TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Breach of GDPR: Penalties, Examples, and Prevention
Legal Compliance

Breach of GDPR: Penalties, Examples, and Prevention

Learn what a breach of GDPR means, the penalties involved, real enforcement examples, and how to prevent violations at your business.

TermsBox Team|April 3, 202611 min read

A breach of GDPR occurs when any organization fails to comply with the requirements set out in the General Data Protection Regulation. Whether it involves mishandling personal data, ignoring data subject rights, or suffering a security incident that exposes user information, the consequences can be severe.

This guide explains what constitutes a breach of GDPR, the penalty structure, real enforcement actions, and the practical steps you can take to stay compliant. This content is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is a Breach of GDPR?

A breach of GDPR is any violation of the regulation's requirements. The term covers two distinct but related concepts that are often confused.

Compliance breach refers to any failure to meet GDPR obligations. Examples include processing personal data without a valid legal basis, failing to appoint a Data Protection Officer when required, or not maintaining records of processing activities. These do not necessarily involve a security incident.

Personal data breach is defined in Article 4(12) of the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." This is a subset of compliance breaches and triggers specific notification obligations.

Both types can result in regulatory action, but personal data breaches carry additional urgency because of the 72-hour notification window under Article 33.

Common Types of GDPR Breaches

Organizations violate the GDPR in a variety of ways. Understanding the most frequent breach categories helps you identify risks before they escalate.

Unlawful Processing

Processing personal data without a valid legal basis under Article 6 is one of the most common violations. This includes collecting data without consent where consent is the chosen basis, or relying on legitimate interest without conducting and documenting a balancing test.

Inadequate Security Measures

Article 32 requires controllers and processors to implement appropriate technical and organizational measures. Breaches in this area include:

  • Unencrypted databases containing personal data
  • Lack of access controls or role-based permissions
  • Failure to patch known vulnerabilities
  • Missing logging and monitoring for unauthorized access

Failure to Honor Data Subject Rights

Articles 15 through 22 grant individuals specific rights, including access, rectification, erasure, and data portability. Ignoring or unreasonably delaying responses to these requests is a breach. Controllers must respond within one month under Article 12(3), with a possible two-month extension for complex requests.

Insufficient Privacy Notices

Article 13 and Article 14 require transparent information about data processing. A privacy policy that omits the legal basis for processing, categories of recipients, or data retention periods is non-compliant. Using a privacy policy generator can help you cover the required disclosures systematically.

International Data Transfers

Chapter V of the GDPR restricts transfers of personal data to countries outside the EEA that lack an adequacy decision. Organizations that transfer data without Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism are in breach.

GDPR Breach Penalties and Fine Structure

The GDPR introduced a penalty framework designed to make non-compliance financially meaningful. Fines are split into two tiers based on the severity of the violation.

Lower Tier: Up to 10 Million EUR or 2% of Turnover

Article 83(4) covers violations related to:

  • Obligations of controllers and processors (Articles 8, 11, 25 through 39, 42, and 43)
  • Obligations of certification bodies (Articles 42 and 43)
  • Obligations of monitoring bodies (Article 41)

Upper Tier: Up to 20 Million EUR or 4% of Turnover

Article 83(5) applies to the most serious breaches, including:

  • Core data processing principles (Articles 5, 6, and 9)
  • Conditions for consent (Article 7)
  • Data subject rights (Articles 12 through 22)
  • International data transfers (Articles 44 through 49)
  • Non-compliance with a supervisory authority order

When calculating fines, supervisory authorities consider factors listed in Article 83(2):

  1. The nature, gravity, and duration of the infringement
  2. Whether the violation was intentional or negligent
  3. Actions taken to mitigate damage
  4. Degree of cooperation with the supervisory authority
  5. Categories of personal data affected
  6. How the authority became aware of the infringement
  7. Previous infringements by the same controller or processor

Beyond fines, supervisory authorities can issue warnings, reprimands, processing bans, and orders to erase data under Article 58(2).

Major Breach of GDPR Enforcement Examples

Examining real enforcement actions reveals what regulators prioritize and how fines scale with the severity of the violation.

