2021 research by the DLA Piper: GDPR data breach survey states a 19% increase in the number of breach notifications, from 278 to 331 breach notifications per day, in the past year, continuing the trend of double-digit growth for breach notifications.
Although 2020 showed some increase in activity by data protection authorities, GDPR fines did not nearly reflect those data breach numbers, even though personal data breaches are just one of the aspects that the GDPR deals with.
At the same time, we see big tech giants like Facebook, Twitter, or Google that seem to be getting away with just a slap on the wrist.
Twitter was hit with a €450,000 GDPR fine, which many found to be significantly less than expected (and almost two years after the breach disclosure), leading to strong criticism of GDPR’s effectiveness.
There were a few other setbacks, like an 18 million euro GDPR fine for the Austrian Post that was overturned at the end of 2020 or a significant reduction in the amount of two most-talked-about fines (Marriot and British Airways), due to special circumstances of the Coronavirus pandemic.
However,2021 still suggests regulators will step up and test their powers.
Total amount of GDPR fines
The rough amount of all GDPR fines issued so far is currently a little over €293 million. Interestingly, both the smallest and the biggest fine to this date was issued to Google.
Total amount of GDPR fines by country
By the end of 2020, Italy has issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties.
In 2021 Italy is still holding the first position with a little over €76 million, followed by Germany €63 million, France €54 million, UK €44 million and Spain €25 million.
If we look at the countries with the lowest total amounts of GDPR fines, surprisingly, Austria is at the bottom with only Iceland, Isle of Man, Malta, and Croatia behind- assuming that two Croatian fines were not publicly disclosed were lower than €70.000.
Countries with the biggest number of GDPR fines issued so far
If we look at the activity of all EU data protection authorities, head and shoulders above everybody is the Spanish Data Protection Authority (AEPD) with 212 fines.
Altogether, the AEPD issued over €25 million in fines, thanks to two big fines issued recently to Banco Bilbao Vizcaya Argentaria (€5 million) and €6 million to CaixaBank – the highest GDPR fine the DPA has issued so far.
Two levels of GDPR fines
Before we jump over to the fines, a quick recap; there are two levels of GDPR fines:
• the lower level is up to €10 million, or 2% of the worldwide annual revenue from the previous year, whichever is higher
• the upper level is twice that size or €20 million and 4% of the worldwide annual revenue.
Since we don’t want to repeat ourselves (too much), you can read more about GDPR fine in general in our glossary.
20 biggest GDPR fines so far
Among EU member states, the highest individual GDPR fines were issued by France, Germany, Italy, and the UK.
In the last year’s report, Austria was one of the leaders in the biggest individual GDPR fine issued so far. However, the order was changed after the beforementioned turnover of the fine.
1. Google France GDPR fine – €50 million
On January 21, 2019, the French National Commission on Informatics and Liberty (CNIL), fined Google a €50 million fine. Marking it as the biggest GDPR fine to this date, issued for violation of:
- Information to be provided where personal data are collected from the data subject – Article 13,
- Information to be provided where personal data have not been obtained from the data subject – Article 14,
- The lawfulness of processing – Article 6,
- Principles relating to the processing of personal data – Article 5
Therefore, the fine was issued because of a lack of transparency on how the data were harvested from individuals and used for ad targeting.
Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.
2. H&M GDPR fine- €35.25 million
The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35,3 (or $41,5) million fine to Swedish retail conglomerate Hennes & Mauritz – H&M, for the violation of the General Data Protection Regulation (GDPR).
After a technical error, the issue became public. The data on the company’s network drive was accessible to everyone in the company for a few hours. The press picked up the news making the Commissioner aware of the violation.
The case is pretty interesting since the company collected sensitive personal data of their employees through whispering campaigns, gossip, and other sources to create profiles of employees and used that data in the employment process.
The personal data included medical records including diagnoses and symptoms of the illness and private details about vacation and family affairs.
3. TIM GDPR fine- €27.8 million
The scope of their illegal activities is hard to ignore. TIM have contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or other legal bases.
Few million individuals were affected by their aggressive marketing strategy. Violations included:
- Improper management of consent lists
- Excessive data retention
- Data Breaches
- Lack of proper consent
- Violation of GDPR rights.
The personal information included name, surname, or company name; tax code or VAT number; telephone line; address; contact details.
We recommend you read an entire article that explains this case in detail:
4. British Airways GDPR fine – €22.4 million
What was initially announced as the biggest GDPR fine ever issued ended up being reduced to £20 million, in light of the recent COVID-19 pandemic and its effect on the airline industry.
The incident occurred in July 2018 but was only discovered in September 2018. In those few months, the British Airways website diverted users’ traffic to a hacker website, which resulted in hackers stealing personal data of more than 400.000 customers.
According to the ICO official statement, “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”
The company had inadequate security mechanisms to prevent such cyber-attacks from happening.
