There’s a lot of talk about the European Union’s General Data Protection Regulation (GDPR) and what it means for websites. The law has strict requirements for how organizations can collect and use data and what they need to tell visitors.
It can be tempting to just ignore all of those rules — after all, the consequences for GDPR noncompliance can’t be that bad, right?
Wrong.
In just the past four years since the GDPR went into place, companies have routinely faced eight- and nine-digit fines for failing to comply with the GDPR.
Use the table of contents below to skip to the biggest GDPR fines in a specific year, or keep reading to learn about the top 10 highest fines ever issued under the GDPR.
Top 10 GDPR Fines Ever Issued
The GDPR structures and issues fines based on a company’s international revenue. That’s why you’ll see some familiar names on the list below.
These ten companies were found to violate the GDPR’s rules and forced to pay fines to the tune of tens or hundreds of millions of euros.
1. Amazon — €746 million ($823.9 million)
Year Issued: 2021
The online retailer’s Luxembourg EU headquarters was found to be tracking user data without acquiring appropriate consent from users or providing the means to opt out from this tracking — resulting in Amazon being hit with the largest GDPR fine to date.
2. WhatsApp — €225 million ($247 million)
Year Issued: 2021
Ireland’s Data Protection Commission fined WhatsApp for unclear privacy policies and a lack of transparency in how it was using user data.
3. Google Ireland — €90 million ($99 million)
Year Issued: 2021
France’s CNIL fined Google Ireland for failing to give users an easy way to refuse cookies under both the GDPR and the ePrivacy Directive.
4. Google — €60 million ($66 million)
Year Issued: 2021
The CNIL also fined the US-based Google LLC for failing to give users appropriately simple ways to refuse cookies on YouTube.
5. Facebook — €60 million ($66 million)
Year Issued: 2021
The third CNIL fine in 2021, Facebook was also penalized for failing to give users easy methods to refuse cookies when using the website.
6. Google — €50 million ($55 million)
Year Issued: 2019
Yet another Google GDPR fine! The CNIL fined Google in 2019 for confusing and poorly structured privacy consent agreements that prevented users from understanding what they actually agreed to.
7. H&M — €35.3 million ($39 million)
Year Issued: 2020
The clothing retail giant was fined for collecting and storing information about its employees’ families, religions, and health histories for unlawful reasons.
8. TIM — €27.8 million ($30.7 million)
Year Issued: 2020
The Italian telecom was fined for using customer data without consent to perform telemarketing calls and improperly storing and processing customer data in ways that risked security breaches.
9. Enel Energia — €26.5 million ($29.3 million)
Year Issued: 2022
The multinational electric and gas supplier was fined for failing to get user consent or inform customers before using their personal data for telemarketing calls.
10. British Airways — £20 million ($26 million)
Year Issued: 2020
The airline was fined for failing to prevent a massive data breach that exposed the personal data of 400,000 customers and failing to spot and respond to the breach in a timely fashion.
How To Avoid GDPR Fines With Termly
These fines demonstrate precisely how important it is for businesses to comply with the GDPR no matter where they’re located.
Termly can help your organization implement GDPR-compliant policies and handle your data consent needs.
With Termly, you can:
- Generate a privacy policy that automatically updates when laws change
- Implement cookie consent management that follows the GDPR, CCPA, and the ePrivacy Directive
- Track user consent to maintain cookie compliance
- Automatically block cookies for any user that chooses not to accept them
Working with Termly can ensure that you’re always complying with current international data protection laws.
Instead of tracking those laws yourself, you can focus on running your business and let Termly handle privacy and GDPR cookie compliance for you.
Biggest GDPR Fines in 2022
The year 2022 is only a few months old, and even so, since January, there have already been multiple massive fines issued to companies violating the GDPR. This is because these organizations have had multiple years to comply with the EU’s data protection law and did not do so. As a result, they’re facing dramatic fines for violating EU citizens’ rights to data privacy.
1. Enel Energia — €26.5 Million ($29.27 Million)
Enel Energia, an international electricity and gas distributor headquartered in Italy, has received the highest GDPR fine of 2022 so far.
