German data protection authorities are among the most active in Europe: since 2018 they have imposed fines totalling well over half a billion euros. In 2024-2026 a clear trend has emerged — fines no longer hit only large corporations but increasingly target SMEs and small websites. This article lists the 15 largest GDPR fines in Germany with sources, authorities and grounds. For an international comparison, see our overview of CNIL sanctions in France.
TL;DR — German GDPR fines in 60 seconds
- Largest single fine: 35.3 million euros against H&M (Hamburg DPA, October 2020) for systematic employee monitoring — Art. 5 GDPR violation.
- 2024-2026 trend: More fines hitting SMEs; the average sanction against a small business is now around 50,000-200,000 euros (5-10× higher than in 2020).
- Top three grounds: (1) data breaches not reported within 72 hours of becoming aware (Art. 33), (2) missing legal basis (Art. 6), (3) cookie consent that fails TTDSG § 25 (the TTDSG was renamed TDDDG in May 2024; § 25 kept its numbering).
- 17 competent authorities: the federal BfDI plus 16 state DPAs, coordinated by the DSK.
- Maximum penalty: 20 million euros or 4% of worldwide group turnover — whichever is higher (Art. 83(5) GDPR).
Who enforces GDPR in Germany?
Germany's supervisory structure is federal, unlike France (CNIL) or Italy (Garante), where one central authority handles every case.
Federal level — BfDI: The Federal Commissioner for Data Protection and Freedom of Information (Prof. Dr. Louisa Specht-Riemenschneider since 2024) is the sole competent authority for federal public bodies and for telecommunications and postal service providers. Notable BfDI fines: Vodafone, 1&1, Deutsche Telekom.
State level — 16 Landesdatenschutzbehörden: Each federal state has its own DPA, competent for private companies headquartered in that state (Bavaria is the exception: private-sector supervision sits with a separate office, the BayLDA, rather than with the state commissioner). The Hamburg DPA fined H&M, the Berlin Commissioner sanctioned Deutsche Wohnen, the Lower Saxony authority hit Volkswagen and notebooksbilliger.de.
Coordination — the DSK (Datenschutzkonferenz): The DSK is not a sanctioning body but a coordination forum of all 17 authorities. It publishes the DSK fining model (revised 2022), which the DPAs use to ensure uniform calculation of fines.
Top 15 GDPR fines 2019-2025 in Germany
The following table lists the largest documented fines. All figures are confirmed by public DPA or court communications; some amounts were later reduced by courts (see note below).
| # | Company | Fine (as imposed) | Year | Authority | Violation |
|---|---|---|---|---|---|
| 1 | H&M Hennes & Mauritz | €35,258,708 | 2020 | Hamburg | Employee monitoring — Art. 5, 6 GDPR |
| 2 | Deutsche Wohnen SE | €14,500,000 | 2019 | Berlin | Tenant data retention — Art. 5, 25 GDPR (dismissed by the Berlin Regional Court in 2021 on procedural grounds; on the Court of Appeal's referral the CJEU ruled in December 2023, C-807/21, that a fine can be imposed directly on the undertaking, and the case returned to the Berlin courts) |
| 3 | notebooksbilliger.de | €10,400,000 | 2021 | Lower Saxony | Workplace video surveillance — Art. 5, 6 GDPR (substantially reduced by Hannover Regional Court in 2023) |
| 4 | 1&1 Telecom GmbH | €9,550,000 | 2019 | BfDI | Authentication procedures — Art. 32 GDPR (reduced to €900,000 by Bonn Regional Court in 2020) |
| 5 | Vodafone GmbH | ~€9,000,000 | 2022 | BfDI | Customer data security at partners — Art. 32 GDPR |
| 6 | AOK Baden-Württemberg | €1,240,000 | 2020 | Baden-Württemberg | Marketing use of prize-draw participant data without valid consent — Art. 6 GDPR |
| 7 | Volkswagen AG | €1,100,000 | 2022 | Lower Saxony | Vehicle data / test system — Art. 5, 24, 25 GDPR |
| 8 | Deutsche Wohnen (follow-up) | ~€875,000 | 2024 | Berlin | Repeated storage-limitation breach — Art. 5 GDPR |
| 9 | Berlin real-estate firm | €525,000 | 2023 | Berlin | Excessive tenant screening — Art. 5, 6 GDPR |
| 10 | Bavarian bank | ~€300,000 | 2024 | Bavaria | Subject access right violation — Art. 15 GDPR |
| 11 | Discord Inc. (DE branch) | ~€200,000 | 2024 (reported) | Hamburg | Breach / late notification — Art. 33 GDPR |
| 12 | Insurance company | ~€150,000 | 2025 | Hesse | Breach not notified — Art. 33 GDPR |
| 13 | Bremen hospital | €105,000 | 2020 | Bremen | Patient mix-up — Art. 32 GDPR |
| 14 | Vodafone Kabel Deutschland | €100,000 | 2021 | NRW | Marketing despite objection — Art. 21 GDPR |
| 15 | Multiple online shops (bundle) | €50,000–200,000 each | 2024-2025 | Various | Cookie consent / Google Analytics — TTDSG § 25, Art. 6 GDPR |
Note on amounts: Several of the highest original fines (notebooksbilliger.de, 1&1, Deutsche Wohnen) were reduced, dismissed or remanded on appeal by regional or appellate courts. German case law requires an individualised, company-specific calculation, which often lowers the DPA's initial DSK-model figure. The values in the table are the originally imposed fines; values marked "~" are publicly confirmed orders of magnitude where the exact figure was not officially published.
Most common grounds 2024-2026
1. Cookie consent and tracking without legal basis (TTDSG § 25)
Since the German TTDSG entered into force in December 2021 (renamed TDDDG in May 2024, with § 25 unchanged in substance), storing or reading non-essential cookies and similar identifiers on the user's device requires prior consent. A banner that merely informs is not enough. DPAs in Bavaria, NRW and Berlin sanctioned numerous online shops in 2024-2026 for loading Google Analytics, Meta Pixel or Hotjar before TTDSG-compliant consent had been given. See our guide on cookie policy rules and sanctions for the full breakdown.
2. Data breaches not reported within 72 hours (Art. 33 GDPR)
Article 33 GDPR requires controllers to notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it". The deadline runs from the moment of awareness, not from the end of the investigation, and Art. 33(4) expressly allows the information to be supplied in phases, so an incomplete picture does not excuse a late first notification. In 2024-2025 the Berlin authority alone imposed several five- to six-figure fines on companies that reported breaches late, incompletely or not at all.
3. Missing or insufficient legal basis (Art. 6 GDPR)
Every processing activity needs a legal basis under Art. 6(1): consent, contract, legal obligation, vital interests, public task or legitimate interests. Without a documented legal basis, fines follow. Classic cases: newsletters sent without provable consent (in German practice, double opt-in), HR records kept beyond retention periods, customer data passed to third parties without a legal basis.
4. Inadequate technical and organisational measures (Art. 32 GDPR)
Article 32 GDPR requires "a level of security appropriate to the risk". Weaknesses sanctioned in 2024-2026: unencrypted email carrying health data, no multi-factor authentication on administrative accounts, publicly readable cloud storage, no documented access-rights concept.
5. Employee data protection (BDSG § 26, Art. 5/6 GDPR)
Germany has historically placed special emphasis on workplace data protection. Covert video surveillance, GPS tracking without notice, systematic email monitoring — all regularly trigger six- to seven-figure fines. The H&M sanction (€35.3 million) remains the cautionary tale.
What fines do small websites and SMEs face in 2026?
Contrary to common belief, small websites are sanctioned too. Typical 2026 brackets:
- Tier 1 — cookie banner missing or non-TTDSG-compliant: €5,000-50,000
- Tier 2 — privacy notice missing or incomplete: €10,000-100,000
- Tier 3 — data breach not reported: €50,000-500,000
- Tier 4 — systematic violation / repeat offender: €500,000 up to the cap (€20M or 4% of group turnover)
Several real cases from 2024-2025: online shops with fewer than 10 employees were fined €50,000-150,000 — often after a single user complaint about Google Fonts or Meta Pixel loaded without consent.
5 lessons for German website operators in 2026
- The cookie banner must BLOCK, not merely inform. TTDSG § 25 requires real prior consent. A banner that loads tracking scripts before the user clicks "Accept" is unlawful; the scripts must not execute until consent for their category has been recorded. Tools like the WebLegal Cookie Consent Banner block 30+ known trackers by default.
- The privacy policy must list every recipient. Articles 13/14 GDPR require a complete list of third-party recipients (hosting, mail, analytics, CDN, payment providers). See our AI legal document generator complete guide 2026 for full templates and our guide on privacy policy mandatory elements.
- Practise the 72-hour breach drill internally. The clock starts the moment you become aware of a breach, not when the investigation is complete. Without a tested incident-response plan you risk missing the deadline and earning a separate Art. 33 fine on top of the breach itself.
- Appoint a Data Protection Officer. Mandatory in Germany from 20 persons regularly employed with automated processing of personal data (BDSG § 38), and, regardless of headcount, where core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category data (Art. 37(1) GDPR).
- Secure international transfers. The UK is covered by an EU adequacy decision, and US recipients are covered only if certified under the EU-US Data Privacy Framework. For any other third-country recipient, EU Standard Contractual Clauses (2021 version) plus a documented transfer impact assessment are required in 2026.
How to protect yourself from GDPR fines
A defensible compliance baseline can be set up in an afternoon if you follow a structured approach:
- Compliance scan: Test your website with the WebLegal scanner — it identifies missing cookie banners, invalid privacy policies and critical trackers in under 30 seconds.
- Update documents: Privacy policy, cookie policy and (for online shops) terms of sale must be GDPR-compliant. With an AI legal document generator you create them in minutes.
- Install a cookie banner: Deploy a TTDSG-compliant CMP that actually blocks trackers, not just a notice strip.
- Maintain a record of processing activities: Art. 30 GDPR formally requires it only from 250 employees, but the exemption in Art. 30(5) falls away as soon as processing is more than occasional, involves special categories or is likely to result in a risk, which in practice covers almost every business.
- Train staff: Most data breaches stem from human error — phishing, wrong distribution list, lost USB stick.
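The two technical points above, a banner that actually blocks trackers until consent is given and a scan that finds trackers loaded before consent, can be checked with a small script of your own. The following is an added example written for this article; it is not code from the page, from any DPA, or from the WebLegal product. It assumes a short list of tracker host patterns (Google Analytics, Meta Pixel, Hotjar, Google Fonts) and the common CMP convention that a gated script is written as `<script type="text/plain" data-consent="category">`, which the browser parses but never executes until the banner swaps the type after consent. The sample HTML is constructed for the demonstration.

```javascript
// Added example (not the page's or WebLegal's code). Two halves of a
// TTDSG/TDDDG § 25 cookie gate applied to a server-rendered HTML document:
//   auditPreConsentTrackers(html)  - known trackers wired to run before consent
//   gateTrackers(html, consent)    - which gated scripts a consent state allows
//   activateInBrowser(consent)     - the DOM swap a CMP performs after "Accept"
// Assumptions: the tracker host list below and the data-consent convention.

const TRACKERS = [
  { name: 'Google Analytics', category: 'statistics',
    pattern: /googletagmanager\.com\/gtag\/js|google-analytics\.com/i },
  { name: 'Meta Pixel', category: 'marketing',
    pattern: /connect\.facebook\.net\/[\w-]+\/fbevents\.js/i },
  { name: 'Hotjar', category: 'statistics', pattern: /static\.hotjar\.com/i },
  { name: 'Google Fonts', category: 'functional',
    pattern: /fonts\.googleapis\.com|fonts\.gstatic\.com/i },
];

// Minimal parser for the inside of a start tag: `async src="x" type='y'`.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// <script>...</script> and <link ...> tags in document order. Regex parsing is
// enough for static HTML; scripts injected later by a tag manager can only be
// observed with a headless browser (caveat for any static audit).
function extractTags(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>|<link\b([^>]*?)\/?>/gi;
  const tags = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const isScript = m[1] !== undefined;
    tags.push({ tag: isScript ? 'script' : 'link',
                attrs: parseAttrs(isScript ? m[1] : m[3]),
                body: isScript ? m[2] : '' });
  }
  return tags;
}

// Gated = the browser will not execute it on parse (type="text/plain") AND it
// carries the consent category it needs. A plain <link> can never be gated.
function isGated(t) {
  return t.tag === 'script'
    && (t.attrs.type || '').toLowerCase() === 'text/plain'
    && typeof t.attrs['data-consent'] === 'string' && t.attrs['data-consent'] !== '';
}

function matchTracker(t) {
  const target = `${t.attrs.src || ''} ${t.attrs.href || ''} ${t.body}`;
  return TRACKERS.find(tr => tr.pattern.test(target));
}

// Every known tracker that is not gated loads before any consent exists.
function auditPreConsentTrackers(html) {
  return extractTags(html).flatMap(t => {
    const hit = matchTracker(t);
    if (!hit || isGated(t)) return [];
    return [{ name: hit.name, category: hit.category, tag: t.tag,
              locator: t.attrs.src || t.attrs.href || '(inline)' }];
  });
}

// Only an explicit `true` for the script's own category activates it; absent or
// false categories stay withheld (no implied or pre-ticked consent).
function gateTrackers(html, consent) {
  const activated = [], withheld = [];
  for (const t of extractTags(html)) {
    if (!isGated(t)) continue;
    const hit = matchTracker(t);
    const entry = { name: hit ? hit.name : 'unidentified script',
                    category: t.attrs['data-consent'],
                    locator: t.attrs.src || '(inline)' };
    (consent[entry.category] === true ? activated : withheld).push(entry);
  }
  return { activated, withheld };
}

// The real activation step in a page: clone each consented gated script with an
// executable type. Returns how many scripts were activated (0 outside a browser).
function activateInBrowser(consent) {
  if (typeof document === 'undefined') return 0;
  let n = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (consent[el.dataset.consent] !== true) continue;
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    n++;
  }
  return n;
}

// Constructed sample page: ungated GA loader, ungated inline Hotjar snippet,
// correctly gated Meta Pixel, Google Fonts from Google's CDN, first-party bundle.
const SAMPLE_HTML = `
<head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
  <script>(function(h){h._hjSettings={hjid:0};var s=document.createElement('script');
    s.src='https://static.hotjar.com/c/hotjar-0.js';document.head.appendChild(s);})(window);</script>
  <script type="text/plain" data-consent="marketing">
    !function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
    s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  </script>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
  <script src="/assets/app.js"></script>
</head>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('loaded before consent:', auditPreConsentTrackers(SAMPLE_HTML));
  console.log('gate (marketing only):', gateTrackers(SAMPLE_HTML, { marketing: true }));
}
```

Run it with `node` to see the three pre-consent findings (Google Analytics, Hotjar, Google Fonts) and the gated Meta Pixel being activated only when `marketing` is true. Two design points matter for § 25: anything not explicitly consented stays withheld, and the audit treats a `<link>` to a third-party CDN as a pre-consent load because there is no `type="text/plain"` trick for stylesheets; those resources have to be self-hosted or loaded only after consent.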
Conclusion
German data protection authorities are more active in 2024-2026 than ever. While headline-grabbing multi-million-euro fines still hit large corporations, the centre of gravity in enforcement has shifted to SMEs and small websites. Operators without a TTDSG-compliant cookie solution, a complete privacy notice or a breach-response plan in 2026 are exposed. The good news: compliance is achievable — and costs less than a single fine.