what data was compromised, how many individuals are affected, and whether the data was encrypted or otherwise protected. This assessment drives your notification obligations and remediation priorities.
Notify the Supervisory Authority
If the breach meets the notification threshold, file your report within 72 hours. If you do not yet have complete information, Article 33(4) allows you to provide information in phases, but the initial notification must not be delayed.
Notify Affected Individuals
If the breach poses a high risk, communicate directly with affected data subjects. Explain what happened, what data was involved, what you are doing about it, and what steps they can take to protect themselves.
Conduct a Post-Incident Review
After the breach is resolved, review what happened and why. Update your security measures, incident response procedures, and training materials based on lessons learned. Document everything for your Article 33(5) breach register.
Breach of GDPR and Non-EU Businesses
The GDPR applies beyond the borders of the European Union. Article 3 establishes that the regulation covers:
- Organizations established in the EU, regardless of where processing takes place
- Organizations outside the EU that offer goods or services to individuals in the EU
- Organizations outside the EU that monitor the behavior of individuals in the EU
If your website targets EU visitors, collects their data, or tracks their behavior, you are subject to the GDPR and its enforcement mechanisms. Non-EU organizations that fall within scope must appoint a representative in the EU under Article 27.
Supervisory authorities have demonstrated willingness to pursue non-EU companies. The GDPR's broad territorial scope means that a breach of GDPR obligations can result in enforcement action regardless of where your business is headquartered.
Frequently Asked Questions
What counts as a breach of GDPR?
Any failure to comply with the General Data Protection Regulation counts as a breach. This includes unlawful data processing, inadequate security leading to a personal data breach, failing to honor data subject rights, and transferring personal data outside the EEA without appropriate safeguards.
What are the maximum fines for a GDPR breach?
The GDPR establishes two tiers of administrative fines. Lower-tier violations carry fines of up to 10 million EUR or 2% of global annual turnover, whichever is higher. Upper-tier violations, such as breaching core processing principles or data subject rights, can result in fines of up to 20 million EUR or 4% of global annual turnover.
How quickly must a data breach be reported under GDPR?
Article 33 of the GDPR requires data controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach poses a high risk, affected individuals must also be notified without undue delay under Article 34.
Can individuals sue for a breach of GDPR?
Yes. Article 82 of the GDPR gives individuals the right to claim compensation for material or non-material damage resulting from a GDPR violation. Data subjects can bring claims directly against controllers or processors in court, and several EU member states have seen successful compensation cases.