There’s a lot of talk about the European Union’s General Data Protection Regulation (GDPR) and what it means for websites. The law has strict requirements for how organizations can collect and use data and what they need to tell visitors.
It can be tempting to just ignore all of those rules — after all, the consequences for GDPR noncompliance can’t be that bad, right?
Wrong.
In just the past four years since the GDPR went into place, companies have routinely faced eight- and nine-digit fines from failing to comply with the GDPR to mishandling data breaches.
Use the table of contents below to skip to the biggest GDPR fines in a specific year, or keep reading to learn about the top 10 highest fines ever issued under the GDPR.
Top 10 GDPR Fines Ever Issued
The GDPR structures and issues fines based on a company’s international revenue. That’s why you’ll see some familiar names on the list below.
These ten companies were found to violate the GDPR’s rules and forced to pay fines to the tune of tens or hundreds of millions of euros.
1. Amazon — €746 million ($780.9 million)
Year Issued: 2021
The online retailer’s Luxembourg EU headquarters was found to be tracking user data without acquiring appropriate consent from users or providing the means to opt out from this tracking — resulting in Amazon being hit with the largest GDPR fine to date.
2. WhatsApp — €225 million ($247 million)
Year Issued: 2021
Ireland’s Data Protection Commission fined WhatsApp for unclear privacy policies and a lack of transparency in how it was using user data.
3. Google Ireland — €90 million ($99 million)
Year Issued: 2021
France’s CNIL fined Google Ireland for failing to give users an easy way to refuse cookies under both the GDPR and the ePrivacy Directive.
4. Google — €60 million ($66 million)
Year Issued: 2021
The CNIL also fined the US-based Google LLC for failing to give users appropriately simple ways to refuse cookies on YouTube.
5. Facebook — €60 million ($66 million)
Year Issued: 2021
The third CNIL fine in 2021, Facebook was also penalized for failing to give users easy methods to refuse cookies when using the website.
6. Google — €50 million ($55 million)
Year Issued: 2019
Yet another Google GDPR fine! The CNIL fined Google in 2019 for confusing and poorly structured privacy consent agreements that prevented users from understanding what they actually agreed to.
7. H&M — €35.3 million ($39 million)
Year Issued: 2020
The clothing retail giant was fined for collecting and storing information about its employees’ families, religions, and health histories for unlawful reasons.
8. TIM — €27.8 million ($30.7 million)
Year Issued: 2020
The Italian telecom was fined for using customer data without consent to perform telemarketing calls and improperly storing and processing customer data in ways that risked security breaches.
9. Enel Energia — €26.5 million ($29.3 million)
Year Issued: 2022
The multinational electric and gas supplier was fined for failing to get user consent or inform customers before using their personal data for telemarketing calls.
10. British Airways — £20 million ($26 million)
Year Issued: 2020
The airline was fined for failing to prevent a massive data breach that exposed the personal data of 400,000 customers and failing to spot and respond to the breach in a timely fashion.
How To Avoid GDPR Fines With Termly
These fines demonstrate precisely how important it is for businesses to comply with the GDPR no matter where they’re located.
Termly can help your organization implement GDPR-compliant policies and handle your data consent needs.
With Termly, you can:
- Generate a privacy policy that automatically update when laws change
- Implement cookie consent management that follows the GDPR, CCPA, and the ePrivacy Directive
- Track user consent to maintain cookie compliance
- Automatically block cookies for any user that chooses not to accept them
Working with Termly can ensure that you’re always complying with current international data protection laws.
Instead, you can focus on running your business and let Termly handle privacy and GDPR cookie compliance for you.
Biggest GDPR Fines in 2022
The year 2022 is only a few months old, and even so, since January, there have already been multiple massive fines issued to companies violating the GDPR. This is because these organizations have had multiple years to comply with the EU’s data protection law and did not do so. As a result, they’re facing dramatic fines for violating EU citizens’ rights to data privacy.
1. Instagram — €405 million ($401.3 million)
Instagram, owned by Meta Platforms, was fined by the Irish Data Protection Commissioner in the second the highest GDPR fine ever imposed.
Why They Were Fined
Instagram was fined €405 million for violating rules on the processing of children’s data without a legal basis. Children between 13 and 17 years old had their phone numbers and email addresses publicly available if they operated a business or creator Instagram account.
How They Responded
Instagram stated that it disagreed with the way the fine was calculated and was reviewing the decision.
2. Enel Energia — €26.5 Million ($29.27 Million)
Enel Energia, an international electricity and gas distributor headquartered in Italy, has received the highest GDPR fine of 2022 so far.
Why They Were Fined
Italy’s data protection agency, called the Garante, chose to fine Enel Energia €26.5 million after receiving hundreds of complaints against the company.
The Garante’s investigation found that Enel Energia was using the personal data of its customers unlawfully. The company used this private data to perform telemarketing calls without getting appropriate user consent or informing users how their information would be used.
How They Responded
Enel Energia claims that the calls were performed to contact customers during the pandemic. In a statement emailed to Compliance Week, Enel Energia stated it would “evaluate any subsequent action” regarding the Garante’s requirements that the company brings its data processing activities into compliance with the GDPR. The company also reserves the right to file an appeal.
3. Clearview AI — €20 million ($20.9 million)
Clearview AI is an American facial recognition company headquartered in New York.
