
GDPR Fines in 2025: What SMEs Got Wrong

Updated 13 May 2026

GDPR enforcement against small and medium businesses accelerated in 2024 and 2025. The narrative that DPAs only go after large companies is no longer accurate. Smaller companies are being fined for failures that are entirely avoidable — and the patterns are consistent enough to learn from.

This is what the data shows.


Total Fines: The Headline Numbers

Since GDPR came into force in May 2018, European DPAs have issued over €4.5 billion in fines. The largest fines — Meta's €1.2 billion, Amazon's €746 million — dominate the headlines. But in terms of number of decisions, SMEs account for a significant share of enforcement actions.

The average fine for SMEs is typically in the range of €5,000–€100,000 — not business-ending, but material for a company with limited reserves, and damaging to reputation in regulated markets.


The Most Common Reasons SMEs Are Fined

1. Failure to Respond to Data Subject Access Requests

How often: One of the most common grounds for DPA complaints across all jurisdictions.

What goes wrong: Companies either ignore DSARs, respond late, or respond incompletely. The 30-day deadline is not a target — it is a legal requirement. Many SMEs discover they have no DSAR process when the first request arrives.

Fine range: Typically €5,000–€50,000 for DSAR failures, though higher where combined with other failures.

Example: A Lithuanian company was fined €15,000 for systematically failing to respond to data subject access requests within the legal timeframe.


2. Inadequate Data Security and Breach Notification Failures

How often: Second most common enforcement category for SMEs.

What goes wrong: A breach occurs, the company either doesn't detect it, doesn't notify the supervisory authority within 72 hours, or notifies but provides insufficient information.

Two separate obligations:

  • Notify the supervisory authority within 72 hours of becoming aware (Article 33)
  • Notify affected individuals without undue delay where high risk (Article 34)

Many SMEs breach the notification deadline not because of bad faith, but because they don't have a breach detection and response procedure. They find out about a breach through a third party weeks later, which means the 72-hour clock has long expired.

Fine range: €10,000–€200,000 depending on severity.

Example: A Portuguese hospital was fined €400,000 for inadequate access controls that allowed clinical staff to access patient data outside their treatment area — a data security failure rather than a breach.


3. Unlawful Processing Basis

How often: Growing enforcement area.

What goes wrong: Using consent as the lawful basis for employee data processing (employees cannot freely consent to their employer), processing beyond the stated purpose, or having no documented lawful basis at all.

Common SME mistake: Relying on consent for everything — employee monitoring, B2B marketing, analytics — rather than identifying the correct basis for each activity. When consent is used incorrectly, all processing built on that consent collapses.

Fine range: €10,000–€100,000.

Example: A Greek company was fined €150,000 for processing employee biometric data (fingerprint time-attendance system) without a valid lawful basis.


4. No or Inadequate Privacy Notice

How often: Frequently cited as part of broader enforcement actions.

What goes wrong: No privacy notice at all, a privacy notice that doesn't cover all required elements (Article 13/14), or a notice that is so generic it doesn't accurately describe actual processing activities.

Fine range: Usually fined in combination with other failures; fines in isolation are rare and small.

Example: An Austrian company was fined €35,000 for operating a website without a GDPR-compliant privacy notice.


5. Unlawful Cookie Consent

How often: One of the fastest-growing enforcement areas.

What goes wrong: Pre-ticked boxes, consent by continued browsing, no genuine reject option, analytics loaded before consent, or consent banners that are dark-pattern designs.

Germany, France, Italy, and Spain have been particularly active. The French CNIL has issued numerous fines to companies whose cookie banners make it harder to reject cookies than to accept them.

Fine range: €10,000–€200,000.

Example: France's CNIL fined multiple companies including smaller businesses for cookie banners without an equivalent reject button. The French energy company Électricité de France received a €600,000 fine — but much smaller companies were caught in the same sweep.


6. Missing or Inadequate Data Processing Agreements

How often: Common as part of broader enforcement actions, rarely as a standalone fine.

What goes wrong: Using third-party vendors who process customer data without a signed DPA, or having a DPA template on a website that was never actually executed as a binding contract.

When it escalates: The absence of DPAs is particularly damaging when combined with a data breach — it demonstrates that the company had no control over how processors handled data.


The SME Enforcement Pattern

A review of enforcement decisions against SMEs shows a consistent pattern:

  1. A complaint triggers the investigation. Most SME enforcement starts with a data subject complaint — not a proactive DPA audit.
  2. The DPA investigates and finds multiple failures. A complaint about a DSAR triggers an investigation that discovers missing DPAs, inadequate privacy notices, and no breach procedure.
  3. Fines are cumulative. The fine is not just for the original complaint — it covers all failures identified during the investigation.

The implication: Fixing individual complaints without addressing the underlying compliance programme exposes you to the same investigation pattern in the future.


What Effective SME Compliance Looks Like

The companies that get fined share common characteristics: no documented processes, no designated responsibility for data protection, and compliance that exists only on paper if at all.

Effective SME compliance is not expensive or complex — it is organised:

  • A named person responsible for data protection
  • A maintained RoPA updated when processing changes
  • A documented DSAR response process with a tracked inbox
  • A breach response procedure with clear escalation
  • Signed DPAs with all sub-processors
  • A compliant privacy notice reviewed annually
  • A cookie consent mechanism with a genuine reject option

None of this requires a dedicated compliance team. It requires someone to own it and systems to track it.

ComplyOne generates your GDPR documentation — RoPA, DPA, privacy notices, and gap assessment — in one workflow.
