GDPR Fine Risk Estimator
Estimates your potential GDPR fine exposure under Articles 83(4) and 83(5) of the GDPR, based on violation severity, annual global turnover, number of data subjects affected, and mitigating or aggravating factors.
Formula & Methodology
Step 1 – Statutory Maximum (Art. 83 GDPR):
- Lower Tier (Art. 83(4)): Max(€10,000,000 ; Turnover × 2%)
- Upper Tier (Art. 83(5)): Max(€20,000,000 ; Turnover × 4%)
Step 2 – Subject Scale Factor:
subjectScale = min(log₁₀(subjects) / 6, 1.0)
Maps 1 to 1,000,000+ affected individuals onto a 0–1 scale using a logarithmic curve.
Step 3 – Base Fine Percentage:
basePct = 10% + (50% × subjectScale)
Ranges from 10% (minimal exposure) to 60% of the statutory maximum.
Step 4 – Base Fine:
baseFine = statutoryMax × basePct
Step 5 – Adjustment Multiplier (Art. 83(2) factors):
multiplier = sensitivity × intent × duration × cooperation × prior × remediation
Each factor reflects criteria listed in Art. 83(2)(a)–(k) GDPR.
Step 6 – Estimated Fine (capped at statutory max):
estimatedFine = min(baseFine × multiplier, statutoryMax)
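The six steps above, carried through as a small Python implementation. This is an added worked example written for this page, not the estimator's own source code; the factor names, the treatment of fewer than one data subject (clamped to 1 so the logarithm is defined) and the sample inputs are assumptions.

```python
"""Worked example of the six-step fine estimate described above.

Illustrative code added to this page; it is not the tool's own
implementation. Factor names, the clamp of subjects to at least 1,
and the sample inputs below are assumptions."""
import math

LOWER_TIER = "lower"  # Art. 83(4): max(EUR 10M, 2% of turnover)
UPPER_TIER = "upper"  # Art. 83(5): max(EUR 20M, 4% of turnover)

# Art. 83(2) adjustment factors; >1 aggravates, <1 mitigates, 1 is neutral.
FACTOR_NAMES = ("sensitivity", "intent", "duration",
                "cooperation", "prior", "remediation")


def statutory_max(turnover_eur: float, tier: str) -> float:
    """Step 1: statutory maximum under Art. 83(4) or 83(5)."""
    if tier == LOWER_TIER:
        return max(10_000_000.0, turnover_eur * 0.02)
    if tier == UPPER_TIER:
        return max(20_000_000.0, turnover_eur * 0.04)
    raise ValueError(f"unknown tier: {tier!r}")


def subject_scale(subjects: int) -> float:
    """Step 2: min(log10(subjects) / 6, 1.0).

    Assumption: fewer than one subject is clamped to 1, which yields a
    scale of 0 instead of a math domain error."""
    n = max(int(subjects), 1)
    return min(math.log10(n) / 6.0, 1.0)


def base_pct(scale: float) -> float:
    """Step 3: 10% + (50% x scale), i.e. 0.10 .. 0.60 of the maximum."""
    return 0.10 + 0.50 * scale


def adjustment_multiplier(factors: dict) -> float:
    """Step 5: product of the six factors; a missing factor counts as 1.0."""
    m = 1.0
    for name in FACTOR_NAMES:
        m *= float(factors.get(name, 1.0))
    return m


def estimate_fine(turnover_eur: float, subjects: int,
                  tier: str, factors: dict) -> dict:
    """Steps 1 to 6 combined. Returns every intermediate value so the
    result can be audited, plus whether the statutory cap was hit."""
    smax = statutory_max(turnover_eur, tier)          # Step 1
    scale = subject_scale(subjects)                   # Step 2
    pct = base_pct(scale)                             # Step 3
    base = smax * pct                                 # Step 4
    mult = adjustment_multiplier(factors)             # Step 5
    raw = base * mult
    fine = min(raw, smax)                             # Step 6
    return {
        "statutory_max": smax,
        "subject_scale": scale,
        "base_pct": pct,
        "base_fine": base,
        "multiplier": mult,
        "estimated_fine": fine,
        "capped": raw > smax,
    }


if __name__ == "__main__":
    # Constructed sample: EUR 1bn group turnover, 10,000 subjects,
    # an Art. 83(5) infringement, mixed aggravating/mitigating factors.
    sample_factors = {"sensitivity": 1.5, "intent": 1.2, "duration": 1.0,
                      "cooperation": 0.8, "prior": 1.0, "remediation": 0.9}
    result = estimate_fine(1_000_000_000, 10_000, UPPER_TIER, sample_factors)
    for key, value in result.items():
        print(f"{key:15s} {value}")
```

With the constructed sample the statutory maximum is EUR 40,000,000 (4% of EUR 1bn), the subject scale is 4/6, the base percentage is about 43.3%, the base fine is about EUR 17.33M, the multiplier is 1.296 and the estimate lands at EUR 22,464,000, below the cap. Because turnover should reflect the whole undertaking, feed the group-level figure into `turnover_eur`.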
Assumptions & References
- GDPR Art. 83(4): Infringements of processor obligations, child consent (Art. 8), privacy by design (Art. 25), DPO rules (Arts. 37–39), certification bodies (Arts. 42–43), monitoring bodies (Art. 41(4)).
- GDPR Art. 83(5): Infringements of basic principles (Arts. 5–7, 9), data subject rights (Arts. 12–22), international transfers (Arts. 44–49), supervisory authority orders (Art. 58(2)).
- The logarithmic subject scale reflects regulatory guidance that the number of affected individuals is a key severity indicator (EDPB Guidelines 04/2022 on calculation of fines).
- Multiplier factors are derived from the eight criteria in Art. 83(2)(a)–(k), including nature/gravity/duration, intentional/negligent character, mitigation actions, categories of data, and prior infringements.
- The EDPB's 2023 Guidelines on Administrative Fines (04/2022) establish a five-step methodology; this tool approximates that framework for estimation purposes.
- "Undertaking" is interpreted per EU competition law (entire economic entity), not just the legal entity — turnover should reflect the entire corporate group where applicable.
- This tool does not account for jurisdiction-specific DPA practices, reputational costs, litigation exposure, or remediation costs.
- Not legal advice. Consult a qualified data protection lawyer for formal risk assessment.