The Biggest GDPR Fines

Michael Nyhuis
10 min read
The General Data Protection Regulation (GDPR) applies to all organizations that are based within the EU or have customers within its boundaries. This means a huge array of global and local companies must follow the regulation and are at risk of fines if they are non-compliant.

GDPR is European legislation designed to protect digital privacy. It sets clear terms to ensure personal data is stored, gathered, and processed securely and legally. It makes data security a legal obligation for organizations, making companies liable for security incidents or data breaches that could have been avoided.

Fines are the main way that GDPR compliance is enforced, and regulators have already issued eye-watering GDPR penalties. Since GDPR launched in 2018, non-compliant companies have faced millions of euros in fines and GDPR penalties.

Fines for severe breaches can be up to 'Ǩ20 million, or four percent of a company's global turnover in the previous financial year. The upper limit is the higher of the two. Previously, similar privacy regulations in the UK were capped at around ''500,000 in fines.

Because GDPR impacts so many organizations, it's important to understand the risk and scale of GDPR fines. This guide explores GDPR fines, who issues them, and how they are calculated. It also highlights the biggest GDPR fines to date, and why the companies were at fault.

Who issues GDPR fines?

All members of the EU will have a 'Supervisory Authority' in charge of monitoring and enforcing GDPR compliance. This will usually be the independent body or authority which monitors data protection in the country. GDPR gives these Data Protection Authorities the powers to issue GDPR fines when organizations breach the regulation.

Supervisory authorities are required to be independent of the relevant government so that rulings and enforcement are non-political. Usually, countries will have one main Data Protection Authority, like the Information Commissioner's Office (ICO) in the UK.

In some cases, countries might have multiple Data Protection Authorities representing different regions. For example, in Germany, there are 16 different Data Protection Authorities representing each state.

Some examples of Data Protection Authorities include:

  • CNIL, the French Data Protection Authority.
  • The Information Commissioner's Office (ICO) in the UK.
  • Garante, the Italian Data Protection Authority.
  • DSB, the Austrian Data Protection Authority.
  • AP, the Dutch Supervisory Authority for Data Protection.

Often, an incident may affect customers across borders. One of the Data Protection Authorities will be designated as the lead Supervisory Authority during the investigation, with other relevant authorities approving the GDPR penalties. GDPR fines are issued in the form of penalty notices.

The different regulators across the EU work together as a network, to make sure GDPR fines and compliance are consistent across the bloc. The European Data Protection Board consists of representatives from the different regulators. It provides guidelines and procedures which help to unify the application of GDPR fines.

How are GDPR fines decided?

GDPR comes into play when an organization suffers a data breach or cybersecurity incident which puts personal data at risk. The organization must report the breach to their country's Data Protection Authority. The breach must be reported within three days (72 hours) of the organization discovering the incident.

Organizations processing data on behalf of other companies should also notify them of the breach. Likewise, if it's highly sensitive data, the affected customers should be notified to limit the potential impact. Because of the fast pace of data breaches, it's important that organizations have a response plan and risk assessment documents in place.

The Data Protection Authority will investigate the breach to determine whether a penalty fine is justified. When deciding on a GDPR fine, the Data Protection Authority will consider a range of issues including:

  • The gravity, scale, and timeframe of the infringement.
  • The number of people affected and the amount of damage from the incident.
  • Whether the breach was intentional.
  • Any history of previous breaches of GDPR by the organization.
  • If the organization has cooperated with the authority and notified the affected individuals.
  • Whether or not the organization benefited financially from the breach.

How much are GDPR fines?

Maximum GDPR fines can be up to 'Ǩ20 million, or four percent of the organization's global turnover. However, fines are relative to the severity of GDPR infringement, and have to be both 'proportionate and dissuasive'. There are two levels of GDPR fines, connecting varying degrees of non-compliance with specific articles of the regulations.

A single incident might trigger fines from different aspects of GDPR. In that case, the fine will be limited to the worst infringement as its maximum.

