GDPR fines and penalties to date

European Union, GDPR, UK DPA 2018, United Kingdom

Since the General Data Protection Regulation (“GDPR”) became enforceable in May 2018 (it was adopted in April 2016), supervisory authorities throughout the European Union have issued over 2,000 fines to businesses and organizations. It is critical for businesses across all industries to stay up to date on where, how and why fines have been assessed under the GDPR.

This article will cover the following topics:

  • Trends on fines and penalties issued under the GDPR
  • The impact of GDPR fines on small businesses 
  • The largest fines imposed under the GDPR to date
  • How to avoid GDPR penalties and fines

Trends on fines and penalties issued under the GDPR

Some member states have been far more active than others in issuing fines and penalties under the GDPR. Spain leads the European Union with roughly 800 fines issued. In total, businesses have been fined more than 4,460,000,000 EUR under the GDPR as of January 2024.

Below is a ranking of fines by GDPR violation type since the GDPR’s implementation:

  • Non-compliance with general data processing principles; € 2,068,693,259 (at 554 fines)
  • Insufficient legal basis for data processing; € 1,649,213,212 (at 615 fines)
  • Insufficient technical and organisational measures to ensure information security; € 388,455,875 (at 359 fines)
  • Insufficient fulfilment of information obligations; € 247,306,420 (at 186 fines)
  • Insufficient fulfilment of data subjects rights; € 98,366,170 (at 194 fines)
  • Unknown; € 9,250,000 (at 9 fines)
  • Insufficient cooperation with supervisory authority; € 6,191,329 (at 104 fines)
  • Insufficient fulfilment of data breach notification obligations; € 1,805,082 (at 33 fines)
  • Insufficient data processing agreement; € 1,057,110 (at 11 fines)
  • Insufficient involvement of data protection officer; € 919,300 (at 15 fines)

Do only major corporations receive fines under the GDPR?

While it is true that the largest fines issued under the GDPR have been against large businesses (e.g. the largest fine to date was issued against Meta Platforms Ireland Limited for 1,200,000,000 EUR in May 2023), small businesses are not ignored by the supervisory authorities that assess GDPR fines and penalties. In fact, the fine and penalty structure under the GDPR was designed to ensure businesses of all sizes would be held liable for non-compliance. Below is a list of various small businesses and organizations that have been fined under the GDPR:

  • The Spanish supervisory authority fined a solar-power company $3,200 in December 2023 for GDPR non-compliance.
  • The Romanian supervisory authority fined an infertility association 2,000 EUR in March 2020 for a failure to transmit requested information to authorities. The infertility association was under investigation to determine whether the association disclosed personal data without consent.
  • The Spanish supervisory authority fined a homeowners’ association 2,000 EUR in March 2020 for a violation of the GDPR principles, specifically for video surveillance of a public space without any legal basis to do so.
  • The Icelandic supervisory authority fined a secondary school 9,000 EUR in March 2020 for a lack of measures in place to ensure personal data security. A teacher at the school emailed students and parents an attachment containing the academic performance and overall well-being of students without their consent.
  • The Polish supervisory authority fined a primary school 4,600 EUR in March 2020 for not having a legal basis to process the personal data of students. The school utilized student fingerprinting in order to distribute meals in the cafeteria. The supervisory authority determined that the school could find other methods of distributing meals to students without the use of their biometric data.
  • The Norwegian supervisory authority fined a local grocery chain 36,800 EUR in February 2020 for distributing video surveillance footage of children who allegedly shoplifted from the grocery store. The supervisory authority determined that the store did not have a legal basis for releasing the video.
  • The Spanish supervisory authority fined a real estate company 2,500 EUR in February 2020 for a breach of the GDPR principles of integrity and confidentiality of personal data. A real estate agent had disclosed the personal information of buyers to third parties in a property purchase agreement.
  • The Spanish supervisory authority fined a street vendor 5,000 EUR in February 2020 for a failure to obtain the consent of their customers to process their personal data.
  • The Spanish supervisory authority fined a bank 6,670 EUR in February 2020 for a failure to comply with a customer’s request to remove his personal data from the bank’s records. The bank continued to send advertisements to the customer via text and email after repeated requests to remove him from the mailing lists.
  • The Spanish supervisory authority fined an online shopping retailer 5,000 EUR in December 2019 for a lack of measures in place to ensure personal data security. Advertising emails sent to customers had inadvertently revealed the personal data of all recipients on the advertising email list.
  • The Danish supervisory authority fined a luxury furniture retailer 200,850 EUR in June 2019 for a violation of the storage limitation principle. The company had processed the personal data of approximately 385,000 customers for longer than necessary and had failed to establish deadlines and procedures for the deletion of customer data.

This list is constantly being updated. For the latest fines, visit https://www.enforcementtracker.com/

Fines under the GDPR can be astoundingly large

While businesses of any size can be penalized and fined under the GDPR, the largest fines have been roughly proportional to the size of the companies they were issued to. This is because Art. 83 of the GDPR caps fines at the higher of a fixed amount (10,000,000 EUR or 20,000,000 EUR, depending on the provision infringed) and a percentage of the company’s total worldwide annual turnover (2% or 4%), so the ceiling grows with the company’s revenue. Below is a list of the largest fines issued under the GDPR to date:

  • Meta Platforms (Ireland): The social platform was fined 1,200,000,000 EUR in May 2023 due to an insufficient legal basis for processing data.
  • Amazon (Luxembourg): The e-commerce store was fined 746,000,000 EUR in July 2021 for non-compliance with general data processing principles.
  • TikTok Limited (Ireland): The social media video sharing platform was fined 345,000,000 EUR in September 2023 for non-compliance with general data processing principles.
  • British Airways (United Kingdom): In July 2019 the ICO announced its intention to fine the airline 204,600,000 EUR (£183.39 million) for a failure to implement technical and organizational measures to ensure personal data protection; the final penalty, issued in October 2020, was reduced to £20 million.
  • Marriott International (United Kingdom): In July 2019 the ICO announced its intention to fine the hotel chain 110,390,200 EUR (£99.2 million) on the same grounds; the final penalty, issued in October 2020, was reduced to £18.4 million.
  • Google (France): The technology company was fined 50,000,000 EUR in January 2019 for a lack of a legal basis for personal data processing.
  • TIM (Italy): The telecommunications operator was fined 27,800,000 EUR in January 2020 for a lack of a legal basis for personal data processing.
  • Austrian Post (Austria): The postal service company was fined 18,000,000 EUR in October 2019 for a lack of a legal basis for personal data processing.

How can businesses avoid being fined under the GDPR?

A supervisory authority’s investigative powers under Art. 58 of the GDPR include ordering a business to provide any information it requires, and failing to comply with such an order is itself a fineable infringement (Art. 83(5)(e)), as was the case for the Romanian infertility association listed above. Cooperation and timely responses to requests from a supervisory authority are one way businesses can avoid further fines and penalties under the GDPR. Businesses can also work through a GDPR compliance checklist.

The best way to avoid GDPR penalties and fines, however, is to ensure violations never occur in the first place. Termageddon’s products are designed to give businesses the peace of mind of knowing they are taking steps toward complying with the GDPR and other privacy laws that may apply to them. Use Termageddon’s Privacy Policy generator to create a GDPR-ready privacy policy, rather than ending up on the next list of GDPR violators hit with a fine.

About the Author
Ryne Sulier