Why They Were Fined
Italy’s data protection agency, called the Garante, chose to fine Enel Energia €26.5 million after receiving hundreds of complaints against the company.
The Garante’s investigation found that Enel Energia was using the personal data of its customers unlawfully. The company used this private data to perform telemarketing calls without getting appropriate user consent or informing users how their information would be used.
How They Responded
Enel Energia claims that the calls were performed to contact customers during the pandemic. In a statement emailed to Compliance Week, Enel Energia stated it would “evaluate any subsequent action” regarding the Garante’s requirements that the company brings its data processing activities into compliance with the GDPR. The company also reserves the right to file an appeal.
2. REWE International — €8 Million ($8.8 Million)
The Austrian food retailer REWE International has been fined €8 million by the Austrian Data Protection Authority (DPA).
Why They Were Fined
The company was fined for mismanaging the data of users involved in its loyalty program. The program, called jö Bonus Club, collected the data of its users without their consent and used that data for marketing purposes.
How They Responded
REWE International intends to appeal the decision. The company argues that jö Bonus Club is a subsidiary company that operates independently from REWE International as a whole. Therefore, according to this argument, jö Bonus Club was responsible for using client data, not REWE International.
The parent company further claims that this means jö Bonus Club should be fined instead. This would significantly reduce the fine since GDPR penalties are set according to the fined organizations’ revenue. However, it’s unclear whether this appeal will successfully reduce the fine.
3. Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)
The Greek mobile phone operator Cosmote Mobile Telecommunications was fined €6 million by the Hellenic Data Protection Authority (HDPA).
Why They Were Fined
The fine had two root causes. First, a September 2020 hack into the company’s systems led to a significant data breach, exposing customers’ private information.
Second, the company was found to be illegally processing customer data. As a result, the September hack exposed significantly more data than it should have. In addition, private data was not fully pseudonymized, making it easier for hackers to identify individuals based on the leaked data.
How They Responded
The company has not yet issued a response to the fine.
4. OTE Group — €3.25 Million ($3.59 Million)
In connection with the Cosmote fine above, Cosmote’s parent company OTE Group was also fined by the HDPA.
Why They Were Fined
This additional fine of €3.25 million was issued separately after the Cosmote investigation determined that OTE should have been included in the process from the beginning but had not been.
The HDPA also found that OTE Group was partially responsible for the hack into Cosmote’s data. The hacker used an OTE Group administrator password to enter Cosmote’s systems. As such, the HDPA issued an additional fine against OTE Group for failing to secure their data systems properly.
Biggest GDPR Fines in 2021
2021 is the most recent year for which we have a full 12 months of GDPR fine issuance data.
It’s also the year that saw all of the top five highest GDPR fines ever, likely because the infrastructure behind investigating GDPR violations matured fully in 2021.
As a result, massive companies that operate on a global scale could be accurately audited, and many were found wanting in terms of data protection.
Here are the biggest fines from 2021, including the record-breaking Amazon fine.
1. Amazon — €746 Million ($823.9 Million)
This fine isn’t just the highest GDPR fine of 2021 — it’s also the single highest GDPR fine ever issued.
Luxembourg’s National Commission for Data Protection (NCDP) fined Amazon’s EU base in Luxembourg €746 million.
The penalty is nearly three times larger than the next highest GDPR fine.
Why They Were Fined
The NCDP was prompted to start the investigation after the French NGO La Quadrature du Net (Squaring the Net) filed a complaint on behalf of 10,000 Amazon customers. La Quadrature du Net complained that Amazon was clearly tracking user data in impermissible ways to perform its targeted advertising.
During the investigation, the NCDP found that Amazon was tracking the data of its users without acquiring appropriate consent. However, the organization has not released specific details on the grounds of professional secrecy.
How They Responded
Amazon has made it clear that it intends to fight the decision. The company’s argument is that because there have been no data breaches or private data exposed to third parties, its practices do not violate the GDPR. However, La Quadrature du Net responded that “it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked.”
Whether the appeal will succeed is yet to be seen.
2. WhatsApp — €225 Million ($248.5 Million)
Directly after the Amazon fine, the messaging app company WhatsApp received the second-highest GDPR fine both of 2021 and of all time.
