GDPR Fines for Small Businesses: Real Cases and Amounts

Steven | TrustYourWebsite · 15 April 2026 · Last updated: May 2026

When people talk about GDPR fines, they mention the big numbers. 1.2 billion euros for Meta. 746 million for Amazon. These headlines create two problems. They make GDPR feel like a big-company problem. And they make the real fines for small businesses seem minor by comparison.

They are not minor if you are the one paying them. Across the EDPB national news feed and the published registers of the national data protection authorities, small-business GDPR sanctions cluster between roughly 1,000 and 50,000 euros. For a local salon, restaurant or dental practice, a 5,000 euro fine still hurts. And the fine usually arrives with a corrective order that costs even more to implement.

Here are real cases, all taken from regulators' published decisions.

Real GDPR fines for small businesses

The following cases are summaries. Each one points to the regulator's published decisions register, where you can verify the original ruling and the amount imposed.

Romanian hairdresser: CCTV without notice

A hair salon installed CCTV cameras across the salon floor and the entrance. The cameras recorded clients and staff without any visible notice or privacy policy explaining the recording. The Romanian data protection authority opened a sanction procedure under Articles 12 and 13 GDPR (transparency and the duty to inform). Decisions of this kind from ANSPDCP are published on the Romanian DPA news index, where each entry lists the controller, the violated articles and the fine.

The issue was not the cameras themselves. The issue was that nobody was informed they were being recorded. A simple sign explaining what was recorded, why and how long the footage was kept would have prevented the case.

German bakery: employee data violation

A bakery in Lower Saxony was investigated for improperly handling employee data. The business collected health data from staff without a valid legal basis and stored it without adequate security measures. State data protection authorities in Germany publish their annual activity reports through the German federal DPA portal where every Land office links back to its own decisions.

The fine itself was modest by German standards. The corrective order forced the bakery to overhaul its entire employee data process. The compliance cost exceeded the fine.

Greek small business: missing privacy policy

The Hellenic Data Protection Authority opened a sanction procedure against a small Greek company operating a website that collected personal data through contact forms without any privacy policy. No cookie consent, no information about data processing, no contact details for the data controller. The case appears in the Hellenic DPA decisions register alongside the article references and the imposed fine.

This kind of case stings because a basic privacy policy takes an afternoon to set up. A five-figure fine for something that could have been prevented with a few hours of work is a recurring pattern in the register.

Spanish restaurants: Google Analytics without consent

The Spanish AEPD has fined hospitality businesses for running Google Analytics on their websites without obtaining visitor consent first. The cases are filed on the AEPD resolutions register, which lets you filter by sanction procedure (PS) and by violated GDPR article. A typical example: a restaurant website with no cookie banner at all. Google Analytics loaded on every page, sending visitor IP addresses and browsing behaviour to Google servers in the United States.

After the Schrems II ruling (C-311/18) invalidated the EU-US Privacy Shield in July 2020, transferring visitor data to US-based services became a much bigger problem, and consent was one of the few remaining grounds to rely on. The EU-US Data Privacy Framework adopted in July 2023 restored an adequacy basis for transfers to certified US companies, but it does not remove the need for consent before the analytics cookies are set in the first place, so the small-business hospitality cases in the AEPD register still turn on the missing banner.

Dutch websites: cookies placed before consent

The Autoriteit Persoonsgegevens ramped up cookie enforcement throughout 2024 and 2025. While many actions targeted larger companies, the AP also sent warning letters and corrective orders to small business websites. The pattern was consistent: websites placing tracking cookies, analytics or embedded third-party content without prior consent.

The AP started with warnings and moved to fines for businesses that did not comply after being notified. You can read more about the Dutch AP cookie enforcement actions and what they mean for your website.

How the cases compare

Country      | Regulator     | Typical small-business range   | Trigger                                | Where to verify
Romania      | ANSPDCP       | Low to mid four figures        | CCTV without notice or policy          | Comunicate amenzi
Germany      | Länder DPAs   | Variable per state             | Employee data, cookies                 | BfDI portal
Greece       | Hellenic DPA  | Mid four to low five figures   | No privacy policy or banner            | dpa.gr decisions
Spain        | AEPD          | Low four figures upward        | Analytics or tracking without consent  | Resoluciones register
France       | CNIL          | Low to high five figures       | Cookies, transparency                  | Sanctions issued by the CNIL
Netherlands  | AP            | Warning letters, then fines    | Cookies, dark patterns                 | AP news feed
Italy        | Garante       | Low to high five figures       | Marketing, tracking                    | EDPB Italy feed

The single best cross-country starting point is the EDPB national news feed. Every member-state DPA posts new sanctions there with links to the underlying national decision.

Warnings, corrective orders and fines

Not every GDPR issue leads to a fine. Data protection authorities have a range of tools.

Warnings. A formal letter telling you that something on your website violates the GDPR and giving you a deadline to fix it. This is the most common first step for small businesses. No fine, but you must act.

Corrective orders. An instruction to change specific practices within a set timeframe. Failure to comply leads to fines. The cost of implementing corrections can be significant if you need to change how your entire website handles data.

Fines. The headline punishment. For small businesses, these typically range from 1,000 to 50,000 euros. Repeat offenders and businesses that ignore warnings face higher amounts.

The EDPB Guidelines 04/2022 on the calculation of administrative fines, adopted in final form on 24 May 2023, set out a structured method that every DPA is expected to follow. The method weighs the nature and seriousness of the infringement, the undertaking's turnover, intent or negligence, cooperation with the authority and any prior violations.

EDPB five-step fine calculation

  1. Identify the processing operations at issue and apply Article 83(3): several linked infringements arising from the same operations attract one fine, capped by the most serious one.
  2. Find the starting point: classify the infringement under Article 83(4) to (6), assess its seriousness (nature, gravity, duration, categories of data, number of people affected) and take the undertaking's turnover into account.
  3. Adjust for aggravating and mitigating circumstances under Article 83(2), such as action taken to limit the damage, the degree of cooperation and previous infringements.
  4. Check the legal maximums: 10 million euros or 2 percent of worldwide annual turnover, or 20 million euros or 4 percent, whichever is higher, depending on the provision breached.
  5. Verify that the final amount is effective, proportionate and dissuasive (Article 83(1)) and adjust it if it is not.

For a small business with around 200,000 euros in annual revenue, a standard fine for a basic website violation under this method typically lands between 2,000 and 10,000 euros. Always verify the band against the specific decisions in your country, because regulators apply the same framework with different starting points.

What triggers enforcement against small businesses

Data protection authorities do not randomly audit websites. Here is what actually triggers an investigation.

Customer complaints. This is the number one trigger. A visitor to your website submits a complaint to the local data protection authority. Maybe they could not figure out how to opt out of cookies. Maybe they asked you to delete their data and you did not respond. One complaint is enough to start an investigation.

Competitor reports. Anyone can tip off a DPA, and in some countries, particularly Germany, competitors can also sue directly under unfair-competition law for GDPR violations; the CJEU confirmed in C-21/23 (Lindenapotheke, October 2024) that national law may allow this. It is sometimes used as a competitive tactic in industries where local businesses compete for the same customers.

Automated scans by authorities. Several DPAs now run their own website scanning programmes. The Dutch AP, the French CNIL and the Spanish AEPD have all conducted mass scans looking for cookie consent violations.

Data breaches. If your website is hacked and personal data is exposed, Article 33 requires you to notify your data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to put the people affected at risk. You must document every breach either way (Article 33(5)). The investigation that follows a notification often reveals other problems on your website.

The principle of proportionality

GDPR Article 83 requires that fines be "effective, proportionate and dissuasive". For a small business, proportionate means the fine should be meaningful enough to motivate change but not so large that it destroys the business.

In practice this means:

  • A salon with 150,000 euros annual revenue will not get the same fine as a tech company with 150 million
  • First-time violations with good-faith cooperation typically receive lower fines
  • Corrective actions taken before the decision can reduce the penalty
  • The number of affected data subjects matters. A local business affecting 500 people faces lower fines than one affecting 50,000

This does not mean small businesses are safe from fines. It means the fines are scaled to what the authority believes will actually change behaviour.

How to reduce your risk

Most small business GDPR problems come from websites, not deliberate data misuse. Strictly, the consent requirement for cookies and similar storage comes from Article 5(3) of the ePrivacy Directive, with the GDPR supplying the standard that consent has to meet; DPAs enforce the two together. The most common website issues are:

  1. No cookie consent banner or a banner that does not actually block cookies until consent is given
  2. Google Analytics, Facebook Pixel or similar tracking running without consent
  3. Third-party embeds like Google Fonts, YouTube videos or Google Maps loading visitor data before consent
  4. Missing or incomplete privacy policy
  5. Contact forms collecting data without explaining what happens to it
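Item 1 on the list is where most banners fail: they show a dialog but the tags fire anyway. One way to make the gate real, so that no tracker or embed loads before consent, is the pattern below. It is an added example written for this page, not code from TrustYourWebsite, from any vendor or from any regulator. The cookie name site_consent, the three categories, the data-consent and data-src attribute names and the sample tag URLs in the comments are this example's own assumptions. Gated scripts are shipped with type="text/plain", which the browser parses but never executes, and embeds carry data-src instead of src; only elements whose category the stored consent record covers are activated, and a missing, malformed or unknown value fails closed.

```javascript
// Added example: consent-gated loading of third-party scripts and embeds.
// Cookie name, category names and data-* attribute names are assumptions
// made for this example, not taken from any vendor or regulator.
const CONSENT_COOKIE = "site_consent";
const CATEGORIES = ["analytics", "marketing", "embeds"];

// Parse the stored consent record from a document.cookie-style string.
// Returns {analytics, marketing, embeds} booleans, or null when there is no
// record or the record is malformed. Callers must treat null as "no consent".
function parseConsent(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const consent = {};
      for (const c of CATEGORIES) consent[c] = record[c] === true; // absent = refused
      return consent;
    } catch (_) {
      return null; // malformed cookie: fail closed
    }
  }
  return null;
}

// Build the document.cookie / Set-Cookie value for the choice the visitor made.
// Anything not explicitly true is stored as false, so "Reject all" and an
// empty choice both produce a record under which nothing loads.
function consentCookieValue(choice, maxAgeSeconds = 180 * 24 * 3600) {
  const record = {};
  for (const c of CATEGORIES) record[c] = choice[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Pure decision function: which gated elements may be activated under the
// given consent. An element whose category the banner does not know is never
// activated, so a mistyped data-consent value fails closed rather than open.
function allowedElements(consent, elements) {
  if (!consent) return [];
  return elements.filter(
    (el) => CATEGORIES.includes(el.category) && consent[el.category] === true
  );
}

// Browser side. Gated markup looks like (URLs are illustrative placeholders):
//   <script type="text/plain" data-consent="analytics"
//           src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
//   <iframe data-consent="embeds"
//           data-src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
// A script the parser already saw does not run when its type is changed
// later, so each allowed script is replaced by a freshly created element.
function applyConsent(doc, consent) {
  const scripts = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const frames = Array.from(doc.querySelectorAll("iframe[data-consent][data-src]"));
  const candidates = scripts.concat(frames).map((el) => ({ el, category: el.dataset.consent }));
  let activated = 0;
  for (const { el } of allowedElements(consent, candidates)) {
    if (el.tagName === "SCRIPT") {
      const live = doc.createElement("script");
      const src = el.getAttribute("src");
      if (src) live.src = src; else live.textContent = el.textContent;
      el.replaceWith(live);
    } else {
      el.src = el.dataset.src;
      el.removeAttribute("data-src");
    }
    activated += 1;
  }
  return activated;
}

// In a browser: run once on load, and again after the banner writes the cookie
// with consentCookieValue(...). Under Node only the pure helpers are exercised.
if (typeof document !== "undefined") {
  applyConsent(document, parseConsent(document.cookie));
}
```

The important property is that the decision is made from the stored record alone, so a page served to a visitor with no cookie activates nothing, and a banner that merely hides itself on "Accept" without writing the record still loads nothing. Scripts injected by a tag manager or a theme outside this gate are not covered, which is exactly what a scan of the live page should check.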

You can check all of these with a free scan. It takes two minutes and covers the issues that most commonly trigger enforcement.

If you want a full walkthrough of what your website needs, our GDPR compliance checklist breaks it down step by step. GDPR also requires you to keep your website secure, and inadequate security has been a factor in several of the fines listed above.

Want to check your site against the rules cited above? The scan covers cookie consent, tracking before consent, privacy policy completeness and the third-party embed issues that drive most published small-business decisions.

Common questions

Can a data protection authority fine me without warning first?

Technically yes. In practice, most DPAs issue a warning or corrective order to small businesses before imposing a fine. But this is not guaranteed. If the violation is serious, intentional or involves a data breach, a fine can come without prior warning.

Does GDPR apply to my website if I am a sole trader?

Yes. Under Article 3, GDPR applies to anyone established in the EU who processes personal data, and to anyone outside the EU who offers goods or services to, or monitors the behaviour of, people in the EU, regardless of size. Sole traders, freelancers and one-person businesses are all covered. Size changes very little: Article 30(5) relaxes the record-keeping duty for organisations with fewer than 250 employees in limited cases, and fines are scaled to turnover, but the obligations on your website are the same.

What is the smallest GDPR fine ever issued?

Fines under 1,000 euros have been recorded in the EDPB national news feed and in the AEPD resolutions register. They are unusual. For website-related violations, fines below 1,000 euros are rare. Most authorities consider anything below that threshold not worth the administrative effort.

Can I appeal a GDPR fine?

Yes. Every fine decision must state the available remedy and the deadline for using it. Appeals go to the national courts of the country that issued the fine. Small businesses have successfully reduced or overturned fines on appeal, particularly when they can show they have taken corrective action.

Is GDPR enforcement getting stricter or more lenient?

Stricter. The total value of GDPR fines has grown sharply since 2018, although the annual headline figure swings with a handful of big-tech decisions. More importantly for small businesses, DPAs are increasingly using automated scanning tools that can check thousands of websites at once. The Dutch AP, the French CNIL and the Italian Garante have all announced expanded enforcement programmes targeting websites.
