GDPR Fine Estimator

Estimate potential GDPR penalty range using Article 83 tier and annual revenue

Applies the GDPR Article 83 tiered fine formula — the higher of a percentage-of-worldwide-turnover cap or a fixed maximum — to a company's annual revenue and selected infringement tier. Privacy lawyers and DPOs use it for risk quantification. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How does the Article 83 cap actually work?

GDPR sets two caps per tier and applies whichever is higher. The higher tier is the greater of 4 percent of total worldwide annual turnover or 20 million euros. The lower tier is the greater of 2 percent or 10 million euros. So a large company is bounded by the turnover percentage, while a small one is bounded by the fixed figure.

The GDPR backs its rules with steep administrative fines, capped by a two-tier formula in Article 83. This estimator applies that formula to a company’s worldwide turnover and the relevant infringement tier to show the statutory maximum and an illustrative likely range for risk planning.

How it works

Each tier sets two caps and the regulator may impose up to whichever is higher:

lower tier (83(4)):  max( 2% × turnover , €10,000,000 )
higher tier (83(5)): max( 4% × turnover , €20,000,000 )

For large undertakings the percentage of turnover dominates; for small ones the fixed figure does. The result is a ceiling — actual fines are set after weighing the Article 83(2) aggravating and mitigating factors and usually fall below it.

Which violations fall in which tier

Lower tier — Article 83(4) — up to €10M or 2% of turnover:

  • Controller and processor obligations (Articles 8, 11, 25–39)
  • Obligations of certification and monitoring bodies (Articles 41–43)
  • Examples: inadequate security measures, failure to maintain records of processing, failure to appoint a DPO when required, failure to notify a personal data breach within 72 hours

Higher tier — Article 83(5) — up to €20M or 4% of turnover:

  • Core principles of processing (Articles 5, 6, 7, 9)
  • Data subject rights (Articles 12–22)
  • International transfer rules (Articles 44–49)
  • Non-compliance with an order from a supervisory authority
  • Examples: processing without a lawful basis, violating the principles of purpose limitation or data minimisation, unlawful international transfers, ignoring an enforcement notice

The higher tier targets the most fundamental breaches. Processing without any lawful basis at all — not even a misapplied one — places you in this category automatically.

Article 83(2): the factors regulators weigh

The fine within the tier range is not arbitrary. Article 83(2) lists factors that pull the amount up or down:

Aggravating: intentional breach; large number of data subjects affected; sensitive categories of data (health, biometrics, criminal records); long duration; multiple categories of infringement; previous infringements.

Mitigating: taken steps to limit damage; high cooperation with the regulator; promptly notified the supervisory authority; no prior infringements; financial hardship of the controller.

UK GDPR vs EU GDPR: the fixed cap difference

The UK GDPR, which applies after Brexit, mirrors the EU GDPR structure but uses sterling-denominated fixed caps:

  • Higher tier: up to £17.5 million or 4% of worldwide annual turnover (whichever is higher)
  • Lower tier: up to £8.7 million or 2% of worldwide annual turnover (whichever is higher)

The percentage structure is identical; only the fixed floor differs. Enter the EU euro caps for EU GDPR exposure and adjust to the UK figures manually for UK ICO risk assessment.

Tips and notes

Treat the output as a maximum exposure, not a forecast. Regulators rarely impose the cap; a realistic figure in most routine cases is a fraction of the ceiling. The relevant turnover may be the whole corporate group’s consolidated revenue under the broad “undertaking” concept, which can sharply raise the percentage cap for large groups. This is a planning aid for risk quantification, not legal advice — engage qualified counsel for any live matter.