The GDPR backs its rules with steep administrative fines, capped by a two-tier formula in Article 83. This estimator applies that formula to a company’s worldwide turnover and the relevant infringement tier to show the statutory maximum and an illustrative likely range for risk planning.
How it works
Each tier sets two caps and the regulator may impose up to whichever is higher:
lower tier (83(4)): max( 2% × turnover , €10,000,000 )
higher tier (83(5)): max( 4% × turnover , €20,000,000 )
For large undertakings the percentage of turnover dominates; for small ones the fixed figure does. The result is a ceiling — actual fines are set after weighing the Article 83(2) aggravating and mitigating factors and usually fall below it.
Which violations fall in which tier
Lower tier — Article 83(4) — up to €10M or 2% of turnover:
- Controller and processor obligations (Articles 8, 11, 25–39)
- Obligations of certification and monitoring bodies (Articles 41–43)
- Examples: inadequate security measures, failure to maintain records of processing, failure to appoint a DPO when required, failure to notify a personal data breach within 72 hours
Higher tier — Article 83(5) — up to €20M or 4% of turnover:
- Core principles of processing (Articles 5, 6, 7, 9)
- Data subject rights (Articles 12–22)
- International transfer rules (Articles 44–49)
- Non-compliance with an order from a supervisory authority
- Examples: processing without a lawful basis, violating the principles of purpose limitation or data minimisation, unlawful international transfers, ignoring an enforcement notice
The higher tier targets the most fundamental breaches. Processing without any lawful basis at all — not even a misapplied one — places you in this category automatically.
Article 83(2): the factors regulators weigh
The fine within the tier range is not arbitrary. Article 83(2) lists factors that pull the amount up or down:
Aggravating: intentional breach; large number of data subjects affected; sensitive categories of data (health, biometrics, criminal records); long duration; multiple categories of infringement; previous infringements.
Mitigating: taken steps to limit damage; high cooperation with the regulator; promptly notified the supervisory authority; no prior infringements; financial hardship of the controller.
UK GDPR vs EU GDPR: the fixed cap difference
The UK GDPR, which applies after Brexit, mirrors the EU GDPR structure but uses sterling-denominated fixed caps:
- Higher tier: up to £17.5 million or 4% of worldwide annual turnover (whichever is higher)
- Lower tier: up to £8.7 million or 2% of worldwide annual turnover (whichever is higher)
The percentage structure is identical; only the fixed floor differs. Enter the EU euro caps for EU GDPR exposure and adjust to the UK figures manually for UK ICO risk assessment.
Tips and notes
Treat the output as a maximum exposure, not a forecast. Regulators rarely impose the cap; a realistic figure in most routine cases is a fraction of the ceiling. The relevant turnover may be the whole corporate group’s consolidated revenue under the broad “undertaking” concept, which can sharply raise the percentage cap for large groups. This is a planning aid for risk quantification, not legal advice — engage qualified counsel for any live matter.