Most European businesses don't know how exposed they are to GDPR fines. Not out of negligence, but because the system is designed to be opaque: the legal maximums (\u20ac20 million or 4% of global annual turnover) are frightening enough to generate anxiety, but not concrete enough to drive action. Numbers that large end up feeling unreal, distant, something that only happens to multinationals.<\/p>\n
That perceived distance is exactly the problem.<\/p>\n
From May 2018 to date, European authorities have issued over 2,800 GDPR enforcement cases totalling more than \u20ac6.2 billion<\/strong>, with over 60% of all fines issued since January 2023. Yet the most common reaction among SMEs remains the same: \"That's a Meta and Google thing. I'm too small to end up in the crosshairs.\"<\/p>\n It's an understandable reaction. And it's wrong.<\/p>\n Spain is the European country with the highest number of published enforcement cases \u2014 over 932 \u2014 and the majority involve small local businesses, not international groups. In France, in November 2025, the CNIL fined vanityfair.fr \u20ac750,000<\/strong> for cookies placed before consent, a repeated violation following a prior formal notice. In September 2025, Shein received \u20ac150 million<\/strong> from the same authority for the same type of infringement. The mechanism is identical \u2014 only the scale changes.<\/p>\n The common thread across these cases is not company size, but the violation: tracking scripts active without consent, non-compliant cookie banners, advertising pixels firing before the user has made a choice. Widespread technical issues that authorities are verifying with increasing frequency, including through sample checks on small and medium-sized sites.<\/p>\n The right question isn't \"am I at risk?\". It's \"how much do I risk, in my specific situation, based on what authorities have already decided for businesses similar to mine?\"<\/strong><\/p><\/blockquote>\n European authorities concentrate most of their inspections on three specific areas, which together cover the vast majority of professional websites.<\/p>\n The first is a missing or non-compliant cookie banner<\/strong>: without a mechanism that allows users to reject as easily as they accept, any active tracking script \u2014 Google Analytics, Meta Pixel, Hotjar \u2014 is potentially unlawful, because the banner must precede script activation, not follow it. Typical fines observed in this cluster range from \u20ac5,000 to over \u20ac100,000.<\/p>\n The second is tracking pixels and scripts without consent<\/strong>: if Meta Pixel, Google Ads or other remarketing scripts fire before the user has made a choice, every recorded session is data collected without a legal basis. This is one of the most frequently sanctioned cookie consent GDPR violations, with fines observed between \u20ac20,000 and \u20ac200,000, and significant peaks in cases of repeated infringement.<\/p>\n The third, often underestimated, is the absence of data processing agreements with vendors<\/strong>: GDPR Art. 28 requires a written data processing agreement with every vendor handling data on your behalf \u2014 hosting, CRM, newsletter tools, analytics platforms. Its absence is an independent procedural violation, sanctionable separately from any other breach, with an estimated additional risk of \u20ac5,000 to \u20ac25,000.<\/p>\n
\nThree violations that probably apply to your website too<\/h2>\n
\nA GDPR compliance risk assessment based on real data, not theoretical maximums<\/h2>\n