Why They Were Fined
Clearview AI collects selfies and images off the internet and compiles them into a database for facial recognition that it then sells to third parties (like law enforcement). It was fined €20 million by the Italian Privacy Regulator (Garante della privacy) after they investigated several complaints.
Garante found that Clearview AI processed personal data, including biometric and geolocation information, without an appropriate legal basis. It also violated GDPR principles of transparency, purpose limitation, and storage limitation.
In Italy, Clearview AI is now prohibited from collecting images and processing the data. It was also ordered to erase the data it had of anyone in Italy.
How They Responded
Clearview AI CEO Hoan Ton-That stated that Clearview AI does not have any business operations or customers in Italy or the European Union, so it is not subject to the GDPR.
4. Clearview AI — €20 million ($20.9 million)
Clearview AI was also found to have violated the GDPR by the French data protection agency, Commission nationale de l’informatique et des libertés (CNIL).
Why They Were Fined
CNIL opened the investigation into Clearview AI in 2020 after receiving complaints about the facial recognition software. In November 2021, it ordered Clearview to delete all the data of people in French territory, as it did not have a legal basis to protect individual rights and comply with deletion requests.
The CNIL fined Clearview AI for unlawfully processing personal data and not protecting the rights of those in French territory.
How They Responded
Clearview AI responded that it was impossible to determine from public photos on the internet who was in French territory and, therefore, could not delete the data. It also stated that it only collected public information and that it did not do business in France or the EU and so was not subject to the GDPR.
5. Clearview AI — €20 million ($20.9 million)
In another move against Clearview AI, the Hellenic Data Protection Agency in Greece also fined it for violating the GDPR.
Why They Were Fined
Clearview AI was found to violate the GDPR principles of legality and transparency by collecting photos and selfies without consent.
How They Responded
Again, Clearview AI responded, stating that it did not have any customers or a place of business in Greece or the EU and therefore was not subject to the GDPR.
6. Meta Platforms Ireland Limited — €17 million ($18.7 million)
Meta Platforms Ireland Limited (Meta), formerly Facebook Ireland Limited, was fined by the Data Protection Commission (DPC) in Ireland.
Why They Were Fined
The DPC investigated Meta after it received notification of 12 data breaches between June 2018 and December 2018. After an investigation, it found that Meta did not have the proper technical and organizational measures, so it could not demonstrate the security measures it had to protect user data.
The DPC fined Meta €17 million.
How They Responded
A Meta representative responded to the DPC’s decision: “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
7. Google LLC — €10 million ($10.47 million)
Google was fined €10 million by the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD) after it initiated an investigation.
Why They Were Fined
The AEPD found that Google was transferring data collected from EU citizens to the Lumen Project, a research project based in the United States, without its permission. Further, the form users had to fill out to delete their information was complicated and thereby violated the right to be forgotten.
For these two violations, Google was fined €5 million each.
How They Responded
A representative from Google maintained the company’s promise of transparency and would review the decision to reexamine its practices to be compliant with privacy regulations.
8. Clearview AI Inc. — €8.75 million ($9.34 million)
Clearview AI was also fined by the data protection agency in the United Kingdom.
Why They Were Fined
The Information Commissioner’s Office (ICO) found that Clearview AI was collecting the images for its facial recognition software without having a lawful reason. It ordered Clearview AI to delete the data it collected on UK residents.
How They Responded
The CEO of Clearview AI, Hoan Ton-That, stated that the ICO “misinterpreted” his technology and motivations. He maintained that Clearview AI only collects public information and obeys all data privacy laws and standards.
9. REWE International — €8 Million ($9 Million)
The Austrian food retailer REWE International was fined €8 million by the Austrian Data Protection Authority (DPA).
Why They Were Fined
The company was fined for mismanaging the data of users involved in its loyalty program. The program, called jö Bonus Club, collected the data of its users without their consent and used that data for marketing purposes.
How They Responded
REWE International intends to appeal the decision. The company argues that jö Bonus Club is a subsidiary company that operates independently from REWE International as a whole. Therefore, according to this argument, jö Bonus Club was responsible for using client data, not REWE International.
The parent company further claims that this means jö Bonus Club should be fined instead. This would significantly reduce the fine since GDPR penalties are set according to the fined organizations’ revenue. However, it’s unclear whether this appeal will successfully reduce the fine.
10. Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)
The Greek mobile phone operator Cosmote Mobile Telecommunications was fined €6 million by the Hellenic Data Protection Authority (HDPA).
Why They Were Fined
The fine had two root causes. First, a hack in September 2020 into the company’s private data led to a significant data breach, exposing customers’ private information.
Second, the company was found to be illegally processing customer data. As a result, the September hack exposed significantly more data than it should have. In addition, private data was not fully pseudonymized, making it easier for hackers to identify individuals based on the leaked data.
How They Responded
The company has not yet issued a response to the fine.
11. Interserve Group Limited — €5 million ($4.94 million)
Interserve Group Limited is a British construction and support service company headquartered in the United Kingdom. It was found to have breached the GDPR based on a data breach that occurred two years ago.
Why They Were Fined
The UK ICO held that Interserve Group Limited failed to secure employee personal data, which led to a cyberattack between March 2020 to May 2020, where the data of 113,0000 employees were affected. Personal data, including contact details, national insurance numbers, bank account details, and special category data (ethnic origins, religion, disabilities, sexual orientation, and health information) were exposed.
