What Have Been The Biggest GDPR Fines So Far?

Future CFO

According to a recent market survey, the number of GDPR violations increased by 19% as of January 2021. This means that there have been more than 330 GDPR violations every 24 hours for the past year.

Governments have increased their vigilance on GDPR data breaches. Unfortunately, the imposed fines are not commensurate with the rise in data breaches. Large technology corporations such as Google and Facebook have gotten lenient penalties for massive data breaches. For instance, Twitter received a €450,000 fine for a data breach that most people considered too grave. As a result, GDPR’s relevance and effectiveness have been brought into question.

Despite these hiccups, many organizations and privacy activists believe that 2021 will be the year of effective GDPR implementation.

Cumulative GDPR Fines

Violators of GDPR rules have parted with about €275 million as of January 2021. It has not been lost on observers that Google paid both the most severe fine and the most lenient fine.

Similarly, some fines have been shrouded in secrecy, especially those in Croatia, Germany, and Slovakia.

Within the European Union, Italy, Germany, and France have issued the highest fines for a single crime. Austria has also not been left behind, and the country is issuing record GDPR fines. So far, multi-million fines have been issued in Europe. Germany recently fined Deutsche Wohnen SE more than €24 million. All in all, the highest penalty in Europe stands at €50 million, a fine that France imposed on Google.

How Countries Have Issued GDPR Fines

Italy was once reluctant to implement GDPR, but the country issued large GDPR fines in 2020. In that year alone, more than €70 million was paid as GDPR fines in Italy. This overshadows what the UK, France, and Germany have done in the past 12 months.

A close examination of European data protection records reveals that the Spanish Data Protection Authority has issued the most GDPR fines. Since GDPR came into force, the authority has fined more than 175 entities. These fines amount to more than €15 million. Nevertheless, no entity has paid more than €5 million as fines in Spain.

GDPR Fines Levels

Legal experts have noted that GDPR has two levels of fines. At the first level, companies can pay fines of up to €10 million or 2% of their global annual revenue. The second level is double that amount and percentage.

Here are the top GDPR fines since GDPR came into force.

1. €50 Million Paid By Google

French authorities placed a €50 million fine on Google at the beginning of 2019. So far, no other fine has exceeded this amount. In their report, the French information authority accused Google of violating data collection rules.

They claimed that Google had collected and used personal data contrary to GDPR. In particular, Google violated Articles 13, 14, 18, and 5 of GDPR. Secrecy and lack of full disclosure were cited as the main violations.

2. H&M Paid €35,258,708

Authorities in Hamburg issued a fine of more than €35 million to a retail company from Switzerland. The company had operated outside GDPR rules for a few minutes, but this was enough to issue the fine.

It all started when the company’s internal network accidentally went public. Any person with an internet connection was able to view the company’s protected data. Once the issue went viral, data authorities in the city of Hamburg swung into action.

Later investigations revealed that the company adopted an employee data collection model. Employees’ information was collected in a manner that was not consistent with the GDPR. Ostensibly, the company was using that information to improve its recruitment process. Unfortunately for them, this resulted in a massive fine.

3. TIM Paid a €27,800,000 Fine

TIM is an Italian telecommunication company that paid €27.8 million after it was found guilty of violating the GDPR. The main bone of contention was the company’s habit of contacting customers without their consent. Investigations by Italian authorities revealed that more than one million people were affected by its operations.

4. 22,046,000 Fine Paid by British Airways

British Airways had allegedly operated without regard to Article 31 of GDPR. In the summer of 2019, British authorities began investigating the company’s data handling processes. The fine was initially set at more than 200 million euros, but it was reduced once the company started suffering losses due to COVID-19.

Although that violation took place in July 2018, it took more than two months to be brought to light. It is believed that hackers had infiltrated the British Airways website. The hackers were able to steal the information of more than 400,000 people.

5. Marriott International Paid 20,450,000

Marriott International had been under investigation since July 2019 for GDPR infringement. The fine was initially set at £99 million, but it was reduced after further investigations. It’s widely believed that the data belonging to more than 339 million people was not handled with care.


The number of GDPR fines keeps increasing as new firms flout GDPR. Fortunately, authorities have been setting up enforcement personnel for the last two years. As a result, there will be far more convictions and fines in 2021.