The Biggest GDPR Fines to Date [2024]

GDPR fines: you’ve surely heard about companies that have been fined millions because they weren’t GDPR-compliant. In fact, these sanctions can pose serious consequences for businesses of all sizes.

It’s not only about the monetary value of the sanction, but also about the reputational damage that comes with it.

In this post, we’ll go over the biggest GDPR fines issued so far, to help you understand the criteria that European Data Protection Authorities take into consideration when evaluating GDPR breaches.


Here’s everything you need to know about the biggest GDPR penalties ever issued and what it means for businesses. Let’s dive in!

How are GDPR fines calculated?

Fines for non-compliance with the GDPR can go up to 20 million euros, or 4% of the annual worldwide turnover (whichever is greater). Sanctions are not always monetary: they can also be official reprimands (for first-time violations), a temporary or definitive ban on processing, periodic data protection audits and liability for damages.

In fact, users have the right to file a complaint with a supervisory authority if they feel that the processing of their data wasn’t GDPR-compliant, and ask for compensation for any damages.

It is up to the Data Protection Authorities to decide whether to impose a monetary fine instead of, or in addition to, the other non-monetary possibilities mentioned before. If there is only a likely infringement, a warning is usually issued.

How are GDPR fines determined?

GDPR fines are determined based on a range of factors such as the nature, severity, duration and intent behind the violation. The assessment considers how many data subjects were affected, the level of damage they experienced, and what types of personal data were compromised.

On the violating entity’s side, key considerations are financial gains or losses from the infringement, whether actions were taken to mitigate the damage done, the level of cooperation with authorities and whether the entity reported the violation itself. Past infringements, technical and organizational measures, and adherence to codes of conduct or certifications are evaluated as well.

This is all outlined in Article 83 of the GDPR official text.

What is considered a GDPR violation?

Violations of the GDPR can take various forms, depending on which provisions of the regulation are not adhered to. They can also be intricate depending on specific scenarios and types of data processing activities. The following can be considered a GDPR violation:

  • Using personal data for purposes other than those for which they were originally collected, collecting more data or keeping it longer than is necessary;
  • Processing personal data without proper, informed, and unambiguous consent from the data subject;
  • Not providing clear and accessible privacy notices or not informing data subjects about how their data will be used;
  • Failure to report GDPR data breaches in a compliant way;
  • Not honoring the rights of data subjects, such as the right to access, or right to erasure of their data;
  • Transferring personal data outside the EU to countries or organizations without adequate data protection measures in place or without proper mechanisms;
  • Not implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • and more.

What constitutes a GDPR data breach?

A GDPR data breach typically occurs when one or more activities involving individuals’ personal data and performed by your company are unauthorized or unlawful, in violation of data protection regulations like the GDPR.

The concept extends beyond a simple unauthorized or unlawful access or security incident. It also includes improper handling, storage, or processing of data that compromises the confidentiality, integrity, or availability of that data.

The GDPR data breach can be intentional or accidental and may involve various types of personal data such as names, email addresses, financial information, medical records, or any other data that can identify an individual.

What is a Tier 1 fine for GDPR?

A Tier 1 fine is the lower tier and typically covers less severe violations than Tier 2. For a Tier 1 fine, companies can be fined up to 10 million euros or 2% of their annual global turnover, whichever is higher. For a Tier 2 fine, the limits rise to 20 million euros and 4% respectively.

The tiers are essentially two categories of penalties defined by the GDPR. Tier 1 fines relate to the general obligations of data controllers and processors and of certification or monitoring bodies. Tier 2 fines cover more severe violations: the basic principles of processing or consent, individuals’ rights, data transfers to third countries, etc.

What happens if you accidentally breach GDPR?

If you accidentally breach GDPR, several factors come into play to determine the outcome. Not all GDPR violations result in fines; the response depends on factors such as the nature, gravity, and duration of the infringement, as well as the intentional or negligent character of the infringement.

  • Investigation: Initially, the relevant Data Protection Authority (DPA) would likely investigate the GDPR data breach. You’re expected to cooperate fully with this investigation.
  • Intent and Negligence: The DPA considers whether the breach was intentional or a result of negligence. Accidental breaches may be viewed more leniently than intentional violations.
  • Mitigation Efforts: The DPA also considers any efforts you made to mitigate the damage suffered by data subjects.
  • Previous Violations: Your history of compliance with GDPR is also relevant. A clean record might result in a lighter response.
  • Notification: Under GDPR, you are required to report a GDPR data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a significant risk. Failure to notify can result in penalties on its own.

Following the investigation, the DPA may issue warnings, reprimands, order the entity to take specific actions to comply with the law, or impose a fine.

What is the minimum fine for GDPR?

The GDPR does not specify a “minimum fine” as such; instead, it outlines two tiers of fines based on the severity of the GDPR data breach. For less severe breaches, companies can be fined up to €10 million or 2% of the firm’s global annual turnover of the previous financial year, whichever is higher. For more severe breaches, the fines can be up to €20 million or 4% of the firm’s global annual turnover of the previous financial year, whichever is higher.

