GDPR fines surge as France, U.K. lead

The General Data Protection Regulation (GDPR) enforcement authorities imposed a total of €68.18 million ($73.63 million) in fines during the first quarter of 2026, according to research from Finbold. This represents a dramatic increase from the €13.8 million ($16.12 million) imposed during the same period in 2025. Companies breaching GDPR provisions incurred approximately €757,600 ($886,000) in fines per day, highlighting the rising enforcement climate in Europe. France and the U.K. were responsible for a staggering 94% of all fines, with France alone imposing €47 million ($54.95 million) and the U.K. imposing €16.89 million ($19.74 million) in penalties.

Poland followed with €2.94 million ($3.43 million) in fines while Sweden and the Netherlands each imposed fines of €565,000 ($660,660) and €250,000 ($292,317), respectively. Marko Marjanović, a research data analyst for the report noted “Authorities are increasingly focusing on core issues like data security and lawful processing, areas where violations are harder to justify.” The biggest fine during this quarter was €27 million ($31.52 million) levied against Free Mobile, a French telecommunications company penalised by CNIL on January 13 due to subscriber data security breaches.

The second-largest penalty, €16 million ($18.69 million), was issued to Reddit on February 23 for failing to protect underage users’ data. Additionally, on January 8, Fee, the parent branch of Free Mobile, paid €15 million ($17.52 million) for inadequate technical and organisational measures. Just two weeks later, on January 22, France Travail, a governmental agency, was fined €5 million ($5.84 million) for not securing job seeker information. Notably, DPD Polska, a Polish forwarding company, paid €2.68 million ($3.13 million) on February 5 for insufficient data processing practices.

Jordan Major and Diana Paluteder, co-authors of the report commented “GDPR enforcement in 2026 clearly signals a renewed regulatory assertiveness,” adding that “The sharp increase in fines, particularly concentrated in France and the U.K., shows that regulators are no longer just setting precedents, but actively scaling enforcement.” Insufficient legal basis for data processing remains the dominant violation, leading to 849 fines totalling €2.99 billion ($3.49 billion) since the law's inception in 2018. Spain holds the record for the most fines, totalling 1060.

The sectors most impacted by these fines continue to be media, telecommunication, and broadcasting, with total fines reaching €4.97 billion ($5.8 million). The highest individual fine remains that of Meta Platforms, which was penalised €1.2 billion ($1.3 billion) by Ireland in May 2023. For further details on this report, you can find the full analysis at Finbold.