Meta (2023): 1.2 Billion EUR

The Irish Data Protection Commission fined Meta 1.2 billion EUR for transferring EU user data to the United States without adequate safeguards following the invalidation of the Privacy Shield framework. This remains the largest GDPR fine to date and underscores the importance of lawful data transfer mechanisms.

Amazon (2021): 746 Million EUR

Luxembourg's CNPD issued this fine for Amazon's behavioral advertising practices, finding that the company processed personal data for targeted advertising without valid consent under the GDPR.

WhatsApp (2021): 225 Million EUR

The Irish DPC fined WhatsApp for transparency failures, specifically for not providing adequate information to users and non-users about how their data was processed, violating Articles 12 through 14.

H&M (2020): 35.3 Million EUR

The Hamburg Commissioner for Data Protection fined H&M for extensive surveillance of employees at its Nuremberg service center. Managers recorded details about employees' personal lives, health conditions, and religious beliefs, storing them in a shared drive accessible to other managers.

British Airways (2020): 20 Million GBP

The UK ICO fined British Airways after a 2018 data breach exposed the personal and financial data of approximately 400,000 customers. The ICO found that BA had inadequate security measures, including insufficient logging, lack of multi-factor authentication, and failure to conduct rigorous testing.

These cases illustrate that regulators take enforcement seriously across all categories of violation, from security failures and transparency gaps to unlawful data transfers.

The 72-Hour Breach Notification Rule

When a personal data breach occurs, time is critical. Article 33 of the GDPR requires data controllers to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

What the Notification Must Include

Under Article 33(3), the notification must describe:

  • The nature of the breach, including approximate number of data subjects and records affected
  • The name and contact details of the Data Protection Officer or other contact point
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects

Notifying Data Subjects

Article 34 requires controllers to notify affected individuals "without undue delay" when the breach is likely to result in a high risk to their rights and freedoms. The communication must use clear and plain language.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Notification to individuals is not required if:

  • The controller has applied appropriate protections (such as encryption) that render the data unintelligible
  • The controller has taken subsequent measures that ensure the high risk is no longer likely to materialize
  • Individual notification would involve disproportionate effort, in which case a public communication is acceptable

Documentation Requirements

Even when notification is not required, Article 33(5) mandates that controllers document all personal data breaches, including the facts, effects, and remedial actions taken. This internal record must be available for supervisory authority inspection.

How to Prevent a Breach of GDPR

Prevention is less expensive and less disruptive than remediation. A structured compliance program addresses the most common failure points.

Conduct a Data Mapping Exercise

Before you can protect personal data, you need to know what you collect, where it lives, who accesses it, and how long you keep it. Article 30 requires controllers to maintain a record of processing activities. This record forms the foundation of your compliance program.

Implement Privacy by Design

Article 25 requires data protection by design and by default. In practice, this means:

  • Collecting only the data you need (data minimization)
  • Pseudonymizing or encrypting data where possible
  • Setting default configurations to the most privacy-friendly option
  • Building access controls and audit logging into systems from the start

Use Lawful Bases Correctly

Every processing activity must rely on one of the six legal bases in Article 6. Document which basis applies to each activity and, if using consent, ensure it meets the Article 7 standard: freely given, specific, informed, and unambiguous.

Keep Your Privacy Policy Current

Your privacy policy must accurately reflect your current data practices. When you add new analytics tools, change processors, or start collecting new data categories, update the policy. A privacy policy generator helps maintain a structured document that covers all required disclosures, and tools like TermsBox can monitor your site for changes that may require policy updates.

Train Your Team

Human error accounts for a significant share of data breaches. Regular training should cover:

  • Recognizing phishing and social engineering attacks
  • Proper handling of data subject requests
  • Incident reporting procedures
  • Access management and password hygiene

Run Regular Security Assessments

Periodic penetration testing, vulnerability scanning, and data protection impact assessments (DPIAs) under Article 35 help identify gaps before they become breaches. DPIAs are mandatory for processing that is likely to result in a high risk to individuals.

What to Do After a GDPR Breach

If a breach occurs despite your prevention measures, a clear response plan limits damage and demonstrates accountability.