The DPAs are encouraged to take a balanced approach, considering the specifics of each case. Fines are considered a last resort and are meant to be “effective, proportionate and dissuasive.”



Top 25 GDPR fines by amount

Let’s go over the largest GDPR fines issued so far.

Image: top 10 GDPR fines (credit: GDPR Enforcement Tracker)

List of fines

1. Meta Platforms Ireland Limited, €1.2 billion

Our winner by far on this list is a 1.2 billion euros fine for Meta/Facebook, issued in May 2023 by the Irish Data Protection Authority (IE DPA) following an inquiry into its Facebook service. The largest GDPR fine to date was imposed as a result of Meta’s transfers of personal data to the U.S. on the basis of Standard Contractual Clauses (SCCs). Dispute resolution was ordered by the EDPB.

2. Amazon Europe, €746 million

The second biggest GDPR penalty was issued by the Luxembourg DPA on July 16th, 2021. The DPA fined Amazon Europe 746 million euros, after a series of 10,000 complaints filed by the French group La Quadrature du Net.

The Authority found that Amazon was showing targeted advertising without the users’ proper consent.

3. Meta Platforms, Inc., €405 million

On September 5th, 2022, Ireland’s Data Protection Commission issued a 405 million euros fine to Meta Platforms, Inc.

The DPC investigated the processing of children’s personal data and found that the company was publicly disclosing email addresses and/or phone numbers of children using the Instagram business account feature.


4. Meta Platforms Ireland Limited, €390 million

Yet another Meta GDPR penalty. On January 4th, 2023, Ireland’s Data Protection Commission (DPC) issued a 390 million euros fine against Meta Ireland Limited.

After NOYB filed three complaints, the DPC concluded that processing on the basis of a contract for personalized ads is not GDPR-compliant. Meta was relying on a consent clause in its Terms of Service to show its users personalized ads.


5. TikTok Limited, €345 million

The social media platform TikTok received its first fine ever, amounting to 345 million euros, in September 2023 (issued by the Irish DPC) for failing to protect children’s privacy: accounts belonging to teens were public by default during the sign-up process, allowing anyone to view and comment on their videos.

6. Meta Platforms Ireland Limited, €265 million

On November 25th, 2022, Ireland’s DPC fined Meta 265 million euros.

The DPA launched an investigation in April 2021, after media reports revealed that a dataset of Facebook user data had been made available on the internet. This data breach affected the personal information of 533 million users.

Meta was fined because it wasn’t complying with the principles of Privacy by Design and Privacy by Default stated in the GDPR.


7. WhatsApp Ireland Ltd., €225 million

On September 2nd, 2021, Ireland’s Data Protection Commission issued a 225 million euros fine against WhatsApp Ireland, in conclusion to an investigation that had started in 2018.

WhatsApp wasn’t complying with the GDPR principle of transparency: it did not give users enough information about its processing activities and the legal basis it relied on.

UPDATE

On January 19th, 2023, the DPC issued a further €5.5 million fine.


8. Google LLC., €90 million

On December 31, 2021, the CNIL issued a 90 million euros fine to Google LLC, because it wasn’t complying with the French Data Protection Act.

In particular, the CNIL found that YouTube users couldn’t reject cookies as easily as they could accept them. Besides the fine, Google LLC was given three months to change the look and functioning of its cookie banner.

Image: YouTube cookie banner after the CNIL sanction

9. Facebook Ireland Ltd., €60 million

On the same day, December 31, 2021, the CNIL also fined Facebook Ireland 60 million euros.

The reason was the same: Facebook users couldn’t reject cookies as easily as they could accept them.

10. Google Ireland Ltd., €60 million

A smaller fine of 60 million euros was issued by the CNIL to Google Ireland Ltd.

The reason was the same as above, but this fine concerned the website google.fr.

11. Google LLC, €50 million

On January 19th, 2019, CNIL fined Google LLC 50 million euros after a series of complaints by NOYB and La Quadrature du Net.

The main reasons for this fine were a lack of transparency, unsatisfactory information and a lack of valid consent. Users didn’t have enough information about the processing of their personal data.

This was one of the first big fines issued under GDPR.

12. Criteo, €40 million

In June 2015, the French DPA (CNIL) fined Criteo, a company specialized in retargeting advertising, for various deficiencies in data processing, such as being unable to demonstrate proof of user consent to the use of trackers from both Criteo and its partners. Criteo also did not fully honor data subject requests to withdraw consent or delete their data.

13. H&M Hennes & Mauritz, €35.2 million

On October 1st, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information issued a 35.2 million euros fine to H&M.

Since at least 2014, some employees had been subject to extensive recording of details about their private lives. These details – such as vacation experiences, but also symptoms of illness and diagnoses – were recorded, stored, and used to make decisions about their employment.

