GDPR Fine Risk Estimator
Estimates your potential GDPR fine exposure under Articles 83(4) and 83(5) of the GDPR, based on violation severity, annual global turnover, number of data subjects affected, and mitigating or aggravating factors.
Formula & Methodology
Step 1 – Statutory Maximum (Art. 83 GDPR):
- Lower Tier (Art. 83(4)): Max(€10,000,000 ; Turnover × 2%)
- Upper Tier (Art. 83(5)): Max(€20,000,000 ; Turnover × 4%)
Step 2 – Subject Scale Factor:
subjectScale = min(log₁₀(subjects) / 6, 1.0)
Maps 1 to 1,000,000+ affected individuals onto a 0–1 scale using a logarithmic curve.
Step 3 – Base Fine Percentage:
basePct = 10% + (50% × subjectScale)
Ranges from 10% (minimal exposure) to 60% of the statutory maximum.
Step 4 – Base Fine:
baseFine = statutoryMax × basePct
Step 5 – Adjustment Multiplier (Art. 83(2) factors):
multiplier = sensitivity × intent × duration × cooperation × prior × remediation
Each factor reflects criteria listed in Art. 83(2)(a)–(k) GDPR.
Step 6 – Estimated Fine (capped at statutory max):
estimatedFine = min(baseFine × multiplier, statutoryMax)
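The six steps above, chained into one function with input validation and the Step 6 cap made visible. This is an added example, not the estimator's own code. The name `estimateFine`, the tier keys `lower`/`upper`, the default of 1.0 for an omitted factor, and the factor values in the sample call are assumptions, because the page does not list the numeric value behind each factor.

```javascript
// Added example (not the estimator's code): Steps 1-6 as one function.
const TIERS = {
  lower: { floor: 10_000_000, pct: 0.02 }, // Art. 83(4)
  upper: { floor: 20_000_000, pct: 0.04 }, // Art. 83(5)
};
const FACTOR_NAMES = ["sensitivity", "intent", "duration", "cooperation", "prior", "remediation"];

function estimateFine({ tier, turnover, subjects, factors = {} }) {
  const t = TIERS[tier];
  if (!t) throw new RangeError(`unknown tier: ${tier}`);
  if (!Number.isFinite(turnover) || turnover < 0) throw new RangeError("turnover must be >= 0");
  // subjects < 1 would make log10 negative or -Infinity and push basePct below 10%.
  if (!Number.isFinite(subjects) || subjects < 1) throw new RangeError("subjects must be >= 1");

  const statutoryMax = Math.max(t.floor, turnover * t.pct);       // Step 1
  const subjectScale = Math.min(Math.log10(subjects) / 6, 1.0);   // Step 2
  const basePct = 0.10 + 0.50 * subjectScale;                     // Step 3
  const baseFine = statutoryMax * basePct;                        // Step 4

  let multiplier = 1;                                             // Step 5
  for (const name of FACTOR_NAMES) {
    const v = factors[name] ?? 1.0; // assumption: an omitted factor is neutral
    if (!Number.isFinite(v) || v <= 0) throw new RangeError(`${name} must be > 0`);
    multiplier *= v;
  }

  const uncapped = baseFine * multiplier;                         // Step 6
  const estimatedFine = Math.min(uncapped, statutoryMax);
  return { statutoryMax, subjectScale, basePct, baseFine, multiplier, estimatedFine,
           capped: uncapped > statutoryMax };
}

// Constructed sample input; the factor values are illustrative only.
console.log(estimateFine({ tier: "upper", turnover: 1e9, subjects: 250000,
                           factors: { sensitivity: 1.5, cooperation: 0.8 } }));
```

The returned `capped` flag shows when aggravating factors pushed the result past the statutory maximum, which the final figure alone does not reveal.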
Assumptions & References
- GDPR Art. 83(4): Infringements of processor obligations, child consent (Art. 8), privacy by design (Art. 25), DPO rules (Arts. 37–39), certification bodies (Arts. 42–43), monitoring bodies (Art. 41(4)).
- GDPR Art. 83(5): Infringements of basic principles (Arts. 5–7, 9), data subject rights (Arts. 12–22), international transfers (Arts. 44–49), supervisory authority orders (Art. 58(2)).
- Not legal advice. Consult a qualified data protection lawyer for formal risk assessment.