Immediate Containment

Isolate affected systems to stop ongoing data loss. Preserve evidence for forensic analysis and potential regulatory inquiries. Do not delete logs or modify affected systems before they have been documented.

Assess Severity and Risk

Determine what data was compromised, how many individuals are affected, and whether the data was encrypted or otherwise protected. This assessment drives your notification obligations and remediation priorities.

Notify the Supervisory Authority

If the breach meets the notification threshold, file your report within 72 hours. If you do not yet have complete information, Article 33(4) allows you to provide information in phases, but the initial notification must not be delayed.

Notify Affected Individuals

If the breach poses a high risk, communicate directly with affected data subjects. Explain what happened, what data was involved, what you are doing about it, and what steps they can take to protect themselves.

Conduct a Post-Incident Review

After the breach is resolved, review what happened and why. Update your security measures, incident response procedures, and training materials based on lessons learned. Document everything for your Article 33(5) breach register.

Breach of GDPR and Non-EU Businesses

The GDPR applies beyond the borders of the European Union. Article 3 establishes that the regulation covers:

  • Organizations established in the EU, regardless of where processing takes place
  • Organizations outside the EU that offer goods or services to individuals in the EU
  • Organizations outside the EU that monitor the behavior of individuals in the EU

If your website targets EU visitors, collects their data, or tracks their behavior, you are subject to the GDPR and its enforcement mechanisms. Non-EU organizations that fall within scope must appoint a representative in the EU under Article 27.

Supervisory authorities have demonstrated willingness to pursue non-EU companies. The GDPR's broad territorial scope means that a breach of GDPR obligations can result in enforcement action regardless of where your business is headquartered.

Frequently Asked Questions

What counts as a breach of GDPR?

Any failure to comply with the General Data Protection Regulation counts as a breach. This includes unlawful data processing, inadequate security leading to a personal data breach, failing to honor data subject rights, and transferring personal data outside the EEA without appropriate safeguards.

What are the maximum fines for a GDPR breach?

The GDPR establishes two tiers of administrative fines. Lower-tier violations carry fines of up to 10 million EUR or 2% of global annual turnover, whichever is higher. Upper-tier violations, such as breaching core processing principles or data subject rights, can result in fines of up to 20 million EUR or 4% of global annual turnover.

How quickly must a data breach be reported under GDPR?

Article 33 of the GDPR requires data controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach poses a high risk, affected individuals must also be notified without undue delay under Article 34.

Can individuals sue for a breach of GDPR?

Yes. Article 82 of the GDPR gives individuals the right to claim compensation for material or non-material damage resulting from a GDPR violation. Data subjects can bring claims directly against controllers or processors in court, and several EU member states have seen successful compensation cases.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is a Breach of GDPR?
  • Common Types of GDPR Breaches
  • Unlawful Processing
  • Inadequate Security Measures
  • Failure to Honor Data Subject Rights
  • Insufficient Privacy Notices
  • International Data Transfers
  • GDPR Breach Penalties and Fine Structure
  • Lower Tier: Up to 10 Million EUR or 2% of Turnover
  • Upper Tier: Up to 20 Million EUR or 4% of Turnover
  • Major Breach of GDPR Enforcement Examples
  • Meta (2023): 1.2 Billion EUR
  • Amazon (2021): 746 Million EUR
  • WhatsApp (2021): 225 Million EUR
  • H&M (2020): 35.3 Million EUR
  • British Airways (2020): 20 Million GBP
  • The 72-Hour Breach Notification Rule
  • What the Notification Must Include
  • Notifying Data Subjects
  • Documentation Requirements
  • How to Prevent a Breach of GDPR
  • Conduct a Data Mapping Exercise
  • Implement Privacy by Design
  • Use Lawful Bases Correctly
  • Keep Your Privacy Policy Current
  • Train Your Team
  • Run Regular Security Assessments
  • What to Do After a GDPR Breach
  • Immediate Containment
  • Assess Severity and Risk
  • Notify the Supervisory Authority
  • Notify Affected Individuals
  • Conduct a Post-Incident Review
  • Breach of GDPR and Non-EU Businesses
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.