This failure to secure personal data and keep appropriate safeguards violated the GDPR.
How They Responded
An Interserve representative stated, “Notwithstanding the inconsistencies between the ICO’s penalty notice and press release, and concerns that the ICO has not followed a fair and proper process, Interserve will continue to prioritise the interests of its past and present staff, counterparties, and other stakeholders while engaging with the ICO to resolve their investigations.”
Interserve has until November 21, 2022, to pay the fine, unless it appeals the decision in the next 28 days following the issuance of the fine (October 24, 2022).
12. Uber B.V. and Uber Technologies, Inc. — €4.24 million ($4.47 million)
The popular ride service company Uber was fined €4.24 million by the Italian data protection authorities. Uber B.V. is a Dutch-incorporated company, and Uber Technologies, Inc., is the U.S. parent.
Why They Were Fined
Uber sustained a data breach in 2016 where 57 million users worldwide had their personal data hacked, including their name, last name, phone number, email, app access credentials, localization data, and data related to other users, like ride shares. In Italy, 52,000 drivers and 243,000 passengers were affected.
The Italian DPA found that Uber breached the GDPR. The privacy policy Uber gave to its users was insufficient. Further, Uber had processed data without their consent. Lastly, it did not comply with its duty to notify the Italian DPA of processing for geolocation purposes.
How They Responded
Throughout the proceedings, Uber stated it always provided its users with information on how the processing of data was performed and provided its users with updated privacy policies. It stated it had shared its procedures and policies with the DPA in 2015, and the DPA never questioned anything.
Uber’s arguments were not enough to overcome the GDPR violations.
13. Vodafone España — €3.94 million ($4 million)
Vodafone España was fined by the Spanish data protection agency AEPD for violating the GDPR after conducting an investigation.
Why They Were Fined
The AEPD found that the methods Vodafone used to duplicate SIM cards violated a loss of confidentiality and transferred personal data to a third party. The investigation also found that Vodafone did not maintain a sufficient GDPR compliance program with sufficient security measures, which increased the risk of identity theft.
How They Responded
Vodafone disagreed and said its priority is customer privacy.
14. Dutch Tax & Customs Administration— €3.7 million ($3.8 million)
The Dutch Tax and Customs Administration is the tax collection and customs service in the Netherlands. It was fined by the Dutch Data Protection Authority.
Why They Were Fined
The Dutch Tax and Customs Administration was found to have illegally processed personal data when it kept a blacklist in its Fraude Signalering Voorziening (FSV) — or “fraud identification facility” — which it used to register suspected fraud. Many people were incorrectly included on the list.
The Dutch data protection agency found that:
- There was no legal basis for collecting the information
- The purpose was not specified
- The data was stored for too long
- The data was not protected
- They did not involve a data protection officer when conducting their assessments.
How They Responded
The Dutch Tax and Customs Administration can file an objection to the fine. It has already apologized to 60 individuals harmed by this “blacklist.”
15. OTE Group — €3.25 Million ($3.59 Million)
In connection with the Cosmote fine above, Cosmote’s parent company OTE Group was also fined by the HDPA.
Why They Were Fined
This additional fine of €3.25 million was issued separately after the Cosmote investigation determined that OTE should have been included in the process from the beginning but had not been.
The HDPA also found that OTE Group was partially responsible for the hack into Cosmote’s data. The hacker used an OTE Group administrator password to enter Cosmote’s systems. As such, the HDPA issued an additional fine against OTE Group for failing to secure their data systems properly.
16. Amazon Road Transport — €2 million ($2.27 million)
Amazon Road Transport was fined by the Spanish data protection agency AEPD.
Why They Were Fined
AEPD began investigating a claim against Amazon Road Transport. It found that in hiring self-employed truck drivers, Amazon required that the contractors provide a certificate proving the absence of a criminal record (a negative certificate). Amazon also required these contractors to consent to allow this data (negative certificates) to be transferred to group companies and supplies outside the European Economic Area.
The AEPD determined that these negative certificates were personal data. And because there was no Spanish law allowing for a company to process the criminal history of its truck drivers, there was no legal basis for Amazon to require negative certificates.
Further, the consent given is not informed because no information is given about the processing, purpose, legal basis, or how to withdraw the consent. And the consent is not voluntarily given because it is a condition of moving forward in the hiring process.
How They Responded
Amazon tried to argue that the certificate was legitimate due to it safeguarding the customers’ safety. The AEPD was not persuaded.
17. Easylife Limited — € 1.53 million ($1.6 million)
Easylife Limited is a catalog retailer.
Why They Were Fined
The UK ICO found that Easylife had built profiles on 145,400 people for inferred health conditions without their consent. They made their inferences from the products the customers purchased from Easylife’s Health Catalogue.
Because they did not notify their customers of this use of their data, the ICO found that Easylife violated the GDPR article against the “unlawful and invisible” processing of special category data.
How They Responded
Easylife stated that they would appeal the decision of the ICO. If Easylife does decide to proceed with the appeal, it has until November 1, 2022, to do so.
18. Dedalus Biologie — €1.5 million ($1.56 million)
Dedalus Biologie, a medical software vendor in Europe, was fined by the French data protection agency CNIL.
Why They Were Fined
The French data protection authority fined Dedalus Biology €1.5 million for violating the GDPR. Its database was leaked online and revealed patients’ full names, social security numbers, doctors’ names, examination dates, medical information, and genetic information.
