Search Client login

Compliance · Free tool

Calculate your indicative GDPR fine

Estimate in seconds the range of a possible fine under Article 83 GDPR: type of infringement, your turnover and the aggravating or mitigating factors the Spanish DPA (AEPD) weighs before deciding.

1 · Category of infringement (Art. 83 GDPR)

Total group turnover for the previous financial year — GDPR compares global turnover, not just revenue in Spain.

How it works

A transparent calculation, in five steps

01

Category of infringement

You choose whether the infringement falls under Art. 83.4 (€10M/2% cap) or Art. 83.5 (€20M/4% cap) of GDPR.

02

Maximum legal cap

The tool calculates the real cap: the higher of the fixed amount and the percentage of your global turnover.

03

Article 83.2 factors

Intent, repeat offences, cooperation with the AEPD and categories of data affected add or subtract severity.

04

Risk level

These factors place the case at low, medium or high risk within the legal cap calculated in step 2.

05

Indicative range

A range in euros is shown, never an exact figure — the AEPD never decides a case with an automatic calculator.

GDPR fines in Spain

What GDPR fines are and how they're really calculated

The General Data Protection Regulation (GDPR) sets out two maximum caps for fines in its Article 83, depending on the severity of the infringement. Infringements under Article 83.4 — obligations of the controller or processor, the data protection officer (DPO), or certification and monitoring bodies — carry a cap of 10 million euros or 2% of the company's global annual turnover, whichever is higher. Infringements under Article 83.5 — basic processing principles, legal basis, data subjects' rights, or international data transfers — raise the cap to 20 million euros or 4% of global turnover.

Those caps are the maximum ceiling, not the figure the AEPD actually applies in each case. The real amount of every fine comes from Article 83.2 of GDPR, which requires the supervisory authority to weigh up to eleven criteria before setting the fine: the nature, gravity and duration of the infringement; whether it was intentional or negligent; the measures taken to mitigate the damage to those affected; the degree of responsibility of the offender given the technical and organisational measures it had in place; the history of previous infringements; the degree of cooperation with the authority to remedy the infringement; the categories of personal data affected (health, biometric, belief or children's data make a fine heavier); how the AEPD became aware of the infringement; compliance with previously ordered measures; adherence to approved codes of conduct; and any other aggravating or mitigating factor, including financial benefits gained or losses avoided.

The European Data Protection Board (EDPB) harmonised that process in its Guidelines 04/2022 on the calculation of administrative fines, which set out a five-step methodology for all European authorities, including the AEPD. This calculator simplifies those criteria into four practical factors — intent, repeat offences, cooperation and categories of data — to give a sense of range, not an official figure.

The AEPD's enforcement activity, in numbers

2025 was the AEPD's busiest enforcement year since GDPR came into force: around 31,000 complaints received and roughly 48 million euros in fines imposed, with more than 300 sanctioning procedures resolved with a fine. The trend continues into 2026, with new files also opened over misuse of artificial intelligence. If your company processes customer, employee or user data — and today almost every company does — understanding what drives the amount of a fine is the first step to avoiding one.

This calculator is a good starting point, but it does not replace a real regulatory compliance audit. If you want to understand in depth which GDPR obligations apply to your company and how to avoid fines, see also our complete GDPR guide for businesses.

Real cases

3 real AEPD decisions

€10,043,002

Aena

Nov. 2025 · File EXP202304532 · Art. 83.5 GDPR

Deployed biometric facial recognition for boarding at several airports without a valid Data Protection Impact Assessment (DPIA) under Article 35 GDPR.

Source: coverage of the AEPD decision

€6,000,000

CaixaBank

Jan. 2021 · Proc. PS/00477/2019 · Arts. 6, 13, 14 GDPR

Transferred personal data to other group entities without a valid legal basis and without properly informing those affected. Spain's National Court later reduced the amount to €2M on appeal.

Source: FACUA, on the AEPD file

€5,000,000

BBVA

Dec. 2020 · Proc. PS/00070/2019 · Art. 6.1 GDPR

Sent commercial communications without a valid consent basis: the opt-out checkbox did not amount to properly obtained consent.

Source: AEPD decision PS/00070/2019 (official PDF)

Frequently asked questions

Common questions about GDPR fines

Does this calculator replace an official decision by the Spanish DPA (AEPD)?

No. It's an indicative estimate based on the economic tiers of GDPR Article 83 and a simplified version of the Article 83.2 factors. The AEPD follows its own procedure, applying the European Data Protection Board's (EDPB) Guidelines 04/2022 on the calculation of fines, and assesses every case individually. The result of this tool is not an official or binding figure.

What is the difference between GDPR Article 83.4 and Article 83.5?

Article 83.4 sets a maximum cap of 10 million euros or 2% of the company's global annual turnover, whichever is higher. Article 83.5 covers the most serious infringements (basic processing principles, data subjects' rights or international transfers) with a cap of 20 million euros or 4% of global turnover, again whichever is higher.

What factors does the AEPD weigh to set the exact amount of a fine?

GDPR Article 83.2 lists up to eleven criteria: nature, gravity and duration of the infringement; intentional or negligent character; categories of personal data affected; number of people affected; measures taken to mitigate the damage; repeat offences; degree of cooperation with the authority; how the infringement became known; compliance with previous measures; adherence to approved codes of conduct; and any other aggravating or mitigating factor, including financial benefits gained.

Can the AEPD fine sole traders and small businesses?

Yes. GDPR does not exempt SMEs or sole traders, though in practice the AEPD tends to apply proportionally smaller fines to this category, and Spain's Organic Law 3/2018 (LOPDGDD) provides for a formal warning instead of a fine for minor first infringements committed by entities with fewer than 250 employees or reduced turnover, when there is no intent or repeat offence.

What should I do if I've received a request or the opening of a file from the AEPD?

You have a set deadline to respond, usually 10 working days from notification. This is the moment to gather all your documentation (records of processing activities, impact assessments, evidence of security measures applied) and decide with an advisor whether to accept, submit allegations or appeal. Acting in the first few days makes a real difference to the final amount.

Want us to review it together?

An indicative range is a starting point, not a diagnosis. Book a free 30-minute session and we'll review together your real exposure to GDPR fines and how to reduce it.

GDPR Art. 83 tiers and AEPD case data updated 16 July 2026 · sources cited on each case.