Why They Were Fined
Ireland’s Data Protection Commission (DPC) investigated WhatsApp’s data handling processes and found multiple violations, leading to a fine of €225 million. The DPC determined that WhatsApp had failed to provide appropriate transparency to users about how it used data. The DPC also found that WhatsApp didn’t provide clear enough privacy policies to users.
How They Responded
The size of the fine is up for debate. WhatsApp has appealed the DPC’s decision, arguing that it provides accurate information about its data use to all users. The DPC’s decision has also faced objections from other EU countries, including France, Germany, and Italy, which disputed the details of the DPC’s reasoning.
The fine may not go down even if the appeal leads to changes. On the contrary, the European Data Protection Board specifically told the DPC to reassess the fine and set a higher amount after the agency’s original proposal named an amount between €30 million and €50 million.
WhatsApp’s appeal is ongoing.
3. Google Ireland — €90 Million ($99 Million)
Ireland is also the source of the third-highest GDPR fine of 2021.
Why They Were Fined
The French data protection authority (the CNIL) fined Google’s Ireland branch €90 million as a GDPR enforcement method after determining that the company had failed to meet the GDPR’s requirements for cookies, specifically due to making them difficult to refuse on YouTube. The GDPR requires companies to make it equally easy to accept and refuse cookies.
But why did a French authority fine an Irish company?
The CNIL argued that the fine is, in part, related to the EU’s ePrivacy Directive, not just the GDPR. The ePrivacy Directive allows regulators to take direct actions against any website that operates within their jurisdiction.
So, as a result, Google Ireland’s lack of cookie compliance was something that the CNIL could take on directly instead of referring it to the DPC.
How They Responded
Google’s spokespeople have stated that “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision.”
4. Google — €60 Million ($66 Million)
Yes, Google is responsible for multiple chart-topping fines in the same calendar year.
Why They Were Fined
Google was found partially responsible for the same cookie compliance problem as Google Ireland. The CNIL determined that Google LLC, the American branch of the company, was also liable for YouTube’s lack of simple cookie refusals.
This decision demonstrates that large companies may face more than one fine. For example, if a business has multiple branches in various countries, each of those subsidiaries could be at risk of major GDPR enforcement fines.
5. Facebook — €60 Million ($66 Million)
This is the third massive GDPR fine coming from the CNIL in 2021.
Why They Were Fined
Facebook’s Ireland branch, Facebook Ireland Limited, was fined on the same basis as Google Ireland and Google LLC. The CNIL found that Facebook France, a subsidiary of Facebook Ireland, required users to select several options to refuse all nonessential cookies but only one option to accept all cookies.
According to the CNIL, this violated the GDPR’s and the ePrivacy Directive’s rules on cookie usage and resulted in a fine of €60 million based on Facebook’s revenue.
How They Responded
Facebook has appealed the fine. The company argues that the CNIL is actually trying to enforce its national Guidelines and Recommendations instead of the ePrivacy Directive or the GDPR.
Facebook argues that the CNIL should only be able to fine Facebook France instead of Facebook Ireland, which would significantly reduce the fines the company would have to pay based on revenue.
6. Notebookbilliger.de — €10.4 Million ($11.5 Million)
German online electronics retailer Notebookbilliger.de received a fine of €10.4 million from the German state Lower Saxony’s data protection commissioner.
Why They Were Fined
The commissioner had ordered an investigation into Notebookbilliger.de’s data collection practices. The investigation found that Notebookbilliger.de had installed CCTV cameras in workplaces, sales areas, common areas, and warehouses throughout its business. This footage was retained for 60 days.
While CCTV surveillance is permitted under the GDPR, it has to be performed for a lawful reason and only after other crime prevention methods have not proved successful. Furthermore, video surveillance should be limited, which was not the case in the sales areas.
The commissioner determined that Notebookbilliger.de’s use of video surveillance was disproportionate and fined the company accordingly.
How They Responded
The company’s CEO argued that this fine was unjust, disproportionate, and poorly investigated. Notebookbilliger.de’s appeal of the fine is ongoing.
