5 Biggest GDPR Fines So Far [2020]

Research from the beginning of the year by the DLA Piper: GDPR data breach survey January 2020, reported there had been 160,921 personal data breaches within the EEA, from May 25, 2018, up until January 2020. Since the report, the numbers have gone up.

However, the total amount of issued GDPR fines does not really follow those numbers. Despite the 160 something thousand violations reported to the data protection authorities.

Total amount of GDPR fines

The rough amount of all GDPR fines issued so far is currently a little bit over €220 million, which is not a staggering number, and that is if we include recent Marriot and British Airways fines. Interestingly, both the smallest and the biggest fine to this date was issued to Google.

There are also some GDPR fines (7 in total), where the amounts were not made public, so we cannot include them.

sum of all gdpr fines so far, including smallest and biggest GDPR fine

The report continues with the highest GDPR fines among EU member states, with France, Austria, and Germany as leading countries that issued the biggest GDPR fines so far, but with mostly one big penalty.

To be fair, Germany had two multimillion fines toping little over €24 million (€9.55 million GDPR fine for 1&1 Telecom and €14.5 million GDPR fine to Deutsche Wohnen SE).

Total amount of GDPR fines by country

However, by the end of 2020, Italy has issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties, leaving behind Germany, France, and the UK.

Total amount of GDPR fines by country

Countries with the most GDPR fines issued so far

If we look at the activity of all EU data protection authorities, head and shoulders above everybody is the Spanish Data Protection Authority (AEPD) with 158 fines, starting from €540, with the highest fine in the amount of €125 000- all together AEPD issued over €3,85 million in fines.

Number of GDPR fines by country in EU and EEU

Two levels of GDPR fines

Before we jump over to the fines, a quick recap; there are two levels of GDPR fines:

• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher
• the upper level is twice that size or €20 million and 4% of the worldwide annual revenue.

Since we don’t want to repeat ourselves (too much), you can read more about GDPR fine in general in our glossary.

5 biggest GDPR fines so far


1. Google – €50 000 000  French GDPR fine for Google

On 21 January 2019, the French National Commission on Informatics and Liberty or CNIL, fined Google with a €50 million fine. This is the biggest GDPR fine to this date, issued for violation of:
Information to be provided where personal data are collected from the data subjectArticle 13,
Information to be provided where personal data have not been obtained from the data subjectArticle 14,
Lawfulness of processingArticle 6,
• and Principles relating to the processing of personal dataArticle 5

The fine was therefore issued on the account of lack of transparency on how the data were harvested from data subjects and used for ad targeting. Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.

2. H&M – €35 200 000 german-gdpr-fine

The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35,3 (or $41,5) million fine to Swedish retail conglomerate Hennes & Mauritz – H&M, for the violation of the General Data Protection Regulation (GDPR).

The issue became public after a technical error, the data on the company’s’ network drive was accessible to everyone in the company for a few hours and the press picked up the news making the Commissioner aware of the violation.

The case is pretty interesting since the company collected sensitive personal data of their employees through whispering campaigns, gossip, and other sources to create profiles of employees and used that data in the employment process.

The personal data included medical records including diagnoses and symptoms of the illness as well as private details about vacation and family affairs.

H&M fined €35,3 Million for violation of the GDPR

3. TIM – €27 800 000 gdpr fines in italy

January 15, 2020, was a critical day for Italian telecommunications operator TIM. The Italian DPA Garante issued 27,8 million GDPR fine for quite an extensive list of violations. The scope of their illegal activities is hard to ignore. They have contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or other legal bases.

Few million individuals were affected by their aggressive marketing strategy. The activities involved: Improper management of consent lists ❌Excessive data retention ❌Data Breaches ❌Lack of proper consent ❌Violation of GDPR rights. The personal information included name, surname or company name; tax code or VAT number; telephone line; address; contact details.

We recommend you read an entire article that explains violations in detail:

€27,8 million GDPR fine for Italian Telecom -TIM

4. British Airways – €22 000 000 UK gdpr fine

In July 2019, the ICO initially announced its intention to issue €204,6 million (£183.39 million) to British Airways for violation of Article 31 of the GDPR. What was announced as the biggest GDPR fine every set in the UK, ended up being reduced to £20 million, in the light of a recent COVID-19 pandemic and the effect it had on the airline industry.

The incident occurred in July 2018 but was only discovered in September 2018. In those few months, the British Airways website diverted users’ traffic to a hacker website, which resulted in hackers stealing personal data of more than 400.000 customers.

According to the ICO official statement “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”

The company had inadequate security mechanisms to prevent such cyber-attacks from happening. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well name and address information.”

British Airways fine for 2018 data breach reduced to £20 million

5. Marriott International – €20,450,000   UK gdpr fine

In July 2019, ICO issued an intent to fine Marriott International more than £99 million for infringements of the GDPR. The fine was related to the cyber attack, in which personal data of over 339 million guest records, were exposed. Out of those 339 million individuals, 31 million were residents of the EEA.

Marriott international exposed itself to the cyber-attack after the acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

On October 30, 2020, the ICO issued a penalty notice explaining their decision. After more than a year, there is finally a conclusion to the ICO investigation, the fine is settled from a massive £99 million to £18, 4million.

In their penalty notice, the ICO explains the reasons behind the decision taking into account a range of mitigating factors and the impact of the Covid-19 pandemic.

Marriott also commented on the decision on their official website stating:

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

In 2020, Marriott suffered another data breach, this time affecting 5.2 million individuals. Read more about the second Marriot breach:

New Marriott breach- What is going on?

GDPR fines so far -conclusion

This is the up to date and current list of biggest GDPR fines so far, but the list is constantly changing indicating a lot of activities from data protection authorities. As the DLA Piper report is stating:

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”

An important takeaway from the recent ICO decision to reduce fine for British Airways shows that regulators are adjusting to the special circumstances of the current global situation. What remains to be seen is will other data protection authorities follow?

How can you become compliant faster?

Data Privacy Manager can help you with:

✅ central management and connectivity with other systems
✅ collaboration through all organizational units
✅ automated data removal
✅ managing compliant record of processing activities
✅ risk-free third-party management

Try a 14-day free trial of the Data Privacy Manager and experience how you can simplify managing records of processing activities and risk assignment!