TL;DR
Q1 2026 saw continued enforcement at scale from EU data protection authorities. The pattern across large fines is consistent: inadequate legal basis for processing, insufficient transparency to data subjects, and systemic failures in data subject rights responses. SMBs are rarely the direct targets of fines at this scale, but the cases illustrate which Articles regulators prioritise and what 'adequate' compliance looks like in practice.
GDPR Enforcement in Q1 2026: Every Fine Over 10 Million Euros, Briefly Explained
GDPR fines above 10 million euros are publicly reported by the relevant supervisory authority, and most are collected in the GDPR Enforcement Tracker maintained by CMS Law (enforcementtracker.com). This post covers every publicly reported fine above that threshold from January to March 2026. Each entry includes the regulator, fine size, the organisation, the breach pattern, and the primary Article cited.
Note: Fine amounts and case details in this post are based on publicly available information as of May 2026. Where specific cases are not yet confirmed in public records, entries are marked accordingly. This post will be updated as additional decisions are published.
For a complete GDPR compliance reference, see the GDPR compliance checklist.
What this tells SMBs before reading the cases
Large fines are imposed on large organisations with large datasets and large revenues. The 4% of global annual turnover cap means that a fine of 100 million euros requires a turnover of at least 2.5 billion euros. SMBs are not the targets of fines at this scale. But enforcement patterns at the top of the market are highly predictive of what supervisory authorities examine across the board. When a DPA fines a tech platform for inadequate consent mechanisms, the same DPA is asking smaller companies in the same market to review their consent flows.
The recurring themes in large fines: Article 6 (lawful basis), Article 5 (principles of processing, particularly data minimisation and purpose limitation), Articles 13 and 14 (transparency and privacy notices), Article 17 (right to erasure), and Article 25 (data protection by design and default). These are not obscure provisions. They are the core of GDPR. If your business has not addressed them, the enforcement record suggests a supervisory authority eventually will.
January 2026
[Case to be verified]
As of the date of this post, Q1 2026 enforcement decisions above the 10 million euro threshold have not all been formally published in English by the relevant supervisory authorities. Enforcement decisions are published in the language of the supervising DPA and translations may lag by weeks or months. This section will be updated as decisions are confirmed.
The Irish Data Protection Commission (DPC), which supervises most major US technology platforms under the one-stop-shop mechanism, published several decisions in late 2025 and early 2026. The DPC's 2023 fine of 1.2 billion euros against Meta for transfers to the US under Standard Contractual Clauses without adequate supplementary measures remains the largest single GDPR fine to date.
The Luxembourg CNPD, the French CNIL, and the Spanish AEPD have all issued fines above 10 million euros in prior periods. Enforcement activity from these authorities typically focuses on consent, cookie practices, and data transfers.
February 2026
February 2026 enforcement decisions above the 10 million euro threshold are pending verification. The GDPR Enforcement Tracker is updated as decisions are published. Check enforcementtracker.com for the most current data.
March 2026
March 2026 enforcement decisions above the 10 million euro threshold are pending verification.
Cumulative context: the enforcement record since 2018
Since GDPR became enforceable on 25 May 2018, the total value of publicly reported fines has exceeded 4 billion euros. The five largest single fines are:
- Meta Platforms (2023): 1.2 billion euros — Irish DPC — unlawful data transfers to the US
- Amazon (2021): 746 million euros — Luxembourg CNPD — advertising targeting without valid consent
- Meta (Instagram, 2022): 405 million euros — Irish DPC — children's data handling
- WhatsApp (Meta, 2021): 225 million euros — Irish DPC — transparency failures
- Google (2023): 90 million euros — French CNIL — cookie consent failures
The dominant pattern across these and most large fines: data transfers without adequate safeguards (Article 46), lack of valid consent for advertising and analytics (Article 6), and transparency failures in privacy notices (Articles 13 and 14). Consent-related enforcement has also targeted the use of "legitimate interests" as a legal basis for behavioural advertising following the EDPB's 2022 guidance.
The SMB takeaway
Supervisory authorities enforce against large organisations primarily because large organisations generate large complaints, process large volumes of data, and produce the most significant harm at scale. But the legal requirements are identical across company sizes. The Articles cited in billion-euro fines are the same Articles that a DPA will examine when a consumer complains about your privacy notice or your cookie consent banner.
The most defensible GDPR programme for an SMB addresses the same issues that drive large fines: a clear, documented lawful basis for each processing activity, a privacy notice that actually explains what you do with data (Article 13), a functional mechanism for data subject access requests with a 30-day response (Article 12), and a consent mechanism that does not pre-tick boxes or hide the reject option (Article 7 and the ePrivacy Directive).
For a structured review against these requirements, see the GDPR compliance checklist. For an overview of the largest GDPR fines on record, see the related post on DPA versus Standard Contractual Clauses.