The CNIL found that Dedalus Biologie did not comply with the controller’s instruction when it extracted more information than required, which included personal health information. CNIL also found that Dedalus broke its duty to secure personal data.
How They Responded
Dedalus Biologie responded to the decision by declaring its willingness to improve its security and GDPR compliance.
Biggest GDPR Fines in 2021
2021 is the most recent year for which we have a full 12 months of GDPR fine issuance data.
It’s also the year that saw all of the top five highest GDPR fines ever. Likely because the infrastructure behind investigating GDPR violations matured fully in 2021.
As a result, massive companies that operate on a global scale could be accurately audited, and many were found wanting in terms of data protection.
Here are the biggest fines from 2021, including the record-breaking Amazon fine.
1. Amazon — €746 Million ($823.9 Million)
This fine isn’t just the highest GDPR fine of 2021 — it’s also the single highest GDPR fine ever issued.
Luxembourg’s National Commission fined amazon’s EU base in Luxembourg €746 million for Data Protection (NCDP).
The penalty is nearly three times larger than the next highest GDPR fine.
Why They Were Fined
The NCDP was prompted to start the investigation after the French NGO La Quadrature du Net (Squaring the Net) filed a complaint on behalf of 10,000 Amazon customers. La Quadrature du Net complained that Amazon was clearly tracking user data in impermissible ways to perform its targeted advertising.
During the investigation, the NCDP found that Amazon was tracking the data of its users without acquiring appropriate consent. However, the organization has not released specific details on the grounds of professional secrecy.
How They Responded
Amazon has made it clear that it intends to fight the decision. The company’s argument is that because there have been no data breaches or private data exposed to third parties, its practices do not violate the GDPR. However, La Quadrature du Net responded that “it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked.”
Whether the appeal will succeed is yet to be seen.
2. WhatsApp — €225 Million ($248.5 Million)
Directly after the Amazon fine, the communication app company WhatsApp is the second-highest GDPR fine both of 2021 and of all time.
Why They Were Fined
Ireland’s Data Protection Commission (DPC) investigated WhatsApp’s data handling processes and found multiple violations, leading to a fine of €225 million. The DPC determined that WhatsApp had failed to provide appropriate transparency to users about how it used data. The DPC also found that WhatsApp didn’t provide clear enough privacy policies to users.
How They Responded
However, the size of the fine is up for debate. WhatsApp has appealed the DPC’s decision, arguing that it provides accurate information about its data use to all users. The DPC’s decision has also faced objections from other EU countries, including France, Germany, and Italy, which debated the details of the DPC’s reasoning.
The fine may not go down even if the appeal causes any changes. On the contrary, the European Data Protection Board specifically told the DPC to reassess the fine and set out a higher fine amount after the agency’s original proposal named an amount between €30-50 million.
WhatsApp’s appeal is ongoing.
3. Google Ireland — €90 Million ($99 Million)
Ireland is also the source of the third-highest GDPR fine of 2021.
Why They Were Fined
The French data protection authority (the CNIL) fined Google’s Ireland branch €90 million as a GDPR enforcement method after determining that the company had failed to meet the GDPR’s requirements for cookies, specifically due to making them difficult to refuse on YouTube. The GDPR requires companies to make it equally easy to accept and refuse cookies.
But why did a French authority fine an Irish company?
The CNIL argued that the fine is, in part, related to the EU’s ePrivacy Directive, not just the GDPR. The ePrivacy Directive allows regulators to take direct actions against any website that operates within their jurisdiction.
So, as a result, Google Ireland’s lack of cookie compliance was something that the CNIL could take on directly instead of referring it to the DPC.
How They Responded
Google’s spokespeople have stated that “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision.”
4. Google — €60 Million ($66 Million)
Yes, Google is responsible for multiple chart-topping fines in the same calendar year.
Why They Were Fined
Google was found partially responsible for the same cookie compliance problem as Google Ireland. The CNIL determined that Google LLC, the American branch of the company, was also liable for Youtube’s lack of simple cookie refusals.
This decision demonstrates that large companies may face more than one fine. For example, if a business has multiple branches in various countries, each of those subsidiaries could be at risk of major GDPR enforcement fines.
5. Facebook — €60 Million ($66 Million)
This is the third massive GDPR fine coming from the CNIL in 2021.
Why They Were Fined
Facebook’s Ireland branch, Facebook Ireland Limited, was fined on the same basis as Google Ireland and Google LLC. The CNIL found that Facebook France, a subsidiary of Facebook Ireland, required users to select several options to refuse all nonessential cookies but only one option to accept all cookies.
According to the CNIL, this violated the GDPR and ePrivacy Directives’ rules on cookie usage and rated a fine of €60 million based on Facebook’s revenue.
How They Responded
Facebook has appealed the fine. The company argues that the CNIL is actually trying to enforce its national Guidelines and Recommendations instead of the ePrivacy Directive or the GDPR.
Facebook argues that the CNIL should only be able to fine Facebook France instead of Facebook Ireland, which would significantly reduce the fines the company would have to pay based on revenue.
6. Notebookbilliger.de — €10.4 Million ($11.5 Million)
German online electronics retailer Notebookbilliger.de received a fine of €10.4 million from the German state Lower Saxony’s data protection commissioner.
