Search
Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

20 biggest GDPR fines so far [2023]

The year 2023 witnessed a groundbreaking GDPR fine surpassing €1.2 billion to Meta (formerly known as Facebook). Of the top 20 GDPR fines recorded, seven were imposed on Meta or Meta-owned companies.

Astonishingly, this single fine alone comes close to eclipsing the combined total of all GDPR fines issued by January 28, 2022, which was approximately €1.64 billion.

Collectively, GDPR fines have now reached over €4 billion. These figures demonstrate the ongoing commitment to upholding data protection regulations and highlight the increasing financial consequences of non-compliance.

We will delve into the details of the 20 biggest GDPR fines, shedding light on the monumental penalties and providing insights into the evolving landscape of data protection enforcement.

20 biggest GDPR fines so far

1. Meta GDPR fine- €1.2 billion

In May 2023, in a groundbreaking decision in the past five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a historic fine of €1.2 billion on US tech giant Meta.

This record-breaking fine was issued for transferring personal data of European users to the United States without adequate data protection mechanisms and serves as a significant milestone in data protection regulation.

Meta, the parent company of popular platforms like Instagram and WhatsApp, has been penalized for failing to comply with the European Union’s General Data Protection Regulation (GDPR). Still, this fine highly surpasses all other fines.

As Meta plans to appeal the decision, the outcome of this legal battle will have far-reaching implications, shaping the future of data transfers and privacy rights in the digital age.

This fine serves as a clear warning to other companies that the GDPR’s requirements must be taken seriously, and non-compliance can result in severe financial consequences

Read the entire article: Meta Hit with Record €1.2B GDPR Fine

2. Amazon GDPR fine – €746 million luxembourg flag

On July 16, 2021, the Luxembourg National Commission for Data Protection (CNDP) issued a fine in the amount of  €746 million ($888 million) to Amazon.com Inc.

The fine was issued due to a complaint filed by 10,000 people against Amazon in May 2018 through a French privacy rights group that promotes and defends fundamental freedoms in the digital world- La Quadrature du Net.

The CNPD opened an investigation into how Amazon processes personal data of its customers and found infringements regarding Amazon’s advertising targeting system that was carried out without proper consent.

Read the entire article: Luxembourg DPA Issues €746 Million GDPR Fine to Amazon

3. Meta GDPR fine – €405 million

On September 5, 2022,  Ireland’s Data Protection Commission (DPC) issued a €405 million GDPR fine to Meta Ireland concerning the lawfulness of processing children’s personal data following the legal bases of performance of a contract and legitimate interest.

The DPCs’  investigation focused on teenagers between the ages of 13 and 17, the operation of Instagram business accounts, and how such accounts automatically displayed children’s contact information (email addresses and/or phone numbers) publicly.

According to DPC, Meta failed to take measures to provide child users with information using clear and plain language, lacked appropriate technical and organizational measures, and failed to conduct a Data Protection Impact Assessment where processing was likely to result in a high risk to the rights and freedoms of child users.

Read the entire article:  Meta Fined €405 Million for Mishandling Teenagers’ Data on Instagram

4. Meta GDPR fine – €390 million

On 4 January, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries against Meta Ireland and the decision to issue a €390 million fine in connection to its Facebook and Instagram services.

Meta changed the Terms of Service for its Facebook and Instagram users right before the GDPR was enforced, changing the legal basis from consent to contract for most of its processing activities.

Users were asked to accept new updated Terms of Services to access their Facebook and Instagram accounts; otherwise, the services would not be available.

Meta considered that, by accepting Terms of Services, users would enter into a contract with Meta, claiming that processing of personal data was necessary for the delivery of Facebook and Instagram services and performance of the contract, so any personalized and behavioral advertising would be considered in line with the GDPR.

However, two complainants contended that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta was, in fact, “forcing” them to consent.

Read the entire article: DPC fines META €390 million for violation of the GDPR

5. TikTok GDPR fine- €345 million

TikTok is facing a substantial fine of €345 million due to violations of GDPR, with a specific focus on its handling of children’s accounts.

The Irish Data Protection Commission (DPC) concluded its investigation in September 2023, examining TikTok’s data practices between July 31 and December 31, 2020, particularly concerning young users.

The inquiry assessed various aspects, including platform settings, age verification, and communication with child users. The DPC’s decision revealed multiple GDPR breaches related to data processing, transparency, and fairness.

To address these violations, the DPC issued a reprimand, instructed TikTok to rectify its data processing practices within three months, and imposed a significant administrative fine of €345 million.

Read the entire article: TikTok fined €345m for violation of GDPR

6. Meta GDPR fine – €265 million

On November 25, 2022, the Irish DPA fined Meta €265 million. The DPA had previously launched an investigation against Meta back in 2021 after several media reports indicated that Facebook’s dataset with personal information was made available on a public hacking platform.

This data leak affected up to 533 million users, disclosing their personal data (phone numbers and email addresses) to third parties without authorization.

