Updated 18/08/2020
5 Biggest GDPR Fines So Far [2020]

Most recent research by the DLA Piper: GDPR data breach survey January 2020, reported there had been 160,921 personal data breaches within the EEA, from May 25, 2018, up until now.

However, the total amount of issued GDPR fines so far does not really follow those numbers. Despite the 160 something thousand violations reported to the data protection authorities, GDPR fines are a little bit over €175 million, which is not a staggering number.

showing the sum of gdpr fines so far
Source: Privacy Affairs

The report continues with the most active EU member states, in the past. France, Austria, and Germany banked the title, issuing the biggest GDPR fines, but with mostly one big penalty. To be fair, Germany had two multimillion fines toping little over €24 million.

Although, if the beginning of the year is any indicator, the citizens of the EU can sleep soundly. There is an indication that other authorities will start being more proactive this year. Just like the Spanish Data Protection Authority (AEPD) and Italian Garante who both showed a lot of activities recently even with the Corona pandemic in the background.

Two levels of GDPR fines

Before we jump over to the fines a quick recap; there are two levels of GDPR fines:

• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher
• the upper level is twice that size or €20 million and 4% of the worldwide annual revenue.

Since we don’t want to repeat ourselves (too much), you can read more about GDPR fine in general in our glossary.

Honorable mentions- BA and Marriott

We also have to mention two GDPR cases regarding British Airways and Marriot International. Both cases are under the jurisdiction of the UK’s independent body Information Commissioner’s Office (ICO).

However, the ICO issued only a notice of its intention to fine Marriott International and intention to fine British Airways under GDPR for a data breach.

Remember, the first GDPR fine issued by the ICO was actually to the Doorstep Dispensaree pharmacy.

So, since the fines are not yet final, we will not include them on our list, but we still think they are worth mentioning:

➕British Airways – €204,600,000 UK gdpr fine

In July 2019, the ICO announced its intention to issue a €204,6 million (183.39 million pounds) fine to the British Airways for violation of Article 31 of the GDPR. The incident occurred in September 2018, when the British Airways website diverted users’ traffic to a hacker website. This resulted in hackers stealing the personal data of more than 500.000 customers.

The company had inadequate security mechanisms to prevent such cyber-attacks from happening. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well name and address information.”

➕ Marriott International – €110 390 200  UK gdpr fine

Also in July of 2019, ICO issued the statement of their intent to fine Marriott International for infringements of the GDPR. ICO explained the fine was related to the cyber attack, in which personal data of over 339 million guest records, were exposed. Out of those 339 million individuals, 31 million were residents of the EEA.

Marriott international exposed itself to the cyber-attack after the acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

5 biggest GDPR fines in 2020

top gdpr fine in 2020 google tim telecom

1. Google – €50 000 000  French GDPR fine for Google

On 21 January 2019, the French National Commission on Informatics and Liberty or CNIL, fined Google with a €50 million fine. This is the biggest GDPR fine to this date was issued for violation of:
Information to be provided where personal data are collected from the data subjectArticle 13,
Information to be provided where personal data have not been obtained from the data subjectArticle 14,
Lawfulness of processingArticle 6,
• and Principles relating to the processing of personal dataArticle 5

The fine was therefore issued on the account of lack of transparency on how the data were harvested from data subjects and used for ad targeting. Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.

2. TIM – 27,800 000 gdpr fines in italy

January 15, 2020, was a critical day for Italian telecommunications operator TIM. The Italian DPA Garante issued 27,8 million GDPR fine for quite an extensive list of violations. The scope of their illegal activities is hard to ignore. They have contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or other legal bases.

Few million individuals were affected by their aggressive marketing strategy. The activities involved: Improper management of consent lists ❌Excessive data retention ❌Data Breaches ❌Lack of proper consent ❌Violation of GDPR rights. The personal information included name, surname or company name; tax code or VAT number; telephone line; address; contact details.

We recommend you read an entire article that explains violations in detail:

€27,8 million GDPR fine for Italian Telecom -TIM

3. Austrian Post – €18 000 000

We talked about this case before in one of our blogs, so you can read the entire case here. In short, the Austrian Data Protection Authority,  issued an €18 million GDPR fine (+ cost of the investigation in the amount of 1.8 million) to the Austrian national postal service on 23 October 2019. It is to date the biggest GDPR fine issued in Austria.

Austrian Post had created profiles of more than 3 million Austrian citizens, which accounts for over one-third of Austria’s total population. Personal preferences, political interests, addresses and, other information were collected and then sold to the Third Parties.

Will Austrian Post Pay €18 million GDPR Fine?

4. Wind Tre S.p.A. – €16,700,000 gdpr fines in italy

Just as we predicted in our blog, the Italian DPA- Garante has increased their activities in 2020, and issued a €16,700,000 GDPR fine to telecommunication company – Wind Tre S.p.A.

The fine was issued due to unlawful processing of personal data for marketing purposes when more than a hundred clients filed a complaint over unsolicited marketing emails that included calls and SMS, as well as listing their phone numbers on public phonebooks against their wish.

What really pushed Garante to issue such a huge fine was the fact that clients weren’t able to withdraw their consent since the company’s Data Protection Policy did not provide all the necessary information. GDPR Articles violated in the process were:

• Principles relating to processing of personal data – Art. 5
• Lawfulness of processing Art. 6,
• Transparent information, communication and modalities for the exercise of the rights of the data subject Art. 12,
• Responsibility of the controller Art. 24 
• Data protection by design and by default Art. 25 

5. Deutsche Wohnen SE – €14 500 000 german gdpr fine

The highest German GDPR fine to date has been issued to a real estate company Deutsche Wohnen, on October 30, 2019. The fine related to the retention period of personal data was issued by the Berlin Commissioner for Data Protection and Freedom of Information. The company failed to provide GDPR-compliant data retention and data removal procedure for the personal data of the tenants.

The official statement clarified: “[…]the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required.”

€14.5 Million GDPR Fine for non-compliant Data Retention

5 biggest GDPR fines so far -conclusion

This is the up to date and current list of biggest GDPR fines so far, but we have a feeling that in 2020, this list is going to change a lot. As the DLA Piper report is stating:

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”

So we believe there will be a lot more GDPR related activities in 2020.

How can you become compliant faster?

Data Privacy Manager can help you with:

✅ central management and connectivity with other systems
✅ collaboration through all organizational units
✅ automated data removal
✅ managing compliant record of processing activities
✅ risk-free third-party management

Try a 14-day free trial of the Data Privacy Manager and experience how you can simplify managing records of processing activities and risk assignment!