Why They Were Fined
The commissioner had ordered an investigation into Notebookbilliger.de’s data collection practices. The investigation found that Notebookbilliger.de had installed CCTV cameras in workplaces, sales areas, common areas, and warehouses throughout its business. This footage was retained for 60 days.
While CCTV surveillance is permitted under the GDPR, it has to be performed for a lawful reason and only after other crime prevention methods have not proved successful. Furthermore, video surveillance should be limited, which was not the case in the sales areas.
The commissioner determined that Notebookbilliger.de’s use of video surveillance was disproportionate and fined the company accordingly.
How They Responded
The company’s CEO argued that this fine was unjust, disproportionate, and poorly investigated. Notebookbilliger.de’s appeal of the fine is ongoing.
7. Austrian Post — €9.5 Million ($10.5 Million)
While Austria is not quite as aggressive with GDPR enforcement as France, it is still one of the most assertive countries regarding data protection. For example, the Austrian DPA fined the country’s own national post service €9.5 million for failing to comply with the GDPR.
Why They Were Fined
According to the Austrian DPA, the Austrian Post refused to let people inquire about their stored personal data by email. Although the agency permitted several other methods of inquiry, they specifically refused emails. The DPA determined that this put an undue burden on customers and violated the GDPR.
This fine comes after the Austrian Federal Administrative Court overturned a prior €18 million GDPR fine against the Post for processing customer data to determine the political affiliations of Austrian citizens.
How They Responded
The Post has stated it will appeal this fine just like it appealed the previous one.
8. Vodafone España — €8.15 Million ($9 Million)
The Spanish telecommunications provider Vodafone España faced an €8.15 million fine in 2021 for reported “multiple and repeated GDPR violations.”
Why They Were Fined
According to the Agencia Española Proteccion Datos (AEPD), Vodafone had violated three GDPR articles and multiple other Spanish data protection laws.
Vodafone used customer data to perform illegal telemarketing calls. Furthermore, customers who requested that these calls stop continued to receive telemarketing calls at an aggressive rate. It appears that this is due to Vodafone’s decision to use third-party marketing agencies with no access to do-not-call lists that the company is required to maintain.
How They Responded
Vodafone has argued that its actions are not in violation of the GDPR and that it will appeal the fine. The company has received more than 30 GDPR fines in the four years since the law went into effect.
9. Grindr — €6.3 Million ($7 Million)
US-based dating app Grindr received a €6.3 million fine from Norway’s DPA.
Why They Were Fined
The fine was based on charges that the company has been sending sensitive personal data to third-party advertisers without consent.
While Norway is not a member of the EU, the country has adopted and enforces the GDPR. As such, when Norway’s Consumer Council filed a complaint with the DPA that Grindr shared private data like GPS location, IP addresses, ages, and genders of users, the DPA used GDPR guidelines to investigate the company.
According to the DPA, Grindr requires users to accept the privacy policy in its entirety to use the app. The GDPR specifically bars services from requiring users to accept having non-essential data saved and processed to access the service.
Furthermore, the DPA found that users were not informed about how their data was being used and could not properly consent to the usage.
How They Responded
Grindr has announced that it plans to appeal the decision on the grounds that it has changed its practices and is now in compliance with GDPR requirements.
10. CaixaBank — €6 Million ($6.6 Million)
Another Spanish AEPD fine went to the Spanish bank CaixaBank.
Why They Were Fined
This €6 million fine was issued on the grounds that CaixaBank didn’t meet the GDPR’s requirements for valid consent and that the bank’s consent-acquisition methods were inadequate. The AEPD also found that CaixaBank performed “illicit transfers” of personal data to other companies with its banking ground.
Banks have access to significant sensitive user data, from financial details to identification numbers. Therefore, failing to inform users about how their data will be used and transferring it to other companies by definition violates multiple elements of the GDPR.
How They Responded
CaixaBank will be appealing the decision.
11. Fastweb S.p.A — €4.5 Million ($5 Million)
The Garante, Italy’s DPA, has fined the Italian internet service provider Fastweb €4.5 million for violating the GDPR after receiving hundreds of customer complaints.
Why They Were Fined
According to the Garante, Fastweb used customer data to perform promotional telemarketing calls without their consent. Fastweb has been fined for similar violations in the past.
The fine comes with other requirements, too. Fastweb will also need to prove that all future telemarketing calls are performed through registered numbers. Furthermore, the company will no longer be allowed to use customer data lists from other providers without proof that users consented to have their data used for marketing purposes.
How They Responded
Fastweb has cooperated with the investigation and has not argued with the fine.
12. Sky Italia — €3.3 Million ($3.6 Million)
The Garante issued another major telecom fine against the Italian television platform Sky Italia.
Why They Were Fined
Like the case against Fastweb, the €3.3 million fine was issued because Sky Italia improperly processed and used customer data for promotional purposes. As a result, sky Italia customers received unsolicited telemarketing calls that did not stop when they requested the company to no longer contact them.
Also, like Fastweb, Sky Italia is no longer permitted to make any marketing calls through unregistered numbers and may no longer use third-party contact lists without proof of consent.
How They Responded
Sky Italia is not appealing the fine.
13. Caixabank Payments & Consumer — €3 Million ($3.3 Million)
Yes, CaixaBank received two separate GDPR fines in 2021. This case was unrelated to the €6 million fine also issued by Spain’s AEPD.