The DPA reviewed and analyzed the Facebook Search, Messenger Contact Importer, and Instagram Contact Importer Tools. The DPA’s main goal was to assess the implementation of organizational and technical measures that would protect personal data, and they found a breach of Art. 25 GDPR.

Read the entire article: DPC imposes €265 million fine on Meta

7. WhatsApp GDPR fine – €225 million

On 2 September 2021, Ireland’s data protection authority, the Data Privacy Commission (DPC), announced their decision to issue a GDPR fine to a Facebook-owned instant messaging and voice-over-IP service, WhatsApp Ireland €225 million (or $267 million) after a three-year investigation.

The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC (lead supervisory authority for WhatsApp Ireland Ltd.), to reassess the initially proposed fine regarding infringements of transparency in the calculation of the fine as well as the timeframe for WhatsApp to comply.

Read the entire article:  WhatsApp faces €225 million for transparency violation

8. Google LLC fine- €90 million French GDPR fine for Google

On December 31, 2021, CNIL issued a €90 million fine to GOOGLE LLC over the inability to allow YouTube users in France to refuse cookies as easily as they could accept them.

The CNIL concluded that making refusal mechanisms more complex than they should be, discourages users from refusing cookies and benefits a company that bases its main revenue streams on advertising and targeting based on cookies.

The CNIL ordered the companies to provide users located in France with a means of refusing cookies as simple as the existing means of accepting them within three months or pay the penalty of €100.000 euros per day of delay.

Cookie regulation, or the ePrivacy Directive, does not directly fall under the GDPR,  but GDPR defines how data controllers can obtain consent and therefore counts as the GDPR fine.

Read the entire article: CNIL fines Google and Facebook a total of €210 million over cookies

9. Google Ireland fine- €60 million French GDPR fine for Google

The €60 million fine to Google Ireland was issued by the CNIL on the same day as the abovementioned fine to Google LLC.

The smaller fine of 60 million euros was issued for the exact same reasons as the €90 million fine. However, this fine was issued concerning the google.fr search website.

10. Facebook Ireland-  €60 million French GDPR fine for Google

Facebook failed to provide mechanisms allowing its users to refuse cookies as easily as they can accept them.

The investigation, which started in April, uncovered that, as opposed to a single button to accept cookies, Facebook requires several clicks to refuse cookies.

In addition, the button to refuse cookies is located at the bottom of the second page and was labeled “Accept cookies,” which was confusing and misleading.

11. Google France GDPR fine – €50 million  French GDPR fine for Google

On January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google a €50 million fine for lack of transparency, inadequate information, and valid consent regarding the ads personalization.

Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.

12. CRITEO fine -€40 million  French GDPR fine for Google

On June 15, 2023, (CNIL) levied a substantial fine of €40 million against CRITEO, an online advertising company renowned for its expertise in behavioral retargeting.  CRITEO failed to obtain proper consent, provide clear information, and enable user rights.

CNIL found multiple violations, including trackers without user consent, lack of transparency in privacy policy, incomplete access to personal data, inadequate consent withdrawal and data erasure procedures, and absence of joint controller agreements.

Read the entire article: CRITEO Fined €40 Million Over Targeted Advertising

13. H&M GDPR fine- €35.25 million german-gdpr-fine

The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35,3 million fine to Swedish retail conglomerate Hennes & Mauritz – H&M for violating the GDPR.

After a technical error, the data on the company’s network drive was accessible to everyone for a few hours. The press picked up the news making the Commissioner aware of the violation.

The case is pretty interesting since the company collected sensitive personal data of their employees through whispering campaigns, gossip, and other sources to create profiles of employees and used that data in the employment process.

The personal data included medical records, diagnoses and symptoms of the illness, and private details about vacation and family affairs.

Read the entire article: H&M fined €35,3 Million for violation of the GDPR

14. Amazon France Logistique- €32 Million GDPR Fine French GDPR fine for Google

Amazon France Logistique, responsible for managing Amazon’s warehouses in France, incurred a €32 million GDPR fine from the CNIL for implementing an intrusive employee monitoring system.

This system utilized scanners to track employee activity, leading to data retention and statistical indicators that the CNIL deemed disproportionate and excessive.

The investigation stemmed from employee complaints and media coverage, revealing violations such as unlawful data retention, excessive monitoring, failure to ensure lawful processing, and lack of transparency and security measures.

The CNIL criticized indicators like tracking scanner inactivity and fast scanning, considering them invasive and unnecessary.

Despite acknowledging Amazon’s business challenges, CNIL penalized the company due to the extensive monitoring’s impact on employees’ privacy and its contribution to Amazon’s competitive advantage.

Read the entire article: €32 Million GDPR Fine for Amazon France Logistique

15. TIM GDPR fine- €27.8 million gdpr fines in italy

On January 15, 2020, the Italian DPA Garante issued a 27,8 million GDPR fine to  Italian telecommunications operator TIM for an extensive list of violations.

TIM has contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or other legal bases.

A few million individuals were affected by their aggressive marketing strategy. Violations included:

  • Improper management of consent lists
  • Excessive data retention
  • Data Breaches
  • Lack of proper consent
  • Violation of GDPR rights.

