Compliance · Free tool
Estimate in seconds the range of a possible fine under Article 83 GDPR: type of infringement, your turnover and the aggravating or mitigating factors the Spanish DPA (AEPD) weighs before deciding.
Indicative result
Risk medium
—
—
—
How it works
01
You choose whether the infringement falls under Art. 83.4 (€10M/2% cap) or Art. 83.5 (€20M/4% cap) of GDPR.
02
The tool calculates the real cap: the higher of the fixed amount and the percentage of your global turnover.
03
Intent, repeat offences, cooperation with the AEPD and categories of data affected add or subtract severity.
04
These factors place the case at low, medium or high risk within the legal cap calculated in step 2.
05
A range in euros is shown, never an exact figure — the AEPD never decides a case with an automatic calculator.
GDPR fines in Spain
The General Data Protection Regulation (GDPR) sets out two maximum caps for fines in its Article 83, depending on the severity of the infringement. Infringements under Article 83.4 — obligations of the controller or processor, the data protection officer (DPO), or certification and monitoring bodies — carry a cap of 10 million euros or 2% of the company's global annual turnover, whichever is higher. Infringements under Article 83.5 — basic processing principles, legal basis, data subjects' rights, or international data transfers — raise the cap to 20 million euros or 4% of global turnover.
Those caps are the maximum ceiling, not the figure the AEPD actually applies in each case. The real amount of every fine comes from Article 83.2 of GDPR, which requires the supervisory authority to weigh up to eleven criteria before setting the fine: the nature, gravity and duration of the infringement; whether it was intentional or negligent; the measures taken to mitigate the damage to those affected; the degree of responsibility of the offender given the technical and organisational measures it had in place; the history of previous infringements; the degree of cooperation with the authority to remedy the infringement; the categories of personal data affected (health, biometric, belief or children's data make a fine heavier); how the AEPD became aware of the infringement; compliance with previously ordered measures; adherence to approved codes of conduct; and any other aggravating or mitigating factor, including financial benefits gained or losses avoided.
The European Data Protection Board (EDPB) harmonised that process in its Guidelines 04/2022 on the calculation of administrative fines, which set out a five-step methodology for all European authorities, including the AEPD. This calculator simplifies those criteria into four practical factors — intent, repeat offences, cooperation and categories of data — to give a sense of range, not an official figure.
2025 was the AEPD's busiest enforcement year since GDPR came into force: around 31,000 complaints received and roughly 48 million euros in fines imposed, with more than 300 sanctioning procedures resolved with a fine. The trend continues into 2026, with new files also opened over misuse of artificial intelligence. If your company processes customer, employee or user data — and today almost every company does — understanding what drives the amount of a fine is the first step to avoiding one.
This calculator is a good starting point, but it does not replace a real regulatory compliance audit. If you want to understand in depth which GDPR obligations apply to your company and how to avoid fines, see also our complete GDPR guide for businesses.
Real cases
€10,043,002
Aena
Deployed biometric facial recognition for boarding at several airports without a valid Data Protection Impact Assessment (DPIA) under Article 35 GDPR.
Source: coverage of the AEPD decision
€6,000,000
CaixaBank
Transferred personal data to other group entities without a valid legal basis and without properly informing those affected. Spain's National Court later reduced the amount to €2M on appeal.
Source: FACUA, on the AEPD file
€5,000,000
BBVA
Sent commercial communications without a valid consent basis: the opt-out checkbox did not amount to properly obtained consent.
Frequently asked questions
No. It's an indicative estimate based on the economic tiers of GDPR Article 83 and a simplified version of the Article 83.2 factors. The AEPD follows its own procedure, applying the European Data Protection Board's (EDPB) Guidelines 04/2022 on the calculation of fines, and assesses every case individually. The result of this tool is not an official or binding figure.
Article 83.4 sets a maximum cap of 10 million euros or 2% of the company's global annual turnover, whichever is higher. Article 83.5 covers the most serious infringements (basic processing principles, data subjects' rights or international transfers) with a cap of 20 million euros or 4% of global turnover, again whichever is higher.
GDPR Article 83.2 lists up to eleven criteria: nature, gravity and duration of the infringement; intentional or negligent character; categories of personal data affected; number of people affected; measures taken to mitigate the damage; repeat offences; degree of cooperation with the authority; how the infringement became known; compliance with previous measures; adherence to approved codes of conduct; and any other aggravating or mitigating factor, including financial benefits gained.
Yes. GDPR does not exempt SMEs or sole traders, though in practice the AEPD tends to apply proportionally smaller fines to this category, and Spain's Organic Law 3/2018 (LOPDGDD) provides for a formal warning instead of a fine for minor first infringements committed by entities with fewer than 250 employees or reduced turnover, when there is no intent or repeat offence.
You have a set deadline to respond, usually 10 working days from notification. This is the moment to gather all your documentation (records of processing activities, impact assessments, evidence of security measures applied) and decide with an advisor whether to accept, submit allegations or appeal. Acting in the first few days makes a real difference to the final amount.
An indicative range is a starting point, not a diagnosis. Book a free 30-minute session and we'll review together your real exposure to GDPR fines and how to reduce it.
GDPR Art. 83 tiers and AEPD case data updated 16 July 2026 · sources cited on each case.