The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well name and address information.”
5. Marriott GDPR fine – €20.45 million
In July 2019, ICO issued an intent to fine Marriott International £99 million fine for infringements of the GDPR. The fine was related to the cyber attack, exposing personal data of over 339 million guest records.
Out of those 339 million individuals, 31 million were residents of the EEA.
Marriott international exposed itself to the cyber-attack after the acquisition of the Starwood hotels group.
The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.
On October 30, 2020, the ICO issued a penalty notice explaining its decision. After more than a year, there is finally a conclusion to the ICO investigation, the fine is settled from a massive £99 million to £18, 4million.
In their penalty notice, the ICO explains the reasons behind the decision taking into account a range of mitigating factors and the impact of the Covid-19 pandemic.
Marriott also commented on the decision on their official website stating:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
In 2020, Marriott suffered another data breach, this time affecting 5.2 million individuals. Read more about the second Marriot breach:
6. Wind GDPR fine – €16.7 million
On July 13, 2020, the Italian DPA- Garante issued a €16,700,000 GDPR fine to telecommunication operator – Wind Tre S.p.A.
The fine was issued following complex investigations after numerous complaints from individuals. More than a hundred clients filed a complaint about unsolicited marketing activities conducted without proper consent via calls, fax, automated telephone calls, and SMS.
Also, several customers complained that they could not withdraw their consent or even object to the processing while their personal data was published in public directories.
The DPA investigation showed that the apps that were used (MyWind and My3 ) had been configured to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment, and geolocation; withdrawal of such consent was allowed only after 24 hours.
7. Vodafone Italia GDPR fine- €12.25 million
On November 12, 2020, the Italian data protection authority – Garante issued a €12.25 million GDPR fine to Vodafone Italia for unlawful processing of personal data of millions of users for telemarketing purposes.
Garante conducted a complex investigation following numerous complaints about continuous unwanted telephone calls made by Vodafone and their sales network to promote their services.
The investigation unveiled an information storage system that had up to 4.5 million contacts, the list was purchased from external providers without proper consent. The violations affected Vodafone’s entire Italian customer base.
As the EDPB noted “The investigation brought to light major criticalities of a ‘structural’ nature having to do with the violation not only of consent requirements but also of key principles such as accountability and data protection by design as set forth in the EU GDPR. These criticalities could be traced down to the processing activities performed both in respect of Vodafone’s customer database and – more broadly – with regard to prospective users of electronic communications services.”
on January 8, 2021, German electronics retailer Notebooksbilliger.de received a €10.4 million GDPR fine for video monitoring employees for over two years without any legal basis, recording workplace, salesrooms, warehouses, and common areas.
Notebooksbilliger claimed that the reason behind the CCTV monitoring was theft prevention and criminal offenses investigation as well as tracking the flow of goods from the warehouse.
Two main objections of the LfD was that video monitoring was done without a proper legal basis and kept for significantly longer than necessary (60 days), in the time span of at least two years.
The fine was issued for unlawful processing in connection with telemarketing and teleselling activities. The Eni Gas e Luce conducted advertising calls without proper consent and regardless of customers’ previous refusal to receive advertising calls.
The company did not implement appropriate technical and organizational measures for consent management or any other appropriate solution for recording data subjects’ communication preferences and without verifying the public opt-out register.
Adding to the really serious list of violations is purchasing the data of potential customers from the list providers without any consent for the disclosure of those data sets.
On March 11, 2021, the Spanish Data Protection Authority (the AEPD) issued an €8.15 million fine to Vodafone Spain.
The fine actually consists of four fines; two for violation of the GDPR and two for violation ofo Spanish laws on digital rights and telecommunications and cookies.
Vodafone had targeted customers with unsolicited marketing activities including calls, emails, and SMS without proper consent. Some customers who have been contacted were even listed in the directory of people who do not want to receive marketing communications.
Vodafone was outsourcing some of its operations and was no longer able to identify which customers had opted out of third-party communications.
They also approved an international data transfer that didn’t meet the requirements of the GDPR and was found operating without any means to verify the origin or legality of the data being processed.
On January 13, 2021, the Spanish Data Protection Authority (AEPD) issued a €6 million fine to CaixaBank, S.A. for unlawful processing of personal data and for not providing sufficient information regarding the processing of personal data.
Just one month earlier Spanish DPA issued a €5 million GDPR fine to the BBVA bank, which indicates that AEPD wants to keep its status as one of the busiest data protection authorities in the EU.
The fine was issued for two infringements of GDPR, the first violation for how CaixaBank established a legal basis for personal data processing. Second, for violation of transparency requirements for Articles 13 and 14.
