GDPR Enforcement in 2025: Which Violations Cost the Most — and How to Avoid Them
GDPR enforcement continued to intensify throughout 2025, with supervisory authorities across the EEA issuing over 2,100 enforcement decisions and total fines exceeding EUR 2.1 billion for the calendar year. The trend is unmistakable: regulators are not slowing down. For SMEs, understanding which violations attract the heaviest penalties is essential for prioritising compliance investments.
2025 Enforcement at a Glance
Several key statistics shaped the enforcement landscape in 2025:
- Total fines issued: Approximately EUR 2.1 billion across all EEA Data Protection Authorities
- Number of enforcement decisions: Over 2,100, an increase of approximately 18% from 2024
- Largest single fine: EUR 1.2 billion imposed by the Irish Data Protection Commission (DPC)
- Most active DPAs by decision volume: Spanish AEPD, Italian Garante, Romanian ANSPDCP, and Hungarian NAIH
- Most active DPAs by fine value: Irish DPC, French CNIL, Italian Garante, and Luxembourg CNPD
A notable development in 2025 was the increased activity of smaller DPAs. Authorities in Austria (DSB), Finland (Tietosuojavaltuutettu), and Croatia (AZOP) issued their largest ever fines, signalling a maturation of enforcement capacity across the EU.
Top 3 Violation Categories
1. Insufficient Legal Basis for Processing (Article 6)
Processing personal data without a valid legal basis remained the most frequently cited and most heavily penalised violation in 2025. This category includes organisations that relied on consent that did not meet the Article 7 standard, claimed legitimate interests without conducting a proper balancing test, or processed data for purposes incompatible with the original collection purpose (violation of the purpose limitation principle under Article 5(1)(b)).
The CNIL imposed several significant fines in this category, including penalties against organisations that tracked users across websites without valid consent. The CNIL has consistently held that cookie consent mechanisms that use dark patterns, pre-selected options, or make rejection unnecessarily difficult do not constitute valid consent under Articles 6 and 7.
Lesson for SMEs: Audit every processing activity for a documented, defensible legal basis. Where you rely on consent, ensure your consent mechanisms meet the freely given, specific, informed, and unambiguous standard. Where you rely on legitimate interests, document your balancing test.
2. Inadequate Technical and Organisational Security Measures (Article 32)
Article 32 violations accounted for a substantial proportion of enforcement actions in 2025. Supervisory authorities penalised organisations for failures including: unencrypted personal data, weak or default passwords, inadequate access controls, failure to apply security patches in a timely manner, and insufficient monitoring and logging.
The Italian Garante was particularly active in this space, issuing multiple fines to healthcare providers for inadequate security measures that resulted in unauthorised access to patient records. The Spanish AEPD continued its established pattern of penalising small and medium-sized organisations for basic security failures, including cases where customer databases were exposed due to misconfigured cloud storage.
The German Federal Commissioner for Data Protection (BfDI) focused on systemic security deficiencies, emphasising that Article 32 requires not only appropriate technical measures but also organisational controls including security policies, access management procedures, and regular testing of security effectiveness.
Lesson for SMEs: Basic security hygiene is non-negotiable. Implement encryption, enforce strong authentication, patch promptly, and restrict access based on the principle of least privilege. Document your security measures and the rationale for choosing them.
3. Non-Compliance with Data Subject Rights (Articles 15-22)
Failures to respond to data subject requests within the statutory one-month timeline, or providing incomplete responses, generated a significant volume of enforcement actions in 2025. The most common violations involved:
- Failure to respond to access requests (Article 15) within one month
- Refusal to erase data when requested under Article 17 without valid grounds for continued processing
- Excessive identity verification requirements that effectively obstructed the exercise of rights
- Failure to provide data in a portable format when requested under Article 20
The Italian Garante imposed multiple fines for delayed or inadequate responses to data subject access requests, including cases where organisations took several months to respond without justification. The Polish DPA (UODO) also issued notable decisions in this area, particularly concerning the right to erasure.
Lesson for SMEs: Implement a tracking system for data subject requests with automated deadline alerts. Train customer-facing staff to recognise data subject requests even when they are not explicitly framed in GDPR language. A customer saying "delete my account" is exercising their Article 17 right.
Notable Enforcement Actions
Irish DPC: Cross-Border Transfer Enforcement
The Irish DPC continued to leverage its role as lead supervisory authority for many large technology companies. Its enforcement decisions in 2025 focused on cross-border data transfers (Chapter V) and the adequacy of safeguards for transfers to third countries. The record fine of EUR 1.2 billion underscored that transfer mechanisms require genuine, assessed safeguards, not merely contractual formalities.
CNIL: Cookie and Tracking Enforcement
The CNIL maintained its focus on online tracking and consent. In 2025, it expanded enforcement beyond large platforms to mid-market e-commerce and media organisations. The CNIL's particular emphasis was on consent withdrawal mechanisms: making it harder to withdraw consent than to give it violates the Article 7(3) requirement that withdrawal be as easy as giving consent.
BfDI: Employee Data Processing
The German BfDI increased scrutiny of employee data processing, particularly regarding workplace surveillance, employee monitoring software, and the use of biometric data for access control. Several fines were imposed for processing employee data without an adequate legal basis or without proper transparency (Articles 13 and 14).
Garante: Healthcare and Public Sector
The Italian Garante continued its active enforcement in the healthcare sector, penalising hospitals and health authorities for security breaches, unauthorised access to patient records, and failure to conduct DPIAs for high-risk processing. It also issued decisions concerning public sector use of facial recognition and AI-based decision-making.
What This Means for SMEs
The 2025 enforcement data confirms several trends that SMEs must act on:
- Basic compliance is non-negotiable. The most frequent fines are for fundamental failures: no legal basis, no security measures, no response to data subject requests. These are not complex regulatory challenges; they are foundational obligations.
- Size does not provide immunity. The Spanish AEPD and other DPAs regularly fine small organisations. A EUR 50,000 fine may be small in the context of total GDPR enforcement, but it is material for an SME.
- Documentation is your defence. Supervisory authorities assess compliance based on what you can demonstrate. Undocumented compliance is, from a regulatory perspective, non-compliance.
- Proactive compliance is cheaper than reactive enforcement. The cost of implementing proper legal basis documentation, security measures, and data subject rights procedures is a fraction of the cost of a fine, the associated legal fees, and reputational damage.
The GDPR enforcement trajectory shows no sign of reversing. The organisations that invest in compliance now are the ones that will avoid the enforcement headlines of 2026.