Why They Were Fined
In this case, the investigation found that the CaixaBank subsidiary Caixabank Payments & Consumer EFC was processing personal data for unlawful reasons and fined the bank €3 million.
According to the AEPD, CaixaBank requested individual information from solvency files despite not having active contracts with those individuals. Furthermore, the bank used this data to support marketing campaigns without the individuals’ consent.
How They Responded
CaixaBank argues that its data usage was permitted and is appealing the AEPD’s fine.
14. Iren Mercato — €2.9 Million ($3.2 Million)
The Garante was busy in 2021. The agency also fined Iren Mercato, an Italian energy company, €2.9 million for failing to follow the GDPR’s data processing requirements.
Why They Were Fined
The Garante determined that Iren Mercato had accepted and processed private data from various other sources without receiving consent from those individuals to use that data for telemarketing purposes.
The GDPR requires all organizations to process the minimum amount of data relevant to perform their services. Furthermore, the regulation mandates that all users have the opportunity to consent before an organization processes their data, which Iren Mercato did not do, thus the fine.
How They Responded
Iren Mercato has not made a public statement on whether they are appealing the decision.
15. Dutch Minister of Finance — €2.75 Million ($3 Million)
Even governments and government employees aren’t immune to the GDPR. For example, the Dutch Minister of Finance was forced to pay a €2.75 million fine after the Dutch national data protection authority determined the tax authority had recorded and processed people’s nationalities illegally.
Why They Were Fined
Under the GDPR, no organization can track personal information like nationality except for a “lawful reason.” Neither can organizations track this data without consent. The Dutch tax authority had used individual nationality information to perform discriminatory and unlawful childcare benefit refunds and perform frivolous fraud investigations against parents.
How They Responded
The Dutch Minister of Finance has not successfully appealed the fine.
16. Foodinho — €2.6 Million ($2.9 Million)
The Italian food delivery company Foodinho was the target of yet another multimillion-euro fine leveled by the Garante.
The agency investigated Foodinho’s rider rating system and privacy notices and found both wanting, leading to a €2.6 million fine.
Why They Were Fined
In particular, Foodinho’s rider rating system was found to possibly encourage discrimination based on a rider’s personal information. Their automated system may have prevented riders from getting work with unconscious biases connected to the rider’s personal data.
Meanwhile, the Garante determined that Foodinho was not clear enough for customers to grant valid consent to how their data was being used.
How They Responded
Foodinho has announced that they are considering appealing the decision. The company has also declared that complying with the GDPR is one of its top priorities.
Biggest GDPR Fines in 2020
In 2020, there were still a large number of high-value fines. However, fines in this year didn’t quite reach the same nine-digit peak they would hit later. 2020 was a year when many companies that aren’t obviously in the data industry found out that they would be held to the GDPR’s standards just like any other business. The top GDPR fines for 2020 included:
1. H&M — €35.3 Million ($39 Million)
While the clothing retailer H&M doesn’t immediately spring to mind as a data collector, the company actually processes significant customer data daily.
Why They Were Fined
German regulators found that H&M was violating the GDPR’s requirements by keeping excessive records on its workforce, including details like employees’ families, religions, and illnesses. This led to the German DPA issuing a €35.3 million fine, which was, at the time, the second-highest GDPR enforcement fine ever.
This action violates the GDPR’s requirement that organizations only retain data for lawful purposes. Since family and religious beliefs don’t affect a worker’s abilities, a business has no reason to track this data. However, H&M disregarded this rule and performed invasive staff surveys on these issues, and retained the data for long periods.
How They Responded
After the fine was issued, H&M accepted full responsibility for the violation and set up a compensation plan for employees in addition to complying with regulators’ requirements.
2. TIM (Telecom Italia) — €27.8 Million ($30.7 Million)
The Garante has spent a lot of time investigating Italian telecoms.
In 2020, the Garante fined TIM (formerly known as Telecom Italia) €27.8 million for using private user data to perform telemarketing calls.
Why They Were Fined
Investigations also determined that TIM improperly required the consent to use sensitive data for customers to enter prize drawings.
Furthermore, Garante asserted that TIM was processing private data improperly and not protecting it appropriately. TIM did not show users useful privacy policies, and they kept the collected data in ways that did not protect it from data breaches.
How They Responded
TIM attempted to appeal the fine, but the appeal has not succeeded. As a result, the company was required to pay the fine and heavily rework its data collection, processing, and storage methods to comply with the GDPR.
3. British Airways — £20 Million ($26.4 Million)
While the UK has since left the EU, in 2020, the country was still held to the GDPR. As a result, the UK Information Commissioner’s Office (ICO) followed the GDPR’s rules to fine British Airways £20 million.
Why They Were Fined
The fine was issued because of British Airway’s handling of a significant data breach that exposed the private information of more than 400,000 customers over the course of three months.
Initially, the ICO intended to level a fine of £183 million for the breach because of the dramatic impact and the revenue earned by British Airways. However, the agency adjusted the final amount due to the financial impact of the COVID-19 pandemic.
The original breach occurred in 2018, and the investigation continued into 2019.
How They Responded
British Airways immediately appealed the decision when the ICO issued its original fine amount. As a result, the ultimate fine wasn’t officially issued until 2020.
Despite the best efforts from British Airways, though, it was still hit with a dramatic fine intended to send a message about how seriously GDPR enforcement agencies will take data breaches of any size.
4. Marriott — £18.4 Million ($24.3 Million)
The GDPR also applies to data breaches that occurred before it went into effect.