The DPA became aware of this violation only because, due to a technical error, the data was accessible to everyone in the company for a few hours.

14. Amazon France Logistique, €32 million

The French DPA fined Amazon France Logistique in January 2024 for unlawful surveillance of employees: scanners used to document certain tasks also provided information on the productivity of each employee, and this statistical data was deemed to be stored disproportionately and excessively.

15. TIM, €27.8 million

The Italian DPA, the Garante, fined TIM (a telecommunications operator) in January 2020. Over a few years, the DPA had received hundreds of notifications regarding unsolicited commercial communications sent to users who had not given their consent or who were registered in the public register of objections.

Among other things, the fine was imposed for:

  • lack of consent for marketing activities (telemarketing and cold calling) and addressing people who asked not to be contacted with marketing offers;
  • invalid consents collected in TIM apps;
  • lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres); and
  • lack of clear data retention periods.


16. British Airways, €22.046 million

This fine was issued in October 2020 by the UK’s DPA, the ICO, and related to a cyber incident notified in September 2018 at the British airline. A variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as names and addresses.

17. Marriott International, Inc., €22.450 million

Similar to the previous one, the ICO fined hospitality company Marriott following a cyber incident notified in November 2018. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident. The ICO attributed this to a failure to undertake sufficient due diligence during an acquisition and to systems that were not secure.

18. Clearview AI Inc., €20 million

Clearview AI was actually fined the same amount by the French, Greek and Italian DPAs. This company holds a database of more than 20 billion facial images.

It was found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. In addition, the DPAs found that Clearview AI restricted and did not properly handle the exercise of data subjects’ rights, and failed to adequately inform users about the processing of their data. It also violated several GDPR principles such as purpose limitation and storage limitation.

19. Meta Platforms Ireland Limited, €17 million

In May 2022, the Irish DPA imposed a GDPR penalty of 17 million euros on Meta, based on 12 notifications of data breaches that occurred back in 2018.

Meta failed to demonstrate that it had taken appropriate technical and organizational measures to protect the data of EU users, especially in terms of cross-border data processing.

20. Wind Tre S.p.A., €16.7 million

The Garante fined the Italian telecommunications company Wind Tre in July 2020 for, among other things, several unlawful data processing activities relating to unsolicited direct marketing through SMS, e-mail and calls. People also weren’t able to exercise their right to withdraw consent because of an incomplete policy.

21. TikTok, €14.5 million

The UK’s ICO fined TikTok 14.5 million euros in April 2023. It found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. TikTok was also criticized for failing to identify and remove underage children from its platform.

22. Vodafone Italia S.p.A., €12.25 million

Another telecommunications company on the Italian DPA’s list of largest GDPR fines, issued in November 2020. Here again, telemarketing activities were unlawful: hundreds of complaints concerned unsolicited telephone calls and the use of fake numbers to make promotional calls.

23. notebooksbilliger.de, €10.4 million

notebooksbilliger.de is an electronics retailer that was fined 10.4 million euros by the DPA of Lower Saxony. The company had video-monitored its employees for at least two years without a legal basis for doing so. So far, the fine against notebooksbilliger.de is the highest fine that the LfD Niedersachsen has issued under the GDPR.

24. Uber, €10 million

The Dutch DPA fined both Uber Technologies Inc. and Uber B.V. in December 2023 for failing to provide sufficient information about the storage period of European drivers’ data. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data and did not respond in a comprehensible manner.

25. Axpo Italia Spa, €10 million

The Italian DPA imposed a GDPR penalty of 10 million euros on electricity and gas supplier Axpo Italia Spa. The DPA had received numerous complaints from data subjects who reported that electricity and gas contracts had been activated in their names without their knowledge, and that the personal data in those contracts was incorrect or outdated. Axpo had been acquiring new contracts through a network of vendors.

Which European countries have issued the highest number of GDPR fines?

The countries that issue the biggest fines are not necessarily the countries that issue the highest number of fines. Let’s take a look.

Image: number of GDPR fines by country (credit: GDPR Enforcement Tracker)

While these sanctions are huge, there are also smaller fines that are issued every day. European DPAs are very active in monitoring GDPR compliance.

Here are the top 10 European countries with the highest number of GDPR fines issued so far:

  1. Spain
  2. Italy
  3. Romania
  4. Germany
  5. Hungary
  6. Poland
  7. Greece
  8. Norway
  9. France
  10. Belgium

Can small businesses be fined for GDPR non-compliance?

Yes, it can happen. Of course, your small business probably won’t receive a fine as huge as the ones above, but even a smaller amount can really impact your processes.

Also, don’t forget that a monetary sanction isn’t the only consequence of non-compliance: official reprimands, periodic data protection audits and liability for damages can be as scary as a fine. Not to mention the reputational damage a GDPR sanction can cause.

But don’t worry! GDPR compliance doesn’t have to be difficult.