7. Austrian Post — €9.5 Million ($10.5 Million)
While Austria is not quite as aggressive with GDPR enforcement as France, it is still one of the most assertive countries regarding data protection. For example, the Austrian DPA fined the country’s own national post service €9.5 million for failing to comply with the GDPR.
Why They Were Fined
According to the Austrian DPA, the Austrian Post refused to let people inquire about their stored personal data by email. Although the Post permitted several other methods of inquiry, it specifically refused emails. The DPA determined that this put an undue burden on customers and violated the GDPR.
This fine comes after the Austrian Federal Administrative Court overturned a prior €18 million GDPR fine against the Post for processing customer data to determine the political affiliations of Austrian citizens.
How They Responded
The Post has stated it will appeal this fine just like it appealed the previous one.
8. Vodafone España — €8.15 Million ($9 Million)
The Spanish telecommunications provider Vodafone España faced an €8.15 million fine in 2021 for reported “multiple and repeated GDPR violations.”
Why They Were Fined
According to the Agencia Española de Protección de Datos (AEPD), Vodafone had violated three GDPR articles and multiple other Spanish data protection laws.
Vodafone used customer data to perform illegal telemarketing calls. Furthermore, customers who requested that these calls stop continued to receive telemarketing calls at an aggressive rate. It appears that this is due to Vodafone’s decision to use third-party marketing agencies with no access to do-not-call lists that the company is required to maintain.
How They Responded
Vodafone has argued that its actions are not in violation of the GDPR and that it will appeal the fine. The company has received more than 30 GDPR fines in the four years since the law went into effect.
9. Grindr — €6.3 Million ($7 Million)
US-based dating app Grindr received a €6.3 million fine from Norway’s DPA.
Why They Were Fined
The fine was based on charges that the company has been sending sensitive personal data to third-party advertisers without consent.
While Norway is not a member of the EU, the country has adopted and enforces the GDPR. As such, when Norway’s Consumer Council filed a complaint with the DPA that Grindr shared private data like GPS location, IP addresses, ages, and genders of users, the DPA used GDPR guidelines to investigate the company.
According to the DPA, Grindr requires users to accept the privacy policy in its entirety to use the app. The GDPR specifically bars services from requiring users to accept having non-essential data saved and processed to access the service.
Furthermore, the DPA found that users were not informed about how their data was being used and could not properly consent to the usage.
How They Responded
Grindr has announced that it plans to appeal the decision on the grounds that it has changed its practices and is now in compliance with GDPR requirements.
10. CaixaBank — €6 Million ($6.6 Million)
Another Spanish AEPD fine went to the Spanish bank CaixaBank.
Why They Were Fined
This €6 million fine was issued on the grounds that CaixaBank didn’t meet the GDPR’s requirements for valid consent and that the bank’s consent-acquisition methods were inadequate. The AEPD also found that CaixaBank performed “illicit transfers” of personal data to other companies within its banking group.
Banks have access to significant sensitive user data, from financial details to identification numbers. Therefore, failing to inform users about how their data will be used and transferring it to other companies by definition violates multiple elements of the GDPR.
How They Responded
CaixaBank will be appealing the decision.
11. Fastweb S.p.A — €4.5 Million ($5 Million)
The Garante, Italy’s DPA, has fined the Italian internet service provider Fastweb €4.5 million for violating the GDPR after receiving hundreds of customer complaints.
Why They Were Fined
According to the Garante, Fastweb used customer data to perform promotional telemarketing calls without their consent. Fastweb has been fined for similar violations in the past.
The fine comes with other requirements, too. Fastweb will also need to prove that all future telemarketing calls are performed through registered numbers. Furthermore, the company will no longer be allowed to use customer data lists from other providers without proof that users consented to have their data used for marketing purposes.
How They Responded
Fastweb has cooperated with the investigation and has not argued with the fine.
12. Sky Italia — €3.3 Million ($3.6 Million)
The Garante issued another major telecom fine against the Italian television platform Sky Italia.
Why They Were Fined
Like the case against Fastweb, the €3.3 million fine was issued because Sky Italia improperly processed and used customer data for promotional purposes. As a result, Sky Italia customers received unsolicited telemarketing calls that did not stop when they asked the company to no longer contact them.