That’s what happened when the British ICO issued an £18.4 million fine to Marriott for a significant breach that potentially affected as many as a third of a billion guests.
Why They Were Fined
The company suffered a breach in 2014 that leaked customer names, contact information, and passport details of as many as 339 million guests. Unfortunately, this breach remained unnoticed and unaddressed until 2018, when the GDPR was in effect, giving the hacker continued access for four years.
As such, the ICO initially intended to level a fine of £99 million, which the agency stated was intended to be a deterrent to other companies failing in a similar way.
How They Responded
Marriott appealed the fine because it had acted quickly once the issue was brought to its attention.
In the final decision, the ICO acknowledged this and the fact that Marriott had significantly improved its systems in the meantime and lowered the fine to just £18.4 million.
5. Wind Tre — €16.7 Million ($18.4 Million)
Yet another Italian telecom GDPR fine was issued to Wind Tre.
Why They Were Fined
The Garante investigated Wind based on more than a hundred complaints about how the company performed telemarketing calls, text messages, and even faxes. Customers also complained that Wind didn’t provide them with ways to opt out of data collection or prevent their contact information from being made public.
This behavior led to the Garante issuing a fine of €16.7 million for the company’s many GDPR violations.
How They Responded
While Wind Tre tried to appeal the decision, the appeal didn’t succeed. As a result, the Garante’s fine stood.
Additionally, the company was forced to stop collecting certain data and stop using customer information to perform marketing activities without direct, proven consent.
6. Vodafone Italia — €12.25 Million ($13.5 Million)
Continuing the trend of Italian telecom GDPR enforcement actions, the Garante also hit Vodafone Italia with a €12.25 million fine for misusing customer data.
Why They Were Fined
Like other telecoms on this list, the Garante found that Vodafone Italia had been using customer data for marketing activities without consent. As a result, Vodafone customers filed hundreds of complaints against the company’s constant calls that continued after requests to stop.
How They Responded
Vodafone attempted to appeal the decision but got denied.
Unfortunately, Vodafone would not learn its lesson either, with other branches of the international corporation having faced dozens of fines since 2018.
7. Google Sweden — 75 Million Swedish Kronor ($7.9 Million)
Google appears on this list yet again for violations in Sweden.
The Swedish DPA investigated the local branch of Google after complaints that the company might be violating the GDPR’s “right to be forgotten.”
Why They Were Fined
Under the GDPR, everyone has the right to have their work delisted from search engines or to essentially “be forgotten.”
The Swedish DPA determined that Google was permitting site owners to republish content that had been delisted by other sites and people, undermining the right to delist entirely. This discovery led the agency to issue a fine of SEK 75 million, or about $7.9 million.
How They Responded
While Google appealed the decision, the fine was upheld in Swedish courts. The company was also banned from informing site owners about delisting requests.
8. BBVA — €5 Million ($5.5 Million)
The Spanish AEPD issued two fines to the Banco Bilbao Vizcaya Argentaria (BBVA), one of €2 million and one of €3 million, for two separate GDPR violations.
Why They Were Fined
One fine was because the bank used customer information to perform marketing activities over SMS without acquiring customer consent. The other was because the organization didn’t include all relevant information in its privacy notice.
How They Responded
The BBVA attempted to appeal both fines, arguing that its actions were not actually in violation of the GDPR. However, Spanish courts upheld the AEPD’s decision, and BBVA was forced to pay both fines.
9. Carrefour Group — €3.05 Million ($3.5 Million)
The French CNIL hit two subsidiaries of the retail conglomerate Carrefour Group with fines totaling €3.05 million.
Why They Were Fined
The CNIL began investigating Carrefour Group after receiving customer complaints that the business failed to comply with data erasure requests, sent them unsolicited telemarketing communications, and did not permit people to unsubscribe from marketing emails.
The CNIL found that these complaints were accurate and determined that Carrefour Group violated the GDPR.
According to the CNIL, Carrefour Group violated the GDPR by failing to give users the ability to have their data deleted or opt out of cookie usage.
How They Responded
The company’s attempt to appeal these decisions failed.
10. Capio St. Göran AB — 30 Million Swedish Kroner ($3.2 Million)
The Swedish healthcare provider Capio St. Göran AB received a fine of SEK 30 million, or about €2.9 million, for failing to protect patient data adequately.
Why They Were Fined
The Swedish DPA investigated the hospital and determined that the organization had not performed any risk analysis regarding patient data storage, so they had no idea what dangers they faced.
The DPA also found that Capio St. Göran’s information systems were not properly configured to provide minimum necessary access. As a result, employees with no need to see certain sensitive data could access important private patient information.
Both of these flaws are in direct violation of the principles of the GDPR.
How They Responded
While Capio St. Göran attempted an appeal, it did not succeed. The healthcare provider was required to pay the total fine and rework its entire data processing and storage systems to protect confidential patient information more effectively.
Biggest GDPR Fines in 2019
Things started to ramp up in the second year of the GDPR’s existence. 2019 was the first year that GDPR fines broke the €10 million mark.
It was also the year that companies outside the EU started to realize how critical it would be to follow the GDPR’s guidelines.
The largest GDPR fine for 2019 was actually against Google’s US-based headquarters.
Here’s what the highest GDPR fines of 2019 looked like:
1. Google — €50 Million ($56.8 Million)
Yes, Google has made it onto the list yet again.
