Article 83 GDPR · EDPB Guidelines 04/2022

Estimate your maximum fine exposure.

Calculated per the five-step EDPB methodology adopted 24 May 2023 (or the ICO 2024 fining guidance for UK undertakings). All figures are estimates — not legal advice — but they show the math.

Scenario inputs

Five-step EDPB methodology · Art 83 GDPR · ICO 2024 for UK

Jurisdiction

Role under GDPR

Violation type

Article 83 tier

Annual worldwide turnover (EUR)

Undertaking size (SME band)

Seriousness band (EDPB step 2)

Intent character (Art 83(2)(b))

Affected data subjects

Duration of infringement (months)

Art 9 special-category or Art 10 criminal data involved

Aggravating factors (0–7)

Mitigating factors (0–7)

Turnover currency

Article 83 GDPR · EDPB 04/2022 v2.1

Estimated fine exposure

€2,500,000

Band: €1,500,000 – €4,000,000

0€20,000,000 fixed cap

Starting: €2,500,000
Mid: €2,500,000
Ceiling: €20,000,000

EDPB five-step breakdown

1.
Violation identified — security art32 · Art 83(5) tier · EU IE.
2.
Starting point — Seriousness medium → 12.5% × statutory ceiling €20,000,000 = €2,500,000.
3.
Aggravating × mitigating — Aggravating × 1.00 (intent negligent) · mitigating × 1.00 → €2,500,000.
4.
Legal maximum cap check — Cap basis: €20,000,000 fixed cap (Art 83(5)). Uncapped figure stays below the ceiling.
5.
Proportionality note — Mid estimate €2,500,000 sits 12.5% below the statutory ceiling.

EU vs UK methodology

Both regulators apply a five-step methodology with the same overall logic; the statutory caps and currency diverge.

Threshold	EU (GDPR Art 83)	UK (ICO 2024)
Lower tier (Art 83(4))	€10,000,000 or 2% turnover	£8,700,000 or 2% turnover
Upper tier (Art 83(5))	€20,000,000 or 4% turnover	£17,500,000 or 4% turnover
Methodology	EDPB Guidelines 04/2022 v2.1	ICO Fining Guidance, March 2024
Seriousness step	Low 5% · Medium 12.5% · High 40%	Aligned (ICO §61)

Recent enforcement context

Decisions cited by EDPB and CMS Enforcement Tracker — useful as comparators when arguing proportionality at step 5.

Year	Regulator	Subject & article	Fine
2023	DPC (Ireland)	Meta Platforms Ireland Ltd — international data transfersArt 46(1) GDPR	€1,200,000,000
2022	DPC (Ireland)	Meta Platforms — Instagram children's data exposureArt 5(1)(a),(c) · Art 6(1) · Art 12(1) · Art 25	€405,000,000
2023	DPC (Ireland)	TikTok Technology Ltd — children's dataArt 5(1)(a),(c),(f) · Art 24(1) · Art 25 · Art 12 · Art 13	€345,000,000
2022	ICO (UK)	Clearview AI — biometric scrapingUK GDPR Art 5, 6, 9, 14 · DPA 2018	€20,000,000
2024	Datatilsynet (Netherlands)	Uber B.V. — driver data transfers to USArt 44 GDPR	€290,000,000

Source: regulator press releases · CMS Enforcement Tracker (checked 2026-06-08).

Disclaimer

Results are orientative estimates derived from public regulator guidance. They do not constitute legal, tax, or financial advice. Consult a qualified Data Protection Officer or counsel before relying on any figure for board reporting or DPA correspondence.