European authorities have imposed more than 7.144 billion euros in fines on companies for breaches of the General Data Protection Regulation (GDPR) since the regulation came into force. The latest report from 2025 confirms that sanctioning pressure remains high throughout Europe, with a special impact in Spain.
Spain leads the number of sanctions for data protection
Spain tops the European ranking with 3,034 sanctions imposed since the implementation of the GDPR, far ahead of Italy, Romania, Germany, Poland, and Greece. In 2025, the country added 291 sanctioning files, once again positioning itself as the State with the most open procedures for violations in the processing of personal data.
The Spanish business environment, including companies with activity in Barcelona, Girona, and Tarragona, faces exhaustive control by the Spanish Data Protection Agency. Among the most relevant sanctions, the one imposed on Vodafone stands out, which received a fine of 8.15 million euros for making commercial communications to people registered on the Robinson List.
Vodafone and Xfera, among the most sanctioned companies
Vodafone leads the statistics of sanctions in Europe for improper use of customers' personal data. In addition to the sanction in Spain, the company was fined in Germany with 45 million euros for security problems and lack of supervision of external providers that managed sensitive information.
In the case of Xfera, operator of the Yoigo brand of the MásMóvil group, the fine amounted to 4 million euros after a security breach that allowed access to personal data of approximately 1.7 million customers, including unencrypted bank account numbers. These incidents have highlighted the importance of strengthening data protection protocols in the telecommunications sector.
Ireland and Luxembourg concentrate the most elevated fines
The ranking by economic amount of the sanctions is led by Ireland, with more than 4,038 million euros, followed by Luxembourg, France, Spain, United Kingdom and Germany. Ireland and Luxembourg concentrate the highest fines due to the presence of European headquarters of large technological multinationals such as Meta, Amazon or TikTok.
Among the most substantial sanctions are the 1.2 billion euros imposed on Meta and the 746 million on Amazon for the improper use of users' personal data for advertising purposes. In total, almost 5,000 sanctions have been recorded against companies in Europe for GDPR non-compliance.
Balance of sanctions in 2025
During 2025, 526 sanctions were registered throughout Europe, with a total value of 1.172 million euros. Spain added 291 sanctions in that period, consolidating its position as the country with the highest number of open files. The report confirms that control over the processing of personal data continues to be a priority for European and national authorities.