GDPR fines: you’ve surely heard about companies that have been fined millions because they weren’t GDPR-compliant. In fact, these sanctions can pose serious consequences for businesses of all sizes.
It’s not only about the monetary value of the sanction, but also about the reputational damage that comes with it.
In this post, we’ll go over the biggest GDPR fines issued so far, to help you understand the criteria that European Data Protection Authorities take into consideration when evaluating GDPR breaches.
Here’s everything you need to know about the biggest GDPR penalties ever issued and what it means for businesses. Let’s dive in!
The penalty fines for non-compliance with the GDPR can go up to 20 million euros, or 4% of the annual worldwide turnover (whichever is greater). Sanctions are not always monetary: they can also be official reprimands (for first-time violations), a temporary or definitive ban on processing, periodic data protection audits and liability for damages.
In fact, users have the right to file a complaint with a supervisory authority if they feel that the processing of their data wasn’t GDPR-compliant, and ask for compensation for any damages.
It is up to the Data Protection Authorities to decide whether to impose a monetary fine instead of, or in addition to, the other non-monetary possibilities mentioned before. If there is only a likely infringement, a warning is usually issued.
GDPR fines are determined based on a range of factors such as the nature, severity, duration and intent behind the violation. The assessment considers how many data subjects were affected, the level of damage they experienced, and what types of personal data were compromised.
Regarding the violating entity’s side, key considerations are financial gains or losses from the infringement, whether actions were taken to mitigate the damage done, the level of cooperation with authorities and how the violation was reported (i.e. by the entity themselves or not). Past infringements, technical/organizational measures, adherence to codes of conduct or certifications will be evaluated as well.
This is all outlined in Article 83 of the GDPR official text.
Violations of the GDPR can take various forms, depending on which provisions of the regulation are not adhered to. They can also be intricate depending on specific scenarios and types of data processing activities. The following can be considered a GDPR violation:
A GDPR data breach typically occurs when one or more activities involving individuals’ personal data and performed by your company are unauthorized or unlawful, in violation of data protection regulations like the GDPR.
The concept extends beyond simple unauthorized or unlawful access or a security incident. It also includes improper handling, storage, or processing of data that compromises the confidentiality, integrity, or availability of that data.
A GDPR data breach can be intentional or accidental and may involve various types of personal data such as names, email addresses, financial information, medical records, or any other data that can identify an individual.
A Tier 1 fine for GDPR is part of the lower Tier and typically refers to less severe violations than Tier 2 ones. For a Tier 1 fine, companies can be fined up to 10 million euros or 2% of their annual global turnover, whichever is higher. For a Tier 2 fine, numbers go up respectively to 20 million and 4%.
Tiers are essentially two categories of penalties determined by the GDPR. Tier 1 fines are related to general obligations of data controllers and processors, certification or monitoring bodies. Tier 2 fines, however, include more severe violations of basic principles of processing or consent, individuals’ rights, data transfers to third-countries, etc.
If you accidentally breach GDPR, several factors come into play to determine the outcome. Not all GDPR violations result in fines; the response depends on factors such as the nature, gravity, and duration of the infringement, as well as the intentional or negligent character of the infringement.
Following the investigation, the DPA may issue warnings, reprimands, order the entity to take specific actions to comply with the law, or impose a fine.
The GDPR does not specify a “minimum fine” as such; instead, it outlines two tiers of fines based on the severity of the GDPR data breach. For less severe breaches, companies can be fined up to €10 million or 2% of the firm’s global annual turnover of the previous financial year, whichever is higher. For more severe breaches, the fines can be up to €20 million or 4% of the firm’s global annual turnover of the previous financial year, whichever is higher.
The DPAs are encouraged to take a balanced approach, considering the specifics of each case. Fines are considered a last resort and are meant to be “effective, proportionate and dissuasive.”
Let’s go over the largest GDPR fines issued so far.
Our winner by far on this list is a 1.2 billion euros fine for Meta/Facebook, issued in May 2023 by the Irish Data Protection Authority (IE DPA) following an inquiry into its Facebook service. The largest GDPR fine to date was imposed as a result of Meta’s transfers of personal data to the U.S. on the basis of Standard Contractual Clauses (SCCs). The fine followed a binding decision of the EDPB under its dispute resolution mechanism.
The second biggest GDPR penalty was issued by the Luxembourg DPA on July 16th, 2021. The DPA fined Amazon Europe 746 million euros, after a series of 10,000 complaints filed by the French group La Quadrature du Net.
The Authority found that Amazon was showing targeted advertising without the users’ proper consent.
On September 5th, 2022, Ireland’s Data Protection Commission issued a 405 million euros fine to Meta Platforms, Inc.
The DPC investigated the processing of children’s personal data and found that the company was publicly disclosing email addresses and/or phone numbers of children using the Instagram business account feature.
Yet another Meta GDPR penalty. On January 4th, 2023, Ireland’s Data Protection Commission (DPC) issued a 390 million euros fine against Meta Ireland Limited.
After NOYB filed three different complaints, the DPC concluded that the processing on the basis of a contract for personalized ads is not GDPR-compliant. Meta was relying on a consent clause in their Terms of Service to show its users personalized ads.
The famous social media platform TikTok received its first fine ever amounting to 345 million euros in September 2023 (issued by the Irish DPC) for failing to protect children’s privacy – the accounts belonging to teens were public by default during the sign-up process, allowing anyone to view and comment on their videos.
On November 25th, 2022, Ireland’s DPC fined Meta 265 million euros.
The DPA launched an investigation in April 2021, after media reports revealed that a Facebook dataset had been made available on the internet. This data breach affected the personal information of 533 million users.