Why They Were Fined
In 2019, Google Ireland was fined €50 million for two different failures by the CNIL.
First, the CNIL found that Google did not make its disclosures easily accessible to users and that the information in the disclosures was split between several documents — which included various links that users had to click on to view the disclosures.
Furthermore, the privacy policy’s explanation of the types of data processed and the reason for the processing was too vague.
Secondly, because the disclosures were split over several documents, CNIL found that Google violated users’ consent to ad personalization. The structure of the consent document made it difficult for users to understand what they were actually agreeing to.
How They Responded
Google appealed this case before France’s highest administrative court, the Conseil d’État. Google claimed that because Ireland is its main location in the EU, the Irish Data Protection Commissioner should have overseen Google’s data protection issues.
Google also claimed that the CNIL did not apply the GDPR’s laws correctly.
The Conseil d’État rejected Google’s arguments and upheld the decision, finalizing the largest ever GDPR fine at the time.
2. Eni Gas e Luce — €11.5 Million ($12.7 Million)
Returning to Italy, the Italian gas and oil provider Eni Gas e Luce was fined €11.5 million for improper use of customer data.
Why They Were Fined
The company was storing customer information without an appropriate legal basis and using that information to perform telemarketing calls, leading to individual fines of €8.5 million and €3 million.
How They Responded
While the company attempted an appeal, it did not succeed. As a result, Eni was also required to stop performing telemarketing calls or offering unsolicited contracts using customer data.
3. 1&1 Telecom GmbH — €9.55 Million ($10.55 Million)
Italian telecoms aren’t the only ones to face hefty GDPR fines in 2019. The German telecom giant 1&1 was fined €9.55 million by the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Why They Were Fined
The organization collected significantly more data than was necessary for each customer. Furthermore, the BfDI’s investigation found that this data was accessible to a broader range of 1&1 employees than needed.
How They Responded
Unlike other telecoms on this list, 1&1 did not appeal the fine. Instead, the provider worked closely with BfDI during the investigation to provide clear and accessible information about its processes. As such, the BfDI didn’t feel the need to issue the highest possible fine.
Keeping good records and working closely with regulators can help companies reduce the amount they need to pay if they get investigated for GDPR noncompliance.
4. Bulgarian National Revenue Agency — 5.1 Million Bulgarian Lev ($2.9 Million)
Bulgaria’s National Revenue Agency was fined BGN 5.1 million by the country’s own Commission for Personal Data Protection.
Why They Were Fined
According to the Commission, the National Revenue Agency suffered a data breach that exposed the private data of more than five million Bulgarian citizens. The Commission found that the National Revenue Agency had not adequately protected this information and, therefore, had violated the GDPR.
How They Responded
The Agency did not appeal the decision and paid the fine out of its own budget. This case is likely the first case in which a government had to pay a fine for violating the data protection rights of its citizens.
Biggest GDPR Fines in 2018
In the first year of the GDPR’s existence, fines were relatively rare. That doesn’t mean they weren’t issued, though.
Even while many businesses did their best to comply with the laws, the EU issued multiple fines against organizations that were clearly not following the GDPR’s requirements.
The two biggest GDPR fines of 2018 were:
1. Barreiro Montijo Hospital — €400,000 ($441,000)
While fines did not get excessively high in 2018, they did hit six figures.
The first hospital GDPR fine was also the highest penalty of 2018. The Portuguese data protection authority, Comissão Nacional de Proteção de Dados (CNPD), leveled a €400,000 fine against the Barreiro Montijo Hospital just outside of Lisbon.
Why They Were Fined
The CNPD issued the fine after investigating the hospital’s control over patient data. It found that Barreiro Montijo did not appropriately restrict access to the information stored in its patient management system.
According to the agency, 985 hospital employees had full access to sensitive patient health information, despite just 296 physicians with the appropriate medical clearance working for the hospital. Furthermore, nine social workers and a test profile had similar full, unrestricted access to patient data.
How They Responded
The hospital appealed the ruling, claiming that the CNPD did not have the authority to issue the fine. However, the decision was upheld.
2. Knuddels.de — €20,000 ($22,000)
The other significant GDPR fine of 2018 was issued to Knuddels.de, a German chat service.
Why They Were Fined
The Baden-Württemberg data protection authority (LfDI) issued a €20,000 fine after the service suffered a data breach that allowed cybercriminals access to unencrypted user information.
The service ultimately failed to encrypt critical information such as usernames and passwords. As a result, between 300,000 and 1.8 million sets of login credentials got compromised in the breach.
How They Responded
The LfDI considered issuing a higher fine, but Knuddels.de took swift action to resolve the breach.
As a result, the LfDI was relatively lenient and only required the €20,000 fine. For this reason, Knuddels.de did not appeal the decision.
GDPR Compliance Is Essential
Many data privacy statistics show that consumers increasingly demand transparency, so it is more important than ever to comply with data privacy laws. Any business with a website that targets EU citizens needs to comply with the GDPR or face dramatic fines.
Organizations as diverse as government agencies, hospitals, and massive corporations have all had their violations identified and penalized to the tune of thousands, millions, or tens of millions of euros.
That’s why your organization must comply with the GDPR. You can begin complying today by getting in touch with Termly.
Whether you need a privacy policy, a cookie consent manager, or a complete compliance solution, Termly can help.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author
