
5 Most Common GDPR Violations That Trigger Fines

February 12, 2026

GDPR fines aren't just handed out after data breaches. Most violations are entirely preventable — and many don't involve a hacker at all.

Since GDPR came into force in May 2018, data protection authorities across the EU and UK have issued over €5 billion in fines to organisations of every size and type. The headlines tend to focus on the record-breakers — Meta's €1.2 billion, Amazon's €746 million, Google's repeated penalties running into the hundreds of millions. But behind those headline numbers are thousands of smaller enforcement actions against businesses that most people have never heard of: local retailers, HR software companies, healthcare providers, marketing agencies, and e-commerce startups.

What's striking, when you look at the pattern of enforcement, is how consistently the same categories of violation appear. Regulators aren't primarily catching companies doing something exotic or technically complex. They're catching companies doing things wrong that are straightforward to do right — and that most businesses could fix with a structured internal audit and the willingness to treat compliance as an ongoing operational discipline rather than a one-time project.

This article breaks down the five violations that most commonly trigger GDPR fines, with real enforcement examples for each, and practical steps to avoid them.

Violation 1: Insufficient Legal Basis for Processing Personal Data

What It Means

Every time your organisation processes personal data, you need a valid legal basis for doing so. GDPR provides six options: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. The violation occurs when a company processes personal data without being able to point to a valid basis — or when the basis they claim doesn't actually hold up to scrutiny.

This is the foundational GDPR violation, and it's far more common than most businesses realise — because many organisations have never properly mapped their processing activities against a specific legal basis for each one.

How It Happens in Practice

The most frequent version of this violation involves legitimate interests being used as a catch-all justification for processing activities that don't genuinely qualify. Legitimate interests is a flexible legal basis, but it requires a balancing test: the business's interest must be genuine and proportionate, and it must not be overridden by the individual's rights and freedoms. Many businesses invoke it without conducting or documenting that balancing test.

Other common scenarios include collecting more personal data than is necessary for the stated purpose (a breach of the data minimisation principle), repurposing data collected for one reason for a different use without obtaining a new legal basis, and relying on consent that was obtained in ways that don't meet GDPR's validity requirements — bundled into terms and conditions, pre-ticked, or not genuinely free.

Real Enforcement Examples

The Spanish data protection authority (AEPD) has issued numerous fines to companies — including telecoms providers and financial services firms — for processing customer data without a sufficient legal basis or for processing more data than was necessary for the stated purpose. In Germany, state-level data protection authorities have fined employers for collecting excessive employee data without adequate justification. These are not exotic enforcement actions — they're the routine output of regulators doing their jobs.

How to Avoid It

Document your legal basis for every data processing activity in your Record of Processing Activities (ROPA). Don't treat this as a paperwork exercise — think carefully about whether the basis you're claiming genuinely applies. If you're relying on legitimate interests, conduct and document a Legitimate Interests Assessment (LIA) that actually works through the balancing test. Review your data collection practices against the principle of data minimisation: are you collecting only what you genuinely need?

Violation 2: Inadequate Technical and Organisational Security Measures

What It Means

Article 32 of GDPR requires organisations to implement technical and organisational measures appropriate to the risk — encryption, access controls, regular security testing, staff training, and so on. The violation occurs when a data breach happens and the investigation reveals that the breach was preventable with reasonable security measures that the organisation simply hadn't implemented.

Critically, the violation here is not the breach itself — it's the failure to have adequate security in place. Sophisticated attacks on well-secured systems happen to businesses that are otherwise fully compliant. Regulators take a very different view of breaches that result from basic, preventable security failures.

How It Happens in Practice

The patterns are consistent across enforcement actions: databases exposed to the internet without password protection, personal data stored unencrypted at rest, default passwords left unchanged on systems holding sensitive data, no multi-factor authentication on administrative accounts, software and systems left unpatched for extended periods, and excessive access permissions that mean far more employees can access personal data than actually need to.

These aren't sophisticated attack vectors. They're basic security hygiene failures that create entirely avoidable breaches — and regulators treat them accordingly.

Real Enforcement Examples

In 2020, British Airways was issued a £20 million fine by the ICO following a breach that exposed the personal and financial data of approximately 400,000 customers. The ICO's investigation found that the attack could have been prevented with more basic security measures. The hotel group Marriott received an £18.4 million fine in the same period following a breach traced back to inadequate security controls on a system acquired through an earlier merger.

In 2021, the Portuguese National Association of Administrators of Insolvency was fined for allowing excessive access to patient data — medical records accessible to more staff than necessary, without appropriate access controls. The Polish data protection authority has issued multiple fines to organisations for transmitting personal data without encryption. The common thread across all of them is preventability.

How to Avoid It

Conduct a regular security assessment against a recognised framework — Cyber Essentials at minimum for UK businesses, ISO 27001 for those wanting a more comprehensive standard. Implement multi-factor authentication on all systems that hold personal data, especially administrative accounts. Encrypt personal data at rest and in transit. Apply the principle of least privilege to access controls — staff should only be able to access the personal data they need for their specific role. Establish a patch management process that ensures software vulnerabilities are addressed promptly. And document all of this: showing regulators a structured security programme matters if an incident does occur.

Violation 3: Non-Compliant Cookie Consent

What It Means

Using tracking cookies — analytics, advertising, personalisation, social media pixels — without obtaining valid, freely given, specific, and informed consent from users is a GDPR violation. The violation is triggered not just by the absence of any consent mechanism, but by consent mechanisms that don't meet GDPR's validity requirements.

This is the area where enforcement has been most active against a wide range of business sizes, and where the gap between having a cookie banner and having a compliant one is most consequential.

How It Happens in Practice

The most cited failures in enforcement actions are: loading tracking cookies before the user has responded to the consent banner, presenting an "Accept All" button prominently while burying the "Reject All" option behind multiple clicks, using pre-ticked consent boxes for non-essential cookie categories, designing banners with dark patterns that confuse users into giving broader consent than they intended, and failing to record and maintain proof of consent.

These aren't technical edge cases. They're design decisions — often deliberate ones made to maximise consent rates — that regulators have been explicitly targeting for several years.

Real Enforcement Examples

France's CNIL has been the most active regulator in this space. In January 2022, CNIL fined Google €150 million and Facebook €60 million specifically for making it harder for users to refuse cookies than to accept them — the reject path required multiple additional clicks compared to the single-click accept option. CNIL also fined Microsoft €60 million in 2022 for the same category of violation on Bing.

These fines were not for loading malicious code or stealing data. They were for designing consent interfaces that tilted the scales toward acceptance — a design pattern that remains common across the web.

The Italian Garante, the Belgian DPA, and the German state-level authorities have all pursued similar enforcement actions, including against smaller businesses and publishers. Cookie consent compliance is a regulatory priority across Europe, not a problem that only affects large platforms.

How to Avoid It

Implement a proper Consent Management Platform like Cookiebot or Enzuzo that blocks non-essential cookies until consent is actively obtained, presents genuine choice with equal prominence for accept and reject options, records consent with a timestamp and the version of your cookie policy in effect at the time, and allows users to withdraw consent as easily as they gave it. Test your banner across devices and verify in your browser's developer tools that no tracking scripts are firing before consent is obtained. Review your CMP configuration whenever you add new tools or integrations to your website.
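The behaviour described above (block non-essential trackers until an affirmative decision, give accept and reject equal one-click weight, record the timestamp and policy version, make withdrawal as easy as consent) is shown below as an added example written for this article; it is not code from the article, Cookiebot or Enzuzo. The `ConsentStore`, `gate` and `auditTimeline` names, the `POLICY_VERSION` label and the event timeline are all constructed for illustration. `auditTimeline` is an offline stand-in for the developer-tools check: given an ordered list of requests and the consent decision, it reports trackers that fired before consent and trackers whose category was never granted.

```javascript
// Added example, not from the article or any CMP vendor. Models consent-gated
// loading of non-essential scripts; all names and sample data are constructed.

const POLICY_VERSION = "2026-02"; // assumed label for the cookie policy in effect

// Non-essential categories that must stay blocked until consent is given.
const CATEGORIES = ["analytics", "advertising", "personalisation"];

class ConsentStore {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.record = null;      // null = no decision yet; treated exactly like "reject"
    this.loaded = new Set(); // categories whose scripts have actually fired
  }

  // Accept-all and reject-all go through the same single call, so both buttons
  // can be equally prominent one-click actions on the banner.
  decide(granted) {
    const invalid = granted.filter((c) => !CATEGORIES.includes(c));
    if (invalid.length) throw new Error(`unknown category: ${invalid.join(",")}`);
    this.record = {
      granted: new Set(granted),
      timestamp: this.now(),          // proof of consent: when
      policyVersion: POLICY_VERSION,  // proof of consent: under which policy text
    };
    return this.snapshot();
  }

  acceptAll() { return this.decide([...CATEGORIES]); }
  rejectAll() { return this.decide([]); }

  // Withdrawal is one call, as easy as giving consent; loaded state is reset
  // so nothing is treated as still permitted.
  withdraw() {
    this.record = null;
    this.loaded.clear();
    return this.snapshot();
  }

  allows(category) {
    return this.record !== null && this.record.granted.has(category);
  }

  // Wraps a tracker's loader so it cannot run before an affirmative decision,
  // and runs it at most once per category.
  gate(category, loader) {
    if (!this.allows(category)) return false;
    if (!this.loaded.has(category)) {
      loader();
      this.loaded.add(category);
    }
    return true;
  }

  snapshot() {
    if (!this.record) return { status: "pending", loaded: [...this.loaded] };
    return {
      status: "decided",
      granted: [...this.record.granted],
      timestamp: this.record.timestamp,
      policyVersion: this.record.policyVersion,
      loaded: [...this.loaded],
    };
  }
}

// Offline stand-in for the dev-tools network check. `events` is the ordered
// list of requests and the consent decision; `hostCategory` maps tracker hosts
// to the category they belong to. Returns human-readable violations.
function auditTimeline(events, hostCategory) {
  const violations = [];
  let granted = null; // null until the consent event is seen
  for (const ev of events) {
    if (ev.type === "consent") { granted = new Set(ev.granted); continue; }
    if (ev.type !== "request" || !(ev.host in hostCategory)) continue;
    const cat = hostCategory[ev.host];
    if (granted === null) violations.push(`${ev.host}: fired before consent`);
    else if (!granted.has(cat)) violations.push(`${ev.host}: ${cat} not granted`);
  }
  return violations;
}

// Constructed sample timeline: an analytics tag fires before the banner is
// answered, and an ads tag fires after the user granted analytics only.
const SAMPLE_EVENTS = [
  { type: "request", host: "www.example-shop.test" },
  { type: "request", host: "analytics.tracker.test" },
  { type: "consent", granted: ["analytics"] },
  { type: "request", host: "ads.tracker.test" },
];
const HOST_CATEGORY = {
  "analytics.tracker.test": "analytics",
  "ads.tracker.test": "advertising",
};

function demo() {
  const store = new ConsentStore(() => "2026-02-12T09:00:00Z"); // fixed clock
  let fired = 0;
  const loadAnalytics = () => { fired += 1; };
  const before = store.gate("analytics", loadAnalytics); // blocked: no decision yet
  store.decide(["analytics"]);
  const after = store.gate("analytics", loadAnalytics);  // now loads, once
  store.gate("analytics", loadAnalytics);                // already loaded, no-op
  const violations = auditTimeline(SAMPLE_EVENTS, HOST_CATEGORY);
  return { before, after, fired, violations, snapshot: store.snapshot() };
}
```

In a real page the loader passed to `gate` would inject the vendor's script tag, and `decide`/`withdraw` would be wired to the banner and the preferences screen; the timeline audit is the same comparison you make by hand in the browser's network panel, with the consent click as the dividing line.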

Violation 4: Failure to Honour Data Subject Rights

What It Means

GDPR grants individuals a set of enforceable rights over their personal data: the right to access it (Subject Access Request), the right to have it corrected, the right to have it deleted (the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object to processing. Organisations are legally required to respond to requests within one month. The violation occurs when businesses ignore these requests, miss the deadline, provide incomplete responses, or refuse without valid grounds.

This violation is distinctive because it's often triggered not by a data breach or a technical incident, but by an individual complaint — a single person who files a request, doesn't receive an adequate response, and then complains to the regulator.

How It Happens in Practice

The most common failure is simply not having a process. A subject access request arrives by email, gets forwarded to a generic inbox, and sits there because no one has clear ownership of the response. The one-month deadline passes. The individual complains to the ICO. An investigation is opened.

Other common scenarios include: providing an incomplete response that doesn't include all the personal data held, refusing deletion requests without valid grounds, requiring excessive identity verification that acts as a barrier to exercising rights, and failing to act on erasure requests made through unsubscribe links or account deletion flows that weren't processed properly.

Real Enforcement Examples

The Lithuanian data protection authority fined a company €15,000 for failing to respond to multiple subject access requests. The Romanian DPA has issued fines to businesses in the financial services sector for systematically failing to respond to erasure requests within the statutory timeframe. The ICO has issued enforcement notices — and in some cases monetary penalties — to organisations that have systematically failed to respond to SARs, including a UK-based company in the credit reference sector.

These enforcement actions share a common feature: they were triggered by individual complaints, not by regulatory proactive audits. The data subject exercised their rights, was ignored, and escalated. It's a reminder that individual rights aren't theoretical — they're enforceable, and individuals increasingly know it.

How to Avoid It

Build a Subject Access Request process before you receive one. Designate a named individual responsible for handling data subject rights requests, document the process clearly, and set internal deadlines that give you time to compile the response before the statutory one-month limit expires. Make sure you know where personal data about any given individual is held across all your systems — CRM, email platform, customer support tools, analytics databases — so you can compile a complete response. Train staff to recognise and escalate data subject rights requests, which can arrive through any channel: email, social media, a contact form, or even in conversation.

Violation 5: Unlawful International Data Transfers

What It Means

GDPR restricts the transfer of personal data to countries outside the EU and UK to situations where adequate protections are in place. Transferring personal data to a country without an adequacy decision, and without an appropriate transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules, is a violation — regardless of whether any breach or harm has occurred.

This violation is particularly relevant for businesses that use US-based software tools, cloud services, analytics platforms, or CRMs — which, in 2026, is the majority of businesses operating in the UK and EU.

How It Happens in Practice

The most common version of this violation is entirely unintentional: a business signs up for a US-based SaaS tool, integrates it with its systems, and personal data begins flowing to US servers. No one has checked whether the vendor is certified under the EU-US Data Privacy Framework, whether Standard Contractual Clauses are in place, or whether a Transfer Impact Assessment has been conducted. The transfer happens because the tool is useful, not because anyone has assessed whether it's lawful.

More sophisticated versions of the violation involve using SCCs without conducting the required Transfer Impact Assessment to verify they actually provide adequate protection in practice — the core issue at the heart of Meta's €1.2 billion fine.

Real Enforcement Examples

Meta's €1.2 billion fine in May 2023 remains the most prominent example — issued by Ireland's DPC for transferring EU user data to the US without adequate safeguards following the Schrems II ruling. But the issue extends well beyond Big Tech.

Several EU member state authorities — particularly in Austria, France, and Italy — issued rulings in 2022 finding that the use of Google Analytics constituted an unlawful data transfer to the US, given that the analytics data could identify individual users and was subject to US surveillance law. These rulings affected any business using Google Analytics without additional safeguards, which at the time was the majority of websites in Europe.

The Norwegian DPA issued a temporary ban on Meta's behavioural advertising in Norway in 2023, citing unlawful transfer grounds. Smaller businesses have received fines from German and French authorities for using US-based cloud storage and email marketing platforms without proper transfer documentation.

How to Avoid It

Map your data flows to identify every instance where personal data leaves the UK or EU. For each transfer, verify what mechanism is in place: adequacy decision, DPF certification, Standard Contractual Clauses, or Binding Corporate Rules. For SCC-based transfers, conduct and document a Transfer Impact Assessment. Check whether your US-based vendors are certified under the EU-US Data Privacy Framework — most major providers (Google, Microsoft, Salesforce, HubSpot, AWS) are certified; smaller or newer vendors may not be. Keep your vendor transfer documentation current, and review it annually or whenever you add new tools.

Bonus: What Makes Regulators Take Notice?

Not every GDPR violation results in a fine. Regulators have limited resources and make choices about where to focus enforcement action. Understanding what elevates a compliance gap into a regulatory priority helps businesses understand their actual risk profile.

Volume and sensitivity of data involved. A violation affecting millions of individuals, or involving special category data such as health records, financial information, or data relating to children, is far more likely to attract enforcement attention than the same technical violation affecting a small number of individuals with low-sensitivity data.

Evidence of wilful or repeated non-compliance. Regulators treat deliberate violations — where the organisation knew about the gap and chose not to address it — very differently from accidental failures where good faith remediation efforts are evident. Repeated violations, or failures to act on previous regulatory guidance, are significant aggravating factors in fine calculations.

Failure to cooperate with the investigation. Organisations that engage transparently with regulatory investigations, provide requested information promptly, and demonstrate genuine remediation efforts consistently receive more favourable outcomes than those that obstruct, delay, or dispute findings without basis.

Complaints filed by individuals. This is the most important trigger for small business enforcement actions. Regulators are obligated to investigate complaints from data subjects, and a single well-founded complaint can initiate an audit that uncovers broader compliance failures. The individual whose SAR was ignored, the user who couldn't find the reject button on your cookie banner, the employee whose data was handled improperly — any of them can file a complaint that sets an investigation in motion.

The Bottom Line

Looking across these five violation categories, the pattern is clear: most GDPR fines are the result of process failures, not sophisticated attacks or wilful criminality. Businesses that process data without documenting their legal basis, that use tracking cookies without proper consent, that ignore subject access requests, that transfer data internationally without checking their legal basis, or that run systems with basic preventable security gaps are not bad actors — they're organisations that haven't treated compliance as an ongoing operational discipline.

The good news is that all five violations are avoidable. None of them require a large budget, a dedicated legal team, or sophisticated technical capability. They require structured processes, documented decision-making, appropriate tools, and a commitment to reviewing and maintaining compliance as the business evolves.

The place to start is a straightforward internal audit against these five areas. Where is your legal basis documentation? How does your cookie consent actually work? What happens when a subject access request arrives? Where does your personal data go when it leaves your systems? What security controls do you have in place and when were they last reviewed?

The answers to those questions will tell you where your gaps are — and closing gaps is always cheaper than defending an enforcement action.

This article is for informational purposes only and does not constitute legal advice. GDPR enforcement actions and fine amounts referenced are based on publicly available information and are accurate as of the publication date. Always consult a qualified legal or compliance professional for advice specific to your organisation.