Also, like Fastweb, Sky Italia is no longer permitted to make any marketing calls through unregistered numbers and may no longer use third-party contact lists without proof of consent.
How They Responded
Sky Italia is not appealing the fine.
13. Caixabank Payments & Consumer — €3 Million ($3.3 Million)
Yes, CaixaBank received two separate GDPR fines in 2021. This case was unrelated to the €6 million fine also issued by Spain’s AEPD.
Why They Were Fined
In this case, the investigation found that the CaixaBank subsidiary Caixabank Payments & Consumer EFC was processing personal data for unlawful reasons and fined the bank €3 million.
According to the AEPD, CaixaBank requested individual information from solvency files despite not having active contracts with those individuals. Furthermore, the bank used this data to support marketing campaigns without the individuals’ consent.
How They Responded
CaixaBank argues that its data usage was permitted and is appealing the AEPD’s fine.
14. Iren Mercato — €2.9 Million ($3.2 Million)
The Garante was busy in 2021. The agency also fined Iren Mercato, an Italian energy company, €2.9 million for failing to follow the GDPR’s data processing requirements.
Why They Were Fined
The Garante determined that Iren Mercato had accepted and processed private data from various other sources without receiving consent from those individuals to use that data for telemarketing purposes.
The GDPR requires all organizations to process the minimum amount of data relevant to perform their services. Furthermore, the regulation mandates that all users have the opportunity to consent before an organization processes their data, which Iren Mercato did not do, thus the fine.
How They Responded
Iren Mercato has not made a public statement on whether they are appealing the decision.
15. Dutch Minister of Finance — €2.75 Million ($3 Million)
Even governments and government employees aren’t immune to the GDPR. For example, the Dutch Minister of Finance was forced to pay a €2.75 million fine after the Dutch national data protection authority determined the tax authority had recorded and processed people’s nationalities illegally.
Why They Were Fined
Under the GDPR, no organization can track personal information like nationality except for a “lawful reason.” Neither can organizations track this data without consent. The Dutch tax authority had used individual nationality information to perform discriminatory and unlawful childcare benefit refunds and perform frivolous fraud investigations against parents.
How They Responded
The Dutch Minister of Finance has not successfully appealed the fine.
16. Foodinho — €2.6 Million ($2.9 Million)
The Italian food delivery company Foodinho was the target of yet another multimillion-euro fine leveled by the Garante.
The agency investigated Foodinho’s rider rating system and privacy notices and found both wanting, leading to a €2.6 million fine.
Why They Were Fined
In particular, Foodinho’s rider rating system was found to possibly encourage discrimination based on a rider’s personal information. The automated system may have prevented riders from getting work because of unconscious biases connected to the rider’s personal data.
Meanwhile, the Garante determined that Foodinho’s privacy notices were not clear enough for customers to grant valid consent to how their data was being used.
How They Responded
Foodinho has announced that they are considering appealing the decision. The company has also declared that complying with the GDPR is one of its top priorities.
Biggest GDPR Fines in 2020
In 2020, there were still a large number of high-value fines. However, fines in this year didn’t quite reach the same nine-digit peak they would hit later. 2020 was a year when many companies that aren’t obviously in the data industry found out that they would be held to the GDPR’s standards just like any other business. The top GDPR fines for 2020 included:
1. H&M — €35.3 Million ($39 Million)
While the clothing retailer H&M doesn’t immediately spring to mind as a data collector, the company actually processes significant customer data daily.
Why They Were Fined
German regulators found that H&M was violating the GDPR’s requirements by keeping excessive records on its workforce, including details like employees’ families, religions, and illnesses. This led to the German DPA issuing a €35.3 million fine, which was, at the time, the second-highest GDPR enforcement fine ever.
This action violates the GDPR’s requirement that organizations only retain data for lawful purposes. Since family and religious beliefs don’t affect a worker’s abilities, a business has no reason to track this data. However, H&M disregarded this rule and performed invasive staff surveys on these issues, and retained the data for long periods.
How They Responded
After the fine was issued, H&M accepted full responsibility for the violation and set up a compensation plan for employees in addition to complying with regulators’ requirements.
