How does the Article 83 cap actually work?

GDPR sets two caps per tier and applies whichever is higher. The higher tier is the greater of 4 percent of total worldwide annual turnover or 20 million euros. The lower tier is the greater of 2 percent or 10 million euros. So a large company is bounded by the turnover percentage, while a small one is bounded by the fixed figure.

Which infringements fall in each tier?

The lower tier (Article 83(4)) covers obligations of controllers and processors, certification bodies, and monitoring bodies — for example records, security, and breach notification duties. The higher tier (Article 83(5)) covers the core principles, lawful basis, data-subject rights, and international transfer rules. Pick the tier that matches the breached article.

Is the maximum the likely fine?

No. The cap is the ceiling, not the expected penalty. Regulators weigh Article 83(2) factors — gravity, intent, mitigation, prior infringements, cooperation, and categories of data — so most fines land well below the cap. The tool shows an illustrative range, not a prediction; consult counsel for a real assessment.

Does turnover mean the single company or the whole group?

GDPR uses the concept of an undertaking, which competition-law case law interprets broadly to include the entire corporate group acting as a single economic unit. For large groups the relevant turnover can be the consolidated group figure, materially raising the percentage cap. Enter the figure your legal analysis supports.

Are UK GDPR fines the same?

The structure is the same but the fixed caps are in pounds — the higher tier is the greater of 4 percent of worldwide turnover or 17.5 million pounds, and the lower tier 2 percent or 8.7 million pounds. This tool uses the EU euro figures; adjust the fixed cap if you are assessing UK GDPR.

GDPR Fine Estimator — Gera Tools

The GDPR backs its rules with steep administrative fines, capped by a two-tier formula in Article 83. This estimator applies that formula to a company’s worldwide turnover and the relevant infringement tier to show the statutory maximum and an illustrative likely range for risk planning.

How it works

Each tier sets two caps and the regulator may impose up to whichever is higher:

lower tier (83(4)):  max( 2% × turnover , €10,000,000 )
higher tier (83(5)): max( 4% × turnover , €20,000,000 )

For large undertakings the percentage of turnover dominates; for small ones the fixed figure does. The result is a ceiling — actual fines are set after weighing the Article 83(2) aggravating and mitigating factors and usually fall below it.

Tips and notes

Treat the output as a maximum exposure, not a forecast. Regulators rarely impose the cap; they weigh gravity, intent, the categories of data, mitigation, cooperation, and prior history under Article 83(2), so a realistic figure is often a fraction of the ceiling. The relevant turnover may be the whole corporate group’s consolidated revenue under the broad “undertaking” concept, which can sharply raise the percentage cap for large groups. If you are assessing UK GDPR rather than EU GDPR, substitute the pound-denominated fixed caps. This is a planning aid for risk quantification, not legal advice — engage qualified counsel for any live matter.