Article 83 GDPR · EDPB Guidelines 04/2022
Estimate your maximum GDPR fine exposure.
Calculated per the five-step EDPB methodology adopted 24 May 2023 (or the ICO 2024 fining guidance for UK undertakings). All figures are estimates — not legal advice — but they show the math, including the turnover-size step that scales exposure to your size.
The short answer (reviewed 2026-06-13): GDPR fines are capped at the higher of €20,000,000 or 4% of worldwide annual turnover for Article 83(5) infringements, and €10,000,000 or 2% for Article 83(4). In the UK the caps are £17,500,000 / £8,700,000. But the actual fine is built from a starting amount (a percentage of that maximum, set by seriousness) that is then reduced to a fraction of itself based on your turnover (EDPB ¶65–66 / ICO Step 2): an undertaking with €2–10M turnover is assessed at 0.4–2% of the starting amount, not at the headline cap.
Sources: GDPR Art 83 (EUR-Lex) · EDPB Guidelines 04/2022 · ICO Fining Guidance (Mar 2024)
Scenario inputs (worked example): Art 32 security of processing · Art 83(4) lower tier · EU (Ireland) · seriousness medium · turnover band €2–10M · aggravating and mitigating factors neutral.
Estimated fine exposure: €18,000 (band €11,000 – €29,000)
- After turnover-size adjustment (step 2): €18,000
- Mid estimate after aggravating and mitigating factors (step 3): €18,000
- Statutory ceiling (step 4): €10,000,000
EDPB five-step breakdown
Step 2 (turnover-size adjustment, EDPB ¶65–66 / ICO Step 2 Table B) is the step that scales exposure to undertaking size. Step-1 and step-2 percentages are illustrative range midpoints, not a regulator tariff (ICO ¶108: no pre-set tariff).
1. Seriousness → starting amount: Art 32 (security of processing) · Art 83(4) lower tier · EU, Ireland. Seriousness medium, midpoint 15.0% of the €10,000,000 applicable maximum = €1,500,000.
2. Turnover-size adjustment: turnover band €2–10M → 0.4–2% of the starting amount; midpoint 1.2% × €1,500,000 = €18,000.
3. Aggravating × mitigating: aggravating × 1.00 (negligent rather than intentional) · mitigating × 1.00 → €18,000.
4. Legal-maximum cap check: cap basis is the €10,000,000 fixed cap (Art 83(4)); 2% of turnover is lower for this band. The uncapped figure stays below the ceiling.
5. Proportionality note: the mid estimate of €18,000 is 0.18% of the €10,000,000 statutory ceiling, i.e. about 99.8% below it.
Notes
- Turnover-size step (€2–10M band → 0.4–2% of the starting amount, EDPB ¶65–66 / ICO Step 2 Table B) reduced the starting amount to a small fraction of the legal maximum. This is the step that keeps SMB exposure proportionate.
EU vs UK methodology
Both regulators apply the same five-step methodology; only the statutory caps, the currency and the top turnover band (€500M in the EU, £435M in the UK) diverge. The five-step engine sets a starting amount from seriousness and reduces it to a fraction of itself for smaller undertakings; there is no fixed tariff (ICO ¶108).
| Threshold | EU (GDPR Art 83) | UK (ICO 2024) |
|---|---|---|
| Lower tier (Art 83(4)) | €10,000,000 or 2% of worldwide annual turnover, whichever is higher | £8,700,000 or 2% of worldwide annual turnover, whichever is higher |
| Upper tier (Art 83(5)) | €20,000,000 or 4% of worldwide annual turnover, whichever is higher | £17,500,000 or 4% of worldwide annual turnover, whichever is higher |
| Methodology | EDPB Guidelines 04/2022 v2.1 | ICO Fining Guidance, March 2024 |
→ Run your turnover and a seriousness level through all five steps in the calculator above to see the seriousness % and turnover-band multiplier applied to your own figures.
Recent enforcement context
Decisions cited by EDPB and CMS Enforcement Tracker — useful as comparators when arguing proportionality at step 5.
| Year | Regulator | Subject & article | Fine |
|---|---|---|---|
| 2023 | DPC (Ireland) | Meta Platforms Ireland Ltd — international data transfers · Art 46(1) GDPR | €1,200,000,000 |
| 2022 | DPC (Ireland) | Meta Platforms — Instagram children's data exposure · Art 5(1)(a),(c) · Art 6(1) · Art 12(1) · Art 25 | €405,000,000 |
| 2023 | DPC (Ireland) | TikTok Technology Ltd — children's data · Art 5(1)(a),(c),(f) · Art 24(1) · Art 25 · Art 12 · Art 13 | €345,000,000 |
| 2022 | ICO (UK) | Clearview AI Inc — biometric scraping · UK GDPR Art 5, 6, 9, 14 · DPA 2018. Penalty of £7,552,800 (May 2022) quashed by the First-tier Tribunal on jurisdiction (Oct 2023); the Upper Tribunal found for the ICO on jurisdiction (Oct 2025) and remitted the rest, so this is not a settled comparable. | £7,552,800 |
| 2024 | Autoriteit Persoonsgegevens (Netherlands) | Uber B.V. — driver data transfers to the US · Art 44 GDPR | €290,000,000 |
Source: regulator press releases · CMS Enforcement Tracker (sources checked 2026-06-13; methodology reviewed 2026-06-13).
Frequently asked questions
What is the maximum GDPR fine?
The higher of €20 million or 4% of total worldwide annual turnover of the preceding financial year for Article 83(5) infringements, and €10 million or 2% for Article 83(4). For an undertaking the percentage is calculated on group turnover, which is why “4% of turnover” can exceed the fixed cap for large companies.
Does the headline cap mean a small business pays €20 million?
No. The cap is a ceiling, not the expected fine. Both the EDPB (¶65–66) and the ICO (Step 2, Table B) reduce the starting amount to a fraction of itself based on turnover — an undertaking with €2–10M turnover is in the 0.4–2% band. This turnover-size step is the single biggest driver of proportionate fines for SMBs and is built into this calculator.
Which violations are upper tier (Art 83(5)) vs lower tier (Art 83(4))?
Upper tier (€20M / 4%): basic principles and lawfulness (Art 5, 6, 7, 9), data-subject rights (Art 12–22) and international transfers (Chapter V, Art 44–49). Lower tier (€10M / 2%): security of processing (Art 32), breach notification (Art 33–34), DPIAs (Art 35) and processor obligations (Art 28), all within the Art 25–39 block listed in Art 83(4)(a). The calculator validates the article/tier pairing both ways.
How is the seriousness percentage decided?
The EDPB (¶60) and ICO (Step 1) set ranges as a percentage of the applicable maximum: low 0–10%, medium 10–20%, high 20–100%. There is no fixed tariff (ICO ¶108); the single point this tool applies is the range midpoint, clearly labelled as illustrative.
What is the difference between the EU and UK calculations?
The methodology is the same five steps. The statutory caps differ (£17.5M / £8.7M in the UK) and the currency is GBP. The UK turnover bands (ICO Table B) top out at £435M; the EU bands (EDPB ¶65–66) top out at €500M, above which no turnover adjustment applies.
Is this calculator legal advice?
No. It is an indicative estimate derived from public regulator guidance. Actual fines remain at the supervisory authority's discretion under Article 83(2), which weighs factors a calculator cannot fully model. Consult a qualified DPO or counsel before relying on any figure for board reporting or DPA correspondence.
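The five-step breakdown above and the FAQ entries on tiers, seriousness ranges and turnover bands, as one runnable example added by the editor (this is not the page's own calculator code). It reproduces the page's worked scenario (EU, Art 32, medium seriousness, €2–10M turnover → €18,000) with exact Fraction arithmetic and goes beyond it: the article-to-tier check, the "whichever is higher" cap for large undertakings, the no-adjustment rule above the top band, and the step-4 cap biting when aggravating factors push the figure over the maximum. Assumptions: the page states only the €2–10M band (0.4–2%) and the €500M / £435M tops of the tables, so the other band rows are taken from EDPB ¶65 / ICO Table B as the editor reads them and must be checked against the guidelines before use; the €5M turnover in the demo is a constructed figure inside the page's 2–10M band; aggravating and mitigating multipliers are free inputs, not values the guidance prescribes; Art 83(5)(d) and (e) are not modelled.

```python
"""Five-step GDPR fine estimate per EDPB Guidelines 04/2022 (EU) and the ICO
March 2024 fining guidance (UK). Exact arithmetic via Fraction so the worked
figures reproduce to the euro / pound. Editor's example, not the page's code."""
from fractions import Fraction as F

# Art 83 fixed caps per regime (page table) and the turnover percentage that
# applies instead when it is higher (step 4 basis).
FIXED_CAP = {
    "EU": {"lower": 10_000_000, "upper": 20_000_000},   # EUR
    "UK": {"lower": 8_700_000, "upper": 17_500_000},    # GBP
}
TURNOVER_CAP_PCT = {"lower": F(2, 100), "upper": F(4, 100)}

# Tier lookup per Art 83(4)(a)-(c) and Art 83(5)(a)-(c). Art 83(5)(d)/(e)
# (Chapter IX national law, non-compliance with an SA order) are not modelled.
LOWER_TIER = {8, 11, *range(25, 40), 41, 42, 43}
UPPER_TIER = {5, 6, 7, 9, *range(12, 23), *range(44, 50)}

# Step 1: seriousness ranges as a share of the legal maximum (EDPB para 60 / ICO Step 1).
SERIOUSNESS = {
    "low": (F(0), F(10, 100)),
    "medium": (F(10, 100), F(20, 100)),
    "high": (F(20, 100), F(1)),
}

# Step 2: (upper bound of annual turnover, (low, high) share of the starting
# amount). Only the 2-10M row and the top of the table come from the page; the
# other rows are ASSUMED from EDPB para 65 / ICO Table B. Verify before use.
def _bands(top):
    return [
        (2_000_000, (F(2, 1000), F(4, 1000))),
        (10_000_000, (F(4, 1000), F(20, 1000))),
        (50_000_000, (F(20, 1000), F(100, 1000))),
        (100_000_000, (F(100, 1000), F(200, 1000))),
        (250_000_000, (F(200, 1000), F(500, 1000))),
        (top, (F(500, 1000), F(1))),
    ]
TURNOVER_BANDS = {"EU": _bands(500_000_000), "UK": _bands(435_000_000)}


def tier_for_article(article):
    """Map an infringed GDPR article to its Art 83 tier; reject unknown pairings."""
    if article in UPPER_TIER:
        return "upper"
    if article in LOWER_TIER:
        return "lower"
    raise ValueError(f"Article {article} is not in the Art 83(4) or 83(5) lists")


def legal_maximum(regime, tier, turnover):
    """Art 83: the fixed cap or the turnover percentage, whichever is higher."""
    return max(F(FIXED_CAP[regime][tier]), TURNOVER_CAP_PCT[tier] * turnover)


def turnover_multiplier(regime, turnover):
    """Step 2: midpoint of the applicable band; no adjustment above the top band."""
    for upper, (lo, hi) in TURNOVER_BANDS[regime]:
        if turnover <= upper:
            return (lo + hi) / 2, (lo, hi)
    return F(1), (F(1), F(1))   # EDPB para 66 / ICO Table B top row


def estimate_fine(regime, article, seriousness, turnover,
                  aggravating=F(1), mitigating=F(1)):
    """Run all five steps and return the breakdown in whole currency units."""
    tier = tier_for_article(article)
    cap = legal_maximum(regime, tier, turnover)
    lo, hi = SERIOUSNESS[seriousness]
    starting = (lo + hi) / 2 * cap                          # step 1 (range midpoint)
    mult, band = turnover_multiplier(regime, turnover)      # step 2
    uncapped = starting * mult * aggravating * mitigating   # step 3
    final = min(uncapped, cap)                              # step 4
    return {
        "tier": tier,
        "legal_maximum": round(cap),
        "starting_amount": round(starting),
        "turnover_band": (float(band[0]), float(band[1])),
        "turnover_multiplier": float(mult),
        "uncapped": round(uncapped),
        "estimate": round(final),
        "share_of_maximum": float(final / cap),             # step 5 comparator
        "capped": uncapped > cap,
    }


if __name__ == "__main__":
    # The page's worked scenario; EUR 5M is a constructed turnover inside the 2-10M band.
    for key, value in estimate_fine("EU", 32, "medium", 5_000_000).items():
        print(f"{key:>20}: {value}")
```

Run it as-is to print the page's scenario; `share_of_maximum` is the number to quote at step 5 (0.0018 here, i.e. 0.18% of the ceiling), and `capped` flags the only situation in which step 4 changes the result: high seriousness combined with aggravating multipliers above 1 on an undertaking large enough to receive no turnover reduction.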
Related EU compliance tools
- Digital Services Act (DSA) obligations checker — see which DSA duties apply to your platform or marketplace.
- EU AI Act risk classifier — classify an AI system into prohibited / high / limited / minimal risk.
- NIS2 entity scope check — check whether NIS2 cybersecurity obligations cover your entity.
- All SellerGuardrails EU seller compliance tools
Disclaimer
Results are indicative estimates derived from public regulator guidance. They do not constitute legal, tax, or financial advice. Consult a qualified Data Protection Officer or counsel before relying on any figure for board reporting or DPA correspondence.