2. TIM (Telecom Italia) — €27.8 Million ($30.7 Million)
The Garante has spent a lot of time investigating Italian telecoms.
In 2020, the Garante fined TIM (formerly known as Telecom Italia) €27.8 million for using private user data to perform telemarketing calls.
Why They Were Fined
Investigations also determined that TIM improperly required customers to consent to the use of sensitive data in order to enter prize drawings.
Furthermore, the Garante asserted that TIM was processing private data improperly and not protecting it appropriately. TIM did not show users useful privacy policies, and it kept the collected data in ways that did not protect it from data breaches.
How They Responded
TIM attempted to appeal the fine, but the appeal has not succeeded. As a result, the company was required to pay the fine and heavily rework its data collection, processing, and storage methods to comply with the GDPR.
3. British Airways — £20 Million ($26.4 Million)
While the UK has since left the EU, in 2020, the country was still held to the GDPR. As a result, the UK Information Commissioner’s Office (ICO) followed the GDPR’s rules to fine British Airways £20 million.
Why They Were Fined
The fine was issued because of British Airways’ handling of a significant data breach that exposed the private information of more than 400,000 customers over the course of three months.
Initially, the ICO intended to level a fine of £183 million for the breach because of the dramatic impact and the revenue earned by British Airways. However, the agency adjusted the final amount due to the financial impact of the COVID-19 pandemic.
The original breach occurred in 2018, and the investigation continued into 2019.
How They Responded
British Airways immediately appealed the decision when the ICO issued its original fine amount. As a result, the ultimate fine wasn’t officially issued until 2020.
Despite the best efforts from British Airways, though, it was still hit with a dramatic fine intended to send a message about how seriously GDPR enforcement agencies will take data breaches of any size.
4. Marriott — £18.4 Million ($24.3 Million)
The GDPR also applies to data breaches that occurred before it went into effect.
That’s what happened when the British ICO issued an £18.4 million fine to Marriott for a significant breach that potentially affected as many as a third of a billion guests.
Why They Were Fined
The company suffered a breach in 2014 that leaked customer names, contact information, and passport details of as many as 339 million guests. Unfortunately, this breach remained unnoticed and unaddressed until 2018, when the GDPR was in effect, giving the hacker continued access for four years.
As such, the ICO initially intended to level a fine of £99 million, which the agency stated was intended to be a deterrent to other companies failing in a similar way.
How They Responded
Marriott appealed the fine because it had acted quickly once the issue was brought to its attention.
In the final decision, the ICO acknowledged this and the fact that Marriott had significantly improved its systems in the meantime and lowered the fine to just £18.4 million.
5. Wind Tre — €16.7 Million ($18.4 Million)
Yet another Italian telecom GDPR fine was issued to Wind Tre.
Why They Were Fined
The Garante investigated Wind based on more than a hundred complaints about how the company performed telemarketing calls, text messages, and even faxes. Customers also complained that Wind didn’t provide them with ways to opt out of data collection or prevent their contact information from being made public.
This behavior led to the Garante issuing a fine of €16.7 million for the company’s many GDPR violations.
How They Responded
While Wind Tre tried to appeal the decision, the appeal didn’t succeed. As a result, the Garante’s fine stood.
Additionally, the company was forced to stop collecting certain data and stop using customer information to perform marketing activities without direct, proven consent.
6. Vodafone Italia — €12.25 Million ($13.5 Million)
Continuing the trend of Italian telecom GDPR enforcement actions, the Garante also hit Vodafone Italia with a €12.25 million fine for misusing customer data.
Why They Were Fined
Like other telecoms on this list, the Garante found that Vodafone Italia had been using customer data for marketing activities without consent. As a result, Vodafone customers filed hundreds of complaints against the company’s constant calls that continued after requests to stop.
How They Responded
Vodafone attempted to appeal the decision but got denied.
Unfortunately, Vodafone would not learn its lesson either, with other branches of the international corporation having faced dozens of fines since 2018.
7. Google Sweden — 75 Million Swedish Kronor ($7.9 Million)
Google appears on this list yet again for violations in Sweden.
The Swedish DPA investigated the local branch of Google after complaints that the company might be violating the GDPR’s “right to be forgotten.”
