Last year, European data protection authorities issued over 330 penalties for GDPR non-compliance, totaling nearly €1.15-billion in fines. The most expensive mistake was processing personal data without a sufficient legal basis, particularly within the media, telecoms, and broadcasting sector, which accounted for over 80% of the total fines in euros.

However, although the fines seem large, major technology companies such as TikTok paid only 2.64 euros per user, according to a Surfshark study.

According to Tomas Stamulis, chief security officer at Surfshark, these figures clearly show the urgency of scrutinising the apps we use and the permissions we grant these companies to collect our personal information, as our data can be valued at as little as a couple of euros.

“The scale of fines reflects how seriously unlawful data practices are now being treated. A significant concern, however, is that most of these penalties are aimed at companies that process our personal data without a valid legal basis. Big Tech companies often push the limits to gather more information than permitted, highlighting how cheap a commodity our personal data is, with it being valued at only a couple of euros.”

He emphasises that users should be more cautious about the apps and services they use, question why their data is being collected, and take active steps to secure their privacy. “GDPR fines may serve as warnings to companies, but they are also a crucial reminder to all of us that our personal data requires conscious protection, not passive trust.”

According to a Surfshark study, the most costly penalty for companies under GDPR in 2025 was an insufficient legal basis for data processing, totaling €1.03-billion. The media, telecoms, and broadcasting sector experienced the greatest financial impact, comprising over 80% of the total fines in euros. TikTok received the largest fine in this sector in 2025, totaling 530-million euros or 2.64 euros per user, Google received fines of 200-million and 125-million euros, and Shein received 150-million euros.

However, the most common fine in 2025 was for insufficient technical and organisational measures to ensure information security. These violations increased significantly from 69 cases in 2024 to 97 in 2025, accounting for 29% of all fines imposed. Fines of this type were most often the result of cyberattacks, unauthorised disclosure of personal data, and data leaks.

The industry and commerce sector was hit most often for insufficient technical and organisational measures to ensure information security, with nearly a third of these fines (31 out of 97) directed at it. The finance, insurance, and consulting sector followed with 21 fines, while healthcare faced 14 fines, rounding out the top three sectors.

Stamulis explains that fines resulting from insufficient security measures are not surprising, as Surfshark’s data shows a broader and persistent global trend: a staggering 3.2-billion data breaches have occurred globally since 2004.

“As AI is used more and more, the risk of personal data being exposed gets much higher. A big issue is that people are not careful with their sensitive information. They often share too many personal details, letting third-party tools use them without clear or good privacy policies. This lack of oversight makes it easier for cybercriminals to attack, especially since they can use AI to make their attacks more powerful and easier to perform.”

He explains that the severity of these security threats is underscored by last year’s large-scale autonomous AI cyberattack, which demonstrated how readily AI can exploit corporate vulnerabilities. This situation explains the substantial fines against major tech companies, emphasizing the critical need for them to properly secure our data and uphold our fundamental right to digital privacy.