On December 11, 2020, the Spanish Data Protection Authority (AEPD) issued €2 million for violation of Article 13, about information that needs to be provided where personal data are collected from the individuals and €3 million for violation of Article 6 on the lawfulness of processing to Banco Bilbao Vizcaya Argentaria (BBVA).
This is the second largest fine issued to a financial institution in Spain.
The Swedish Data Protection Authority issued a 75 million Swedish kronor fine (approximately €7 million or $8 million ) to Google for violation of General Data Protection Regulations.
It all started in 2017 when the DPA conducted an audit concerning how Google handles individuals’ right to have search result listings for searches that include their name, removed from Google’s search engine under the right-to-be-forgotten requests.
In the follow-up audit, the DPA concluded that Google did not fully comply with their order to remove several search results listing which resulted in huge fine.
14. Fastweb GDPR fine – €4.5 million
On March 25, 2021, Italian DPA (Garante) fined Fastweb €4.5 million for processing personal data of millions of users for telemarketing purposes without their consent.
Fastweb was also using unlisted telephone numbers that the company had not registered with Italy’s Register of Communication Operators.
15. Eni Gas e Luce GDPR fine- €3 million
This fine was issued to Eni Gas e Luce, on the same day (17 January 2020) as the fine currently listed as number 9. The two fines were issued the same day to the same entity.
The “smaller” GDPR fine in the amount of 3 million EUR was issued for unsolicited contracts in the free market for the supply of energy and gas, with 7200 affected individuals.
The Garante stated: “The […] investigations revealed that the conduct adopted by Egl in the acquisition of new customers through some external agencies operating on its behalf, due to organizational and management methods, resulted in treatments not compliant with the EU Regulation, as they are contrary to the principles of correctness, accuracy, and updating of data.”
On March 12, 2020, the Swedish data protection authority issued a fine to a medical company Capio St. Göran for insufficient technical and organizational measures to ensure information security.
The investigation uncovered the hospital information system was not appropriately secured ignoring the principle of minimum access which gave users full access to all patient data, including sensitive information.
On May 13, 2021, one of the busiest DPA in the EU, the Italian Garante, issued a new multimillion GDPR fine to Iren Mercato S.p.A. for the insufficient legal basis for data processing and violation of Articles 5(1) and (2), 6(1) and 7(1).
The insufficient legal basis refers to telemarketing activities without obtaining proper consent. Personal data that the organization used in its telemarketing activities was also purchased from a third party -Nethex Digital Marketing.
On June 10, 202, Italian DPA issued a fine to a Glovo-owned company Foodinho €2.6 million for numerous privacy violations regarding the algorithms used for management of its employees.
The Garante found that Foodinho had not adequately informed employees on how the system works and did not guarantee the accuracy and correctness of the results of the algorithms used for the evaluation of the workers.
Foodinho did not have proper procedures in place to protect the right to obtain human intervention, express opinion, or contest the decisions adopted through the use of the algorithms, excluding some of its employees from job opportunities.
The Garante also identified a number of shortcomings regarding technical and organizational security measures, data protection impact assessments, and record-keeping.
On August 28, 2019, Bulgaria’s Data Protection Authority, issued a €2.6 million fine to the country’s National Revenue Agency for violations of the GDPR.
The DPA conducted an investigation over a data breach that affected 5 million Bulgarian citizens and uncovered there was a lack of appropriate technical and organizational security measures, which resulted in unauthorized access, unauthorized disclosure, and dissemination of the sensitive categories of personal data, including names, PINs and addresses, telephone numbers, e-mail addresses and other contact information, among others.
On November 18, 2020, the French Data Protection Authority (CNIL) issued a €2.25 million fine for non-compliance with general data processing principles.
The investigation uncovered that Carrefour retained the data of more than 28 million inactive customers, through its customer loyalty program, for an excessive period and failed to act upon customer requests to delete their data as well as customer objections to SMS and telemarketing.
Carrefour made the process of exercising data subject rights unreasonably difficult by excessively asking for proof of identity from its customers, and not respecting the time limit for responding set by the GDPR. It also failed to provide adequate information on data transfers and the legal basis of processing.
GDPR fines so far -conclusion
This is the up-to-date and current list of the biggest GDPR fines so far, but the list is constantly changing indicating a lot of activities from data protection authorities. As the DLA Piper report is stating:
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”
An important takeaway from the recent ICO decision to reduce the fine for British Airways shows that regulators are adjusting to the special circumstances of the current global situation. What remains to be seen is will other data protection authorities follow?
How can you become compliant faster?
Data Privacy Manager is a modular solution that tackles real day-to-day challenges of small, medium-sized companies and enterprises, and can help you with:
✅ central management and connectivity with other systems
✅ collaboration through all organizational units
✅ automated data removal
✅ managing compliant record of processing activities
✅ risk-free third-party management
Try a 14-day free trial of the Data Privacy Manager and experience how you can simplify you compliance journey using technology.