Why They Were Fined
Under the GDPR, everyone has the right to have their work delisted from search engines or to essentially “be forgotten.”
The Swedish DPA determined that Google was permitting site owners to republish content that had been delisted by other sites and people, undermining the right to delist entirely. This discovery led the agency to issue a fine of SEK 75 million, or about $7.9 million.
How They Responded
While Google appealed the decision, the fine was upheld in Swedish courts. The company was also banned from informing site owners about delisting requests.
8. BBVA — €5 Million ($5.5 Million)
The Spanish AEPD issued two fines to the Banco Bilbao Vizcaya Argentaria (BBVA), one of €2 million and one of €3 million, for two separate GDPR violations.
Why They Were Fined
One fine was because the bank used customer information to perform marketing activities over SMS without acquiring customer consent. The other was because the organization didn’t include all relevant information in its privacy notice.
How They Responded
The BBVA attempted to appeal both fines, arguing that its actions were not actually in violation of the GDPR. However, Spanish courts upheld the AEPD’s decision, and BBVA was forced to pay both fines.
9. Carrefour Group — €3.05 Million ($3.5 Million)
The French CNIL hit two subsidiaries of the retail conglomerate Carrefour Group with fines totaling €3.05 million.
Why They Were Fined
The CNIL began investigating Carrefour Group after receiving customer complaints that the business failed to comply with data erasure requests, sent them unsolicited telemarketing communications, and did not permit people to unsubscribe from marketing emails.
The CNIL found that these complaints were accurate and determined that Carrefour Group violated the GDPR.
According to the CNIL, Carrefour Group violated the GDPR by failing to give users the ability to have their data deleted or opt out of cookie usage.
How They Responded
The company’s attempt to appeal these decisions failed.
10. Capio St. Göran AB — 30 Million Swedish Kronor ($3.2 Million)
The Swedish healthcare provider Capio St. Göran AB received a fine of SEK 30 million, or about €2.9 million, for failing to protect patient data adequately.
Why They Were Fined
The Swedish DPA investigated the hospital and determined that the organization had not performed any risk analysis regarding patient data storage, leaving it unaware of the risks it faced.
The DPA also found that Capio St. Göran’s information systems were not configured to limit each user’s access to the minimum necessary. As a result, employees with no need to see certain sensitive data could access private patient information.
Both of these flaws are in direct violation of the principles of the GDPR.
How They Responded
While Capio St. Göran attempted an appeal, it did not succeed. The healthcare provider was required to pay the full fine and rework its data processing and storage systems to protect confidential patient information more effectively.
Biggest GDPR Fines in 2019
Things started to ramp up in the second year of the GDPR’s existence. 2019 was the first year that GDPR fines broke the €10 million mark.
It was also the year that companies outside the EU started to realize how critical it would be to follow the GDPR’s guidelines.
The largest GDPR fine for 2019 was actually against Google’s US-based headquarters.
Here’s what the highest GDPR fines of 2019 looked like:
1. Google — €50 Million ($56.8 Million)
Yes, Google has made it onto the list yet again.
Why They Were Fined
In 2019, Google Ireland was fined €50 million by the CNIL for two distinct failures.
First, the CNIL found that Google did not make its disclosures easily accessible to users: the information was split between several documents, and users had to click through various links to view it.
Furthermore, the privacy policy’s explanation of the types of data processed and the reason for the processing was too vague.
Secondly, because the disclosures were split over several documents, the CNIL found that Google had not obtained valid consent for ad personalization. The structure of the consent flow made it difficult for users to understand what they were actually agreeing to.
How They Responded
Google appealed this case before France’s highest administrative court, the Conseil d’État. Google claimed that because Ireland is its main location in the EU, the Irish Data Protection Commissioner should have overseen Google’s data protection issues.
Google also claimed that the CNIL did not apply the GDPR’s laws correctly.
The Conseil d’État rejected Google’s arguments and upheld the decision, finalizing the largest ever GDPR fine at the time.
2. Eni Gas e Luce — €11.5 Million ($12.7 Million)
Returning to Italy, the Italian gas and oil provider Eni Gas e Luce was fined €11.5 million for improper use of customer data.