Meta was fined because it wasn’t complying with the principles of Privacy by Design and Privacy by Default stated in the GDPR.
On September 2nd, 2021, Ireland’s Data Protection Commission issued a 225 million euros fine against WhatsApp Ireland, in conclusion to an investigation that had started in 2018.
WhatsApp wasn’t complying with the GDPR principle of transparency, not giving users enough information about its processing activities and the legal basis it was using.
On December 31, 2021, the CNIL issued a 90 million euros fine to GOOGLE LLC, because it wasn’t complying with the French Data Protection Act.
In particular, the CNIL found that YouTube users couldn’t reject cookies as easily as they could accept them. Besides the fine, Google LLC was given three months to change the look and functioning of its cookie banner.
On the same day, December 31, 2021, the CNIL also fined Facebook Ireland 60 million euros.
The reason was the same: Facebook users couldn’t reject cookies as easily as they could accept them.
A smaller fine of 60 million euros was issued by the CNIL to Google Ireland Ltd.
The reason was the same as above, but this time it referred to the website google.fr.
On January 19th, 2019, CNIL fined Google LLC 50 million euros after a series of complaints by NOYB and La Quadrature du Net.
The main reason for this fine was a lack of transparency, unsatisfying information and lack of valid consent. Users didn’t have enough information about the processing of their personal data.
This was one of the first big fines issued under GDPR.
In June 2015, the French DPA (CNIL) fined Criteo, a company specialized in retargeting advertising, for various deficiencies in data processing, such as failing to demonstrate proof of users’ consent to the use of trackers from both Criteo and its partners. Criteo also did not fully honor data subject requests to withdraw consent or delete their data.
On October 1st, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information issued a 35.2 million euros fine to H&M.
Since at least 2014, some of the employees had been subject to extensive recording of details about their private lives. These details – such as vacation experiences, but also symptoms of illness and diagnoses – were recorded, stored, and used to make decisions about their employment.
The DPA became aware of this violation only because, due to a technical error, the data was accessible to everyone in the company for a few hours.
The French DPA fined Amazon France Logistique in January 2024 for unlawful surveillance of employees: a scanner was used to document certain tasks in order to provide information on the productivity of each employee. The resulting statistical data was deemed to be stored in a disproportionate and excessive way.
The Italian DPA, the Garante, fined TIM (a telecommunications operator) in January 2020. Over a few years, the DPA had received hundreds of notifications regarding unsolicited commercial communications received by users who had not given their consent or were registered in the public register of objections.
Among other things, the fine was imposed for:
This fine was issued in October 2020 by the UK’s DPA, the ICO, and was related to a cyber incident notified in September 2018 regarding the British airline company. A variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, as well as names and addresses.
Similar to the previous one, the ICO fined hospitality company Marriott following a cyber incident notified in November 2018. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident. This was attributed to a failure to undertake sufficient due diligence during an acquisition, and the acquired systems were not secure.
Clearview AI was actually fined the same amount by the French, Greek and Italian DPAs. This company holds a database of more than 20 billion facial images.
It was found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. In addition, the DPA found that Clearview AI restricted and did not properly handle the exercise of data subjects’ rights, as well as failed to adequately inform users about the processing of their data. It also violated several GDPR principles such as purpose limitation and storage limitation.
In May 2022, the Irish DPA imposed a GDPR penalty of 17 million euros on Meta, based on 12 notifications of data breaches that occurred back in 2018.
Meta failed to demonstrate that it had taken appropriate technical and organizational measures to protect the data of EU users, especially in terms of cross-border data processing.
The Garante fined the Italian telecommunications company Wind Tre (July 2020) for, among other things, several unlawful data processing activities relating to unsolicited direct marketing through SMS, e-mail and calls. People also weren’t able to exercise their right to withdraw consent because of an incomplete privacy policy.
The UK’s ICO fined TikTok 14.5 million euros in April 2023. It found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. TikTok was also criticized for failing to identify and remove underage children from its platform.
Another telecommunications company appears on the list of the Italian DPA’s greatest GDPR fines, with a fine issued in November 2020. Here again, telemarketing activities were unlawful, including hundreds of complaints about unsolicited telephone calls and the use of fake numbers to make promotional calls.
notebooksbilliger.de, an electronics retailer, was fined 10.4 million euros by the DPA of Lower Saxony. The company had video-monitored its employees for at least two years without having a legal basis for doing so. So far, the fine against notebooksbilliger.de is the highest fine that the LfD Niedersachsen has issued under the GDPR.
The Dutch DPA fined both Uber Technologies Inc. and Uber B.V. in December 2023 for failing to provide sufficient information about the storage period of European drivers’ data. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data and did not respond in a comprehensible manner.
The Italian DPA imposed a GDPR penalty of 10 million euros on the electricity and gas supplier Axpo Italia Spa. The DPA had received numerous complaints from data subjects reporting that, without their knowledge, electricity and gas contracts had been activated in their names, and that the personal data in those contracts was incorrect or outdated. Axpo had been acquiring new contracts through a network of vendors.
The countries that issue the biggest fines are not necessarily the countries that issue the highest number of fines. Let’s take a look.
While these sanctions are huge, there are also smaller fines that are issued every day. European DPAs are very active in monitoring GDPR compliance.
Here are the top 10 EU countries with the highest number of GDPR fines issued so far:
Yes, it can happen. Of course, your small business probably won’t receive a fine as huge as the ones above, but even a smaller amount can really impact your processes.
Also, don’t forget that a monetary sanction isn’t the only consequence of non-compliance: official reprimands, periodic data protection audits and liability damages can be as scary as a fine. Not to mention the reputational damage a GDPR sanction can cause.
But don’t worry! GDPR compliance doesn’t have to be difficult.