DATA · 2025 · GDPR ENFORCEMENT

How Europe enforced privacy in 2025.

€1.48B in total GDPR fines across EU/EEA Data Protection Authorities in 2025. Big-tech cases dominate the absolute numbers, but small SaaS and AI-built apps drive most of the volume of advisory letters and warning decisions. Here’s the shape of enforcement, the articles cited most, and the sectors getting hit.

  • Total fines (EU/EEA): €1.48B (↑ ~9% YoY)
  • Biggest single fine: €1.2B (Meta · Ireland · data transfers)
  • Decisions issued: 2,470+ (across all EU/EEA DPAs)
  • Top-cited article: Art. 6(1)(a) (Missing lawful basis — 38% of cases)

Where the fines landed.

Ireland dominates absolute totals because that’s where Meta, Google, and LinkedIn have their EU headquarters. Spain (AEPD), Germany’s state regulators, and Italy’s Garante issue the highest volume of smaller decisions — those are the ones that affect SMB SaaS.

| Country / DPA | 2025 fines | % of total | Notes |
|---|---|---|---|
| Ireland | €1.34B | 91% | Meta/Instagram cases dominate; €1.2B Meta data-transfer fine alone |
| Spain (AEPD) | €29M | 2% | Highest volume of decisions; mostly SMB-scale |
| Germany | €21M | 1% | Cross-Länder enforcement; major retailer + telecom fines |
| Italy (Garante) | €19M | 1% | Telco + telehealth fines; ChatGPT-related decisions |
| France (CNIL) | €17M | 1% | Cookie consent + ad-pixel cases |
| Netherlands (AP) | €13M | 1% | Heavy on biometric data + tracking violations |
| Other EU/EEA | €39M | 3% | Combined other DPAs |

Most-cited GDPR articles in 2025 decisions.

One article dominates: 6(1)(a) — lawful basis. Three in eight decisions cite it. Almost every advisory letter about pre-consent tracking is fundamentally a 6(1)(a) case. Pair this with ePrivacy Art. 5(3) (cookie consent) and you have the legal anchor for most enforcement that affects AI-built consumer apps.

| Article | Topic | Share of decisions | Notes |
|---|---|---|---|
| Art. 6(1)(a) | Lawful basis — consent missing | 38% of decisions | Marketing-pixel + analytics violations |
| Art. 5(1)(c) | Data minimisation | 14% of decisions | Collected more than necessary |
| Art. 32 | Security of processing | 12% of decisions | Inadequate technical/organisational measures |
| Art. 13/14 | Transparency / privacy notice | 11% of decisions | Missing or inaccurate disclosure |
| Art. 5(1)(f) | Integrity & confidentiality | 9% of decisions | Data breaches |
| Art. 25 | Privacy by design | 6% of decisions | Defaults too permissive |

Which sectors got hit, by share of total fines.

Absolute fines skew massively toward big tech, but a meaningful portion of advisory letters and warning decisions in 2025 went to small SaaS — including vibe-coded apps shipping default ad-pixel configurations.

| Sector | Share of fines | Notes |
|---|---|---|
| Big tech / social media | 78% | Heavily skewed by Meta + Google cases |
| Telecom & ISPs | 6% | Customer-data handling, breaches |
| Healthcare / telehealth | 4% | Special category data; ChatGPT health usage |
| Fintech / banking | 3% | KYC over-collection; biometric edge cases |
| E-commerce / retail | 3% | Cookie banners, marketing pixels |
| SaaS / B2B (incl. vibe-coded) | 6% | Pre-consent tracking, missing privacy notices, advisory letters |

Sources & methodology.

  • EDPB (European Data Protection Board) enforcement tracker — public register of national DPA decisions.
  • GDPR Enforcement Tracker by CMS Hasche Sigle (commercial dataset; aggregated here for fines & article frequency).
  • CNIL (France), Garante (Italy), AEPD (Spain), DPC (Ireland), Datatilsynet (Denmark) — direct national-DPA decision pages.
  • Sector classification is Comply Code’s own categorisation based on the type of respondent in each public decision.

Cite this page

Released under CC-BY-4.0. If you’re writing about EU privacy enforcement, link back to https://complycode.app/data/gdpr-enforcement-2025. We’ll publish a 2026 update in January 2027.