TrustYourWebsite

GDPR Fines for Small Businesses: Real Cases and Amounts

15 April 2026

When people talk about GDPR fines, they mention the big numbers. 1.2 billion euros for Meta. 746 million for Amazon. These headlines create two problems. They make GDPR feel like a big-company problem. And they make the real fines for small businesses seem minor by comparison.

They're not minor if you're the one paying them.

Small business GDPR fines typically range from 1,000 to 50,000 euros. That's not millions, but for a local salon, restaurant or dental practice, a 5,000 euro fine hurts. And the fine often comes with a corrective order that costs even more to fix.

Here are real cases with real amounts.

Real GDPR fines for small businesses

Romanian hairdresser: 2,500 EUR for CCTV without notice (2019)

A hair salon in Romania installed CCTV cameras covering the salon floor and entrance. The cameras recorded clients and staff without any visible notice or privacy policy explaining the recording. The Romanian data protection authority, ANSPDCP, fined the salon 2,500 euros.

The issue wasn't the cameras themselves. The issue was that nobody was told they were being recorded. A visible sign naming the operator and stating what is recorded, why, and how long the footage is kept, with a pointer to a fuller notice, is the minimum Article 13 information for CCTV and would very likely have avoided the fine.

German bakery: employee data violation (2020)

A bakery in Lower Saxony was fined for improperly handling employee data. The business collected health data from staff, which is special-category data under Article 9 and needs a specific Article 9 condition on top of an ordinary legal basis, without any valid basis, and stored it without adequate security measures.

The fine was relatively small by German standards, but the corrective order required the bakery to overhaul its entire data handling process for employees. The compliance cost exceeded the fine itself.

Greek company: 20,000 EUR for missing privacy policy (2022)

The Hellenic Data Protection Authority fined a small Greek company 20,000 euros for operating a website that collected personal data through contact forms without any privacy policy. No cookie consent, no information about data processing, no contact details for the data controller.

This one stings because a basic privacy policy takes an afternoon to set up. Twenty thousand euros for something that could have been prevented with a few hours of work.

Spanish restaurant: 3,000 EUR for Google Analytics without consent

The AEPD fined a restaurant in Spain 3,000 euros for running Google Analytics on its website without obtaining visitor consent first. The restaurant's website had no cookie banner at all. Google Analytics loaded on every page, setting its cookies and sending visitor IP addresses and browsing behaviour to Google's servers in the US.

After the Schrems II ruling of July 2020 invalidated the EU-US Privacy Shield, sending visitor data to US-based services without a valid transfer mechanism became a much bigger problem, on top of the consent the tracking cookies themselves already required. (The EU-US Data Privacy Framework adopted in July 2023 restored an adequacy basis for certified US providers; it changed nothing about the need for consent before analytics cookies are set.) This restaurant was an early example of enforcement reaching small hospitality businesses.

Dutch small business websites: cookie warnings and corrective orders (2024)

The Autoriteit Persoonsgegevens (AP) ramped up cookie enforcement in the Netherlands throughout 2024. While many actions targeted larger companies, the AP also sent warning letters and corrective orders to small business websites.

The pattern was consistent: websites using tracking cookies, analytics or embedded third-party content without prior consent. The AP's approach started with warnings and moved to fines for businesses that didn't comply after being notified.

You can read more about the Dutch AP cookie enforcement actions and what they mean for your website.

Warnings vs. corrective orders vs. fines

Not every GDPR violation leads to a fine. Data protection authorities have a range of tools.

Warnings. A formal letter telling you that something on your website violates GDPR and giving you a deadline to fix it. This is the most common first step for small businesses. No fine, but you must act.

Corrective orders. An instruction to change specific practices within a set timeframe. Failure to comply leads to fines. The cost of implementing corrections can be significant, especially if you need to change how your entire website handles data.

Fines. The headline punishment. For small businesses, these typically range from 1,000 to 50,000 euros. Repeat offenders and businesses that ignore warnings face higher amounts.

The EDPB's guidelines on calculating administrative fines (Guidelines 04/2022, finalised in 2023) established a more structured approach. They start from the seriousness of the infringement and the controller's turnover, then adjust for aggravating and mitigating factors such as intent or negligence, cooperation with the authority and prior violations. As an illustration, for a small business with 200,000 euros in annual revenue, a "standard" fine for a basic website violation would typically land between 2,000 and 10,000 euros.

What triggers enforcement against small businesses

Data protection authorities don't randomly audit websites. Here's what actually triggers an investigation.

Customer complaints. This is the number one trigger. A visitor to your website submits a complaint to the local data protection authority. Maybe they couldn't figure out how to opt out of cookies. Maybe they asked you to delete their data and you didn't respond. One complaint is enough to start an investigation.

Competitor reports. In some countries, particularly Germany, competitors can act on your data practices, either by complaining to the authority or by sending a cease-and-desist letter (Abmahnung) under unfair competition law. This is sometimes used as a competitive tactic, especially in industries where local businesses compete for the same customers.

Automated scans by authorities. Several DPAs now run their own website scanning programs. The Dutch AP, French CNIL and Spanish AEPD have all conducted mass scans of websites looking for cookie consent violations.

Data breaches. If your website is hacked and customer data is exposed, you're required to report this to your data protection authority within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to the people affected. The investigation that follows often reveals other compliance gaps on your website.

The principle of proportionality

GDPR Article 83 requires that fines be "effective, proportionate and dissuasive." For a small business, proportionate means the fine should be meaningful enough to motivate change but not so large that it destroys the business.

In practice, this means:

  • A salon with 150,000 euros annual revenue won't get the same fine as a tech company with 150 million
  • First-time violations with good-faith cooperation typically receive lower fines
  • Corrective actions taken before the decision can reduce the penalty
  • The number of affected data subjects matters. A local business affecting 500 people faces lower fines than one affecting 50,000

This doesn't mean small businesses are safe from fines. It means the fines are scaled to what the authority believes will actually change behavior.

How to reduce your risk

Most small business GDPR violations come from websites, not deliberate data misuse. The most common website issues are:

  1. No cookie consent banner, or a banner that doesn't actually block cookies until consent is given
  2. Google Analytics, Facebook Pixel or similar tracking running without consent
  3. Third-party embeds like Google Fonts, YouTube videos or Google Maps sending the visitor's IP address and request details to the third party before consent
  4. Missing or incomplete privacy policy
  5. Contact forms collecting data without explaining what happens to it
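The first three items are one engineering problem: a third-party script that sets cookies or phones home must not be injected into the page until the visitor has opted in to its category, and that choice has to be stored so it is honoured on the next page view. The loader below is an added example written for this article, not code from the original page or from TrustYourWebsite's scanner. The GA4 measurement ID, the storage key name and the `window.consent` global are assumptions; the loader URLs and the `_ga`, `_gid`, `_fbp` and `_fbc` cookie names are the vendors' real ones. The `audit()` method is the check a practitioner wants for item 1: paste `consent.audit(document.cookie)` into the browser console before touching the banner, and any name it returns is a tracking cookie the banner failed to block.

```javascript
// Consent-gated tag loader with a cookie audit. Added example, not code from
// the original article; the GA4 measurement ID and the storage key are
// placeholders (assumptions), the loader URLs are the vendors' public ones.

// Per consent category: the scripts that may only load after opt-in, and the
// cookie-name prefixes those scripts are known to set (_ga/_gid for Google
// Analytics, _fbp/_fbc for the Meta Pixel).
const TAGS = {
  analytics: {
    scripts: [{ name: "ga4", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX" }],
    cookiePrefixes: ["_ga", "_gid"],
  },
  marketing: {
    scripts: [{ name: "meta-pixel", src: "https://connect.facebook.net/en_US/fbevents.js" }],
    cookiePrefixes: ["_fbp", "_fbc"],
  },
};

const STORAGE_KEY = "consent-v1"; // assumed name; change the suffix when categories change

// loadScript(src) injects a <script>; storage is Storage-like (localStorage
// in the browser). Both are passed in so the gating logic runs outside a browser.
function createConsentManager(loadScript, storage, tags = TAGS) {
  const granted = new Set();
  const loaded = new Set();

  function loadGranted() {
    for (const category of granted) {
      for (const tag of tags[category].scripts) {
        if (loaded.has(tag.name)) continue; // idempotent: a tag is injected once
        loadScript(tag.src);
        loaded.add(tag.name);
      }
    }
  }

  function persist() {
    // Keep the choice with a timestamp: the controller must be able to show
    // what was consented to and when (GDPR Art. 7(1)).
    storage.setItem(STORAGE_KEY, JSON.stringify({ categories: [...granted], at: new Date().toISOString() }));
  }

  return {
    // Called by the banner's accept handler with the ticked categories.
    grant(categories) {
      const unknown = categories.filter((c) => !(c in tags));
      if (unknown.length) throw new Error(`unknown consent category: ${unknown.join(", ")}`);
      categories.forEach((c) => granted.add(c));
      persist();
      loadGranted();
    },
    // Withdrawal must be as easy as consent (Art. 7(3)). A script that has
    // already run cannot be unloaded, so reload the page when this returns true.
    revoke() {
      const needsReload = loaded.size > 0;
      granted.clear();
      storage.removeItem(STORAGE_KEY);
      return needsReload;
    },
    // On every page load: replay a stored choice. Default is deny; a missing
    // or malformed record loads nothing and the banner is shown again.
    restore() {
      let record = null;
      try { record = JSON.parse(storage.getItem(STORAGE_KEY)); } catch { /* malformed: treat as no choice */ }
      if (!record || !Array.isArray(record.categories)) return false;
      record.categories.filter((c) => c in tags).forEach((c) => granted.add(c));
      loadGranted();
      return granted.size > 0;
    },
    // Banner sanity check: given a document.cookie string, return tracking
    // cookies present for categories without consent. Anything listed before
    // the visitor has clicked accept means the banner is cosmetic.
    audit(cookieString) {
      const names = cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
      return names.filter((n) =>
        Object.entries(tags).some(([category, spec]) =>
          !granted.has(category) && spec.cookiePrefixes.some((p) => n.startsWith(p))));
    },
    isGranted: (category) => granted.has(category),
    loadedTags: () => [...loaded],
  };
}

// Browser wiring; skipped outside a browser so the file also loads in Node.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const consent = createConsentManager((src) => {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  }, localStorage);
  window.consent = consent; // assumed global for the banner UI to call grant()/revoke()
  if (!consent.restore()) {
    // No valid stored choice: show the banner here. Until grant() is called
    // from its accept handler, nothing in TAGS is fetched.
  }
}
```

Script injection and storage are passed in rather than hard-coded so the gating logic can be exercised in Node with a fake loader; in the browser the wiring at the bottom injects real script tags. `revoke()` can only stop future loads, which is why it returns a flag telling the caller to reload the page after a withdrawal.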

You can check all of these with a free compliance scan. It takes two minutes and covers the issues that most commonly trigger enforcement: an external scan sees exactly what a visitor's browser sees, which scripts load and which cookies are set before any consent is given.

If you want a full walkthrough of what your website needs, our GDPR compliance checklist breaks it down step by step.

Common Questions

Can a data protection authority fine me without warning first?

Technically, yes. In practice, most DPAs issue a warning or corrective order to small businesses before imposing a fine. But this isn't guaranteed. If the violation is serious, intentional or involves a data breach, a fine can come without prior warning.

Does GDPR apply to my website if I'm a sole trader?

Yes. GDPR applies to any organisation established in the EU, and to any organisation outside it that offers goods or services to, or monitors, people in the EU (Article 3), regardless of size. Sole traders, freelancers and one-person businesses are all covered. The one concession to size is narrow: the Article 30(5) exemption from keeping records of processing for organisations with fewer than 250 staff, which falls away where processing is not occasional or involves special-category data, so it rarely covers a business website. What scales with size is the proportionality of any fine.

What's the smallest GDPR fine ever issued?

Fines as low as 28 euros have been recorded in the GDPRhub enforcement tracker, though these are unusual. For website-related violations, fines below 1,000 euros are rare. Most authorities consider anything below that threshold not worth the administrative effort.

Can I appeal a GDPR fine?

Yes. Every fine decision includes information about how to appeal. Appeals go to the courts in the country where the fine was issued. Small businesses have successfully reduced or overturned fines on appeal, particularly when they can show they've taken corrective action.

Is GDPR enforcement getting stricter or more lenient?

Stricter. The total value of GDPR fines is many times what it was in the first years of enforcement. More importantly for small businesses, DPAs are increasingly using automated scanning tools that can check thousands of websites at once. The Dutch AP, French CNIL and Italian Garante have all announced expanded enforcement programs targeting website compliance.


Check your website now

Scan your website for GDPR and privacy issues and 30+ other compliance checks. Free, no signup, takes two minutes.