GDPR Fine Risk Calculator

Estimates potential GDPR fine exposure under Articles 83(4) and 83(5) of the GDPR, based on violation severity, annual turnover, number of data subjects affected, and mitigating or aggravating factors.

Formula

1. Statutory Maximum
StatutoryMax = max(AbsoluteCap, AnnualTurnover × PercentageCap)
Lower Tier (Art. 83(4)): AbsoluteCap = €10M, PercentageCap = 2%
Upper Tier (Art. 83(5)): AbsoluteCap = €20M, PercentageCap = 4%

2. Subject Scale Factor
SubjectScale = max( 0.05, min( log₁₀(subjects + 1) / log₁₀(10,000,000), 1.0 ) )
(capped at 1.0 once 10,000,000 or more subjects are affected; floored at 0.05 so that even a breach affecting zero or very few subjects retains a minimal scale)

3. Base Fine
BaseFine = StatutoryMax × SubjectScale

4. Adjusted Fine
AdjustedFine = BaseFine × SensitivityMultiplier × DurationMultiplier × CooperationMultiplier × PriorMultiplier × RemediationMultiplier

5. Final Fine Exposure
FinalFine = min(AdjustedFine, StatutoryMax)

Risk Band: RiskRatio = FinalFine / StatutoryMax
<25% → Low | 25–55% → Moderate | 55–80% → High | >80% → Critical
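The five steps above, implemented in Python as an added example (this is not the calculator's own code). The five Art. 83(2) multipliers are taken as caller-supplied inputs because the page does not publish its calibrated ranges, and the handling of exact band boundaries (a ratio of exactly 25% or 55% falls in the higher band, exactly 80% counts as High) is an assumption.

```python
import math

# Tier caps from GDPR Art. 83(4) and 83(5), as given on the page.
TIERS = {
    "lower": (10_000_000, 0.02),   # Art. 83(4): EUR 10M or 2% of turnover
    "upper": (20_000_000, 0.04),   # Art. 83(5): EUR 20M or 4% of turnover
}
SUBJECT_REFERENCE = 10_000_000     # log scale saturates at 10M data subjects
SUBJECT_SCALE_FLOOR = 0.05

def statutory_max(tier, annual_turnover):
    """Step 1: the higher of the absolute cap and the turnover percentage."""
    absolute_cap, percentage_cap = TIERS[tier]
    return max(absolute_cap, annual_turnover * percentage_cap)

def subject_scale(subjects):
    """Step 2: log10 scale capped at 1.0, floored at 0.05 (0 subjects -> 0.05)."""
    raw = math.log10(subjects + 1) / math.log10(SUBJECT_REFERENCE)
    return max(SUBJECT_SCALE_FLOOR, min(raw, 1.0))

def risk_band(ratio):
    """Bands from the page; exact boundary handling is an assumption."""
    if ratio < 0.25:
        return "Low"
    if ratio < 0.55:
        return "Moderate"
    if ratio <= 0.80:
        return "High"
    return "Critical"

def fine_exposure(tier, annual_turnover, subjects, multipliers=None):
    """Steps 1-5. `multipliers` maps the five Art. 83(2) factors to values;
    missing factors default to 1.0 (neutral). Values are caller-supplied,
    not the page's calibrated ranges."""
    factors = {"sensitivity": 1.0, "duration": 1.0, "cooperation": 1.0,
               "prior": 1.0, "remediation": 1.0}
    factors.update(multipliers or {})
    cap = statutory_max(tier, annual_turnover)
    base = cap * subject_scale(subjects)                  # Step 3
    adjusted = base * math.prod(factors.values())         # Step 4
    final = min(adjusted, cap)                            # Step 5: never above the cap
    ratio = final / cap
    return {"statutory_max": cap, "base_fine": base, "adjusted_fine": adjusted,
            "final_fine": final, "risk_ratio": ratio, "risk_band": risk_band(ratio)}

if __name__ == "__main__":
    # Constructed scenario: upper-tier breach, EUR 1.5bn turnover, 2M subjects.
    print(fine_exposure("upper", 1_500_000_000, 2_000_000,
                        {"sensitivity": 1.5, "duration": 1.2, "cooperation": 0.8}))
```

The constructed scenario shows Step 5 in action: aggravating multipliers push the adjusted fine above the 4%-of-turnover cap, so the final exposure is clamped to the statutory maximum and lands in the Critical band.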

Assumptions & References

  • GDPR Art. 83(4): Fines up to €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) for lower-tier infringements (e.g. processor obligations, DPO, certification bodies).
  • GDPR Art. 83(5): Fines up to €20,000,000 or 4% of total worldwide annual turnover (whichever is higher) for upper-tier infringements (e.g. basic principles, data subject rights, international transfers).
  • Art. 83(2) factors considered: nature/gravity/duration of infringement, number of data subjects affected, categories of data, cooperation with supervisory authority, prior infringements, and remediation measures.
  • The logarithmic subject scale reflects regulatory practice of proportional but diminishing marginal increases in fines for very large breaches.
  • Multiplier ranges are calibrated against published enforcement decisions from the EDPB, ICO, CNIL, and BfDI (2018–2024).
  • This tool does not constitute legal advice. Consult a qualified data protection lawyer for formal risk assessment.
  • Reference: European Data Protection Board, Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