The personal information included name, surname, or company name; tax code or VAT number; telephone line; address; and contact details.

Read the entire article: €27,8 million GDPR fine for Italian Telecom -TIM

16. British Airways GDPR fine – €22.4 million UK gdpr fine

In 2019, the ICO announced the intention to issue €204,6 million (£183.39 million) to British Airways for violation of GDPR (Article 32 and Art. 5 (1) f) ). 

What was initially announced as the biggest GDPR fine ever issued ended up being reduced to £20 million in light of the COVID-19 pandemic and its effect on the airline industry.

The incident occurred in July 2018 but was only discovered in September 2018. In those few months, the British Airways website diverted users’ traffic to a hacker website, which resulted in hackers stealing personal data of more than 400.000 customers.

According to the ICO official statement, “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”

The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well name and address information.”

Read the entire article: British Airways fine for 2018 data breach reduced to £20 million

17. Marriott GDPR fine – €20.45 million UK gdpr fine

In July 2019, ICO issued an intent to fine Marriott International £99 million for infringements of the GDPR.  

The fine was related to the cyber attack, exposing personal data of over 339 million guest records

Out of those 339 million individuals, 31 million were residents of the EEA.

Marriott International exposed itself to the cyber-attack after acquiring the Starwood Hotels group.

The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

On October 30, 2020, the ICO issued a penalty notice explaining its decision. After over a year, the fine was settled from £99 million to £18,4 million.

In their penalty notice, the ICO explains the reasons behind the decision, taking into account a range of mitigating factors and the impact of the COVID-19 pandemic.

18. Clearview AI fine- €20 million gdpr fine france

On 20 October 2022, the French Data Protection Agency – CNIL, imposed a €20 million fine on Clearview AI over their facial recognition technology.

Following the unaddressed formal notice, the CNIL issued a maximal fine and ordered Clearview AI to cease collecting and using personal data on individuals in France without the proper legal basis and to delete the data already in use.

If they fail to do so, Clearview AI could face additional penalties of €100,000 per day of delay two months after the decision.

Read the entire article: CNIL issues €20 million GDPR fine to Clearview AI

19. Clearview AI fine – €20 million gdpr fine in Greece

On 13 July 2022, Hellenic DPA fined Clearview AI €20 million for violating lawfulness and transparency principles and its obligations under Articles 12, 14, 15, and 27 of the GDPR.

The DPA examined a complaint against Clearview AI, filed by the civil non-profit organization “Homo Digitalis,” on behalf of a complainant, who claimed that s/he was unsatisfied with the right of access s/he exercised before the aforementioned company.

With the complaint at issue, it was also requested that the company be examined on the whole from the point of view of protecting personal data.

The DPA ordered Clearview AI to comply while imposing a ban on collecting and processing personal data of subjects located in the Greek territory, using methods included in the facial recognition service.

Finally, the DPA ordered Clearview AI Inc. to delete the personal data of those subjects located in Greece.

Read the entire article: Hellenic DPA fines Clearview AI 20 million euros

20. Clearview AI fine- €20 million gdpr fines in italy

On 2 October 2022, the Italian Data Protection Authority (Garante) imposed a hefty fine of €20 million on Clearview Al, a US-based company, for its non-compliance.

The company, which owns an extensive database containing over 10 billion facial images worldwide, was found to have engaged in biometric surveillance activities within Italy.

The DPA found unlawful processing of personal data without a legal basis and violations of GDPR principles, including transparency, purpose limitation, and storage limitation.

GDPR fines so far -conclusion

This is the up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, indicating a lot of activities from data protection authorities. As the DLA Piper report states:

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”

2023 is likely to give rise to more data privacy laws and could prove to be a year of increased enforcement and greater penalties for violations of GDPR.

How to start your compliance journey

Data Privacy Manager consists of four products and 11 modules that tackle real day-to-day challenges and can help you with:

GDPR software vs. Excel

  • PERSONAL DATA DISCOVERYAI-based solution designed to automate personal data discovery and classification across your systems in any language and script from structured and unstructured sources through machine learning and database connectivity, eliminating false positives and providing accurate insight into personal data. 
  • PRIVACY PROGRAM AUTOMATIONSix modules (Data Processing Inventory (ROPA), Data Subject Requests, Third Party Management, Assessment Automation, Risk Management, and Incident Management) designed to automate privacy processes, support cross-departmental cooperation and minimize privacy-related risks.
  • CONSENT AND PREFERENCE MANAGEMENTManage consents in real-time and provide customers with easy and secure access to their data. It gives a clear overview of activities and enables you to keep records of consent in one central place. Real-time insight into the complete personal data lifecycle from the moment of opt-in to the data removal
  • DATA REMOVAL ORCHESTRATION A clear and automated way to delete personal data that is no longer needed or is requested to be removed. Data Privacy Manager has paired up with filerskeepers to provide a privacy platform with instant access to data retention information across hundreds of countries worldwide.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top