Why They Were Fined
The company was storing customer information without an appropriate legal basis and using that information to make telemarketing calls, leading to two separate fines of €8.5 million and €3 million.
How They Responded
While the company attempted an appeal, it did not succeed. Eni was also required to stop making telemarketing calls and offering unsolicited contracts based on customer data.
3. 1&1 Telecom GmbH — €9.55 Million ($10.55 Million)
Italian telecoms aren’t the only ones to face hefty GDPR fines in 2019. The German telecom giant 1&1 was fined €9.55 million by the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Why They Were Fined
The organization collected significantly more data than was necessary for each customer. Furthermore, the BfDI’s investigation found that this data was accessible to a broader range of 1&1 employees than needed.
How They Responded
Unlike other telecoms on this list, 1&1 did not appeal the fine. Instead, the provider worked closely with the BfDI during the investigation to provide clear and accessible information about its processes. As a result, the BfDI did not feel the need to issue the highest possible fine.
Keeping good records and working closely with regulators can help companies reduce the amount they need to pay if they get investigated for GDPR noncompliance.
4. Bulgarian National Revenue Agency — 5.1 Million Bulgarian Leva ($2.9 Million)
Bulgaria’s National Revenue Agency was fined BGN 5.1 million by the country’s own Commission for Personal Data Protection.
Why They Were Fined
According to the Commission, the National Revenue Agency suffered a data breach that exposed the private data of more than five million Bulgarian citizens. The Commission found that the National Revenue Agency had not adequately protected this information and, therefore, had violated the GDPR.
How They Responded
The Agency did not appeal the decision and paid the fine out of its own budget. This is likely the first case in which a government body had to pay a fine for violating the data protection rights of its own citizens.
Biggest GDPR Fines in 2018
In the first year of the GDPR’s existence, fines were relatively rare. That doesn’t mean they weren’t issued, though.
Even while many businesses did their best to comply with the laws, the EU issued multiple fines against organizations that were clearly not following the GDPR’s requirements.
The two biggest GDPR fines of 2018 were:
1. Barreiro Montijo Hospital — €400,000 ($441,000)
While fines did not get excessively high in 2018, they did hit six figures.
The first hospital GDPR fine was also the highest penalty of 2018. The Portuguese data protection authority, Comissão Nacional de Proteção de Dados (CNPD), leveled a €400,000 fine against the Barreiro Montijo Hospital just outside of Lisbon.
Why They Were Fined
The CNPD issued the fine after investigating the hospital’s control over patient data. It found that Barreiro Montijo did not appropriately restrict access to the information stored in its patient management system.
According to the agency, 985 hospital employees had full access to sensitive patient health information, even though the hospital employed just 296 physicians with the appropriate medical clearance. Furthermore, nine social workers and a test profile had the same full, unrestricted access to patient data.
How They Responded
The hospital appealed the ruling, claiming that the CNPD did not have the authority to issue the fine. However, the decision was upheld.
2. Knuddels.de — €20,000 ($22,000)
The other significant GDPR fine of 2018 was issued to Knuddels.de, a German chat service.
Why They Were Fined
The Baden-Württemberg data protection authority (LfDI) issued a €20,000 fine after the service suffered a data breach that allowed cybercriminals access to unencrypted user information.
The service had failed to encrypt critical information such as usernames and passwords. As a result, between 300,000 and 1.8 million sets of login credentials were compromised in the breach.
How They Responded
The LfDI considered issuing a higher fine, but Knuddels.de took swift action to resolve the breach.
As a result, the LfDI was relatively lenient and imposed only the €20,000 fine. For this reason, Knuddels.de did not appeal the decision.
GDPR Compliance Is Essential
Very few organizations are exempt from the GDPR nowadays. Any business with a website that targets EU citizens needs to comply with the GDPR or face dramatic fines.
Organizations as diverse as government agencies, hospitals, and massive corporations have all had their violations identified and penalized to the tune of thousands, millions, or tens of millions of euros.
That’s why your organization must comply with the GDPR. You can begin complying today by getting in touch with Termly.
Whether you need a privacy policy, a cookie consent manager, or a complete compliance solution, Termly can help.