GDPR Enforcement Tracker Report 2023 (4th Edition - Anniversary Edition)
In time for the fifth anniversary of the introduction of the General Data Protection Regulation, we have released the fourth edition of our annual GDPR Enforcement Tracker Report. This report analyses all publicly available information on data protection fines across Europe since May 2018.
You can view the report (online) here. For a quick overview, check out the Executive Summary.
The most important findings are:
- Since 25 May 2018, European data protection authorities have imposed more than 1,500 known fines totalling EUR 2.77 billion. In the analysis period of this year's report, 545 new fines were issued totalling around EUR 1.19 billion. This indicates that data protection authorities are continuing to enforce the sanctions outlined by the GDPR.
- In addition to record fines in the hundreds of millions, a large number of smaller fines have also been imposed, providing valuable information on the enforcement practice. The highest risk of fines is in the business-to-consumer sector, for example in the areas of Industry & Commerce and Media, Telecoms and Broadcasting. Data processing without a legal basis, non-compliance with data processing principles and inadequate data/information security measures were the most frequent legal violations.
- Implementation of the GDPR is still strongly influenced by national laws and the local supervisory authorities’ practices, especially in relation to sanctions. This is despite the intention of the GDPR to fully harmonize data protection law in the EU (further information also in the "Enforcement Insights per Country" section). In addition to fines, other measures may become more prevalent in the future, such as the restriction or prohibition of data processing. There are already instances of this, such as in the Italian supervisory authority’s case against a provider of generative AI.
- Numerous questions regarding the interpretation of the GDPR, including those related to sanctions, have not yet been conclusively answered. Ultimately, the European Court of Justice will decide on these issues.
The Enforcement Tracker Report is based on publicly available information in CMS's continuously updated database, the GDPR Enforcement Tracker.
More information on the people behind the EFT report and details of all CMS Data Protection Contacts can be found in the Executive Summary.