High level GDPR fines

For the most severe breaches of GDPR, companies can be fined up to four percent of their turnover. This is generally a result of breaking the baseline rules and principles outlined in GDPR.

Severe GDPR fines can result from:

  • Non-compliance with core principles of GDPR.
  • Violations in gathering consent for data processing.
  • Not recognizing the rights of individuals to know the data held about them.
  • Not complying with direction from the Data Protection Authority.

For example, Article 5 of GDPR outlines six principles which are the integral part of the regulation. These principles ensure data storage and processing is transparent, fair, and lawful, so are integral to GDPR. Failure to comply with these principles can lead to the highest GDPR fines.

Low level GDPR fines

For 'lesser' breaches of GDPR, organizations may 'only' face fines up to 'Ǩ10 million or two percent of turnover. Certain violations are deemed less severe than others. These are the more general obligations required by the regulations.

For example, Article 32 of GDPR focuses on the security of personal data, whenever organizations store or process it. This includes proper cybersecurity procedures and measures being in place to protect against data breaches or cyber incidents. Failure to comply with articles like this may result in fines, albeit at a lower level than the most severe GDPR penalties.

In addition, organizations can be fined for not declaring a data breach to the Data Protection Authority. Breaches need to be declared within 72 hours of an organization discovering the incident. If they fail to notify the authority, the organization can be fined up to 'Ǩ10 million or two percent of global turnover.

The top three biggest GDPR fines to date

Since GDPR launched in mid 2018, millions of euros have been collected from organizations who have breached the personal data regulations. Well over 'Ǩ200 million in GDPR fines have been issued since its inception.

Technology has become an integral part of life for both customers and business. As a result, modern organizations or all sizes manage and process huge amounts of personal data. Financial GDPR penalties are relative to the scale of the infringement and the organization. For instance, there have been fines of a few hundred pounds for smaller companies and individuals.

But for the most severe breaches of GDPR, companies have been fined tens of millions of pounds. A major portion of the total GDPR fines have come from a handful of series data breaches.

Here's the top three largest GDPR fines since launch:

1. Google fined 'Ǩ50 million by CNIL

In 2019 Google was fined 'Ǩ50 million by the French Data Protection Authority CNIL for breaching GDPR. At the time of writing, this is currently the largest GDPR fine on record. Although there had been previous GDPR fines issued to companies from other authorities, this was the first fine issued by CNIL.

The complaint focused on the process of setting up a mobile phone with the Android operating system. The fine was for lack of transparency and for not ensuring valid consent for collecting data for personalization of ads. This means there wasn't a legal basis for the data being collected and processed.

2. H&M fined 'Ǩ35 million by the Data Protection Authority of Hamburg

H&M was fined 'Ǩ35 million in October 2020 for breaching GDPR. This is the second largest GDPR fine on record at the time of writing. The fine was for the collection and storage of sensitive employee data with no legal basis. Although based in Hamburg, the breach of GDPR happened in a Nuremberg H&M service center.

The center was found to have recorded sensitive data about the private life of employees. This was used alongside work-based metrics to create employee profiles. The notes were stored in a network drive, which was accessible by a range of managers.

3. TIM fined 'Ǩ27.8 million by Garante

In January 2020, telecommunications operator TIM was fined 'Ǩ27.8 million by Garante, the Italian Data Protection Authority. The GDPR violations included a lack of consent for commercial communications such as cold calling campaigns. Data was found to be used for different purposes beyond the originally recorded consent. Data was found to be retained for long periods of time.

The Italian Data Protection Authority had received numerous complaints between 2017 and 2019. Alongside the fine, TIM faced 20 corrective measures to ensure future GDPR compliance.

The biggest GDPR fines in the UK

As of writing, British Airways holds the record for biggest GDPR fine in the UK. In October 2020, British Airways was issued a fine of ''20 million as a result of a customer data breach in 2018. Around 500,000 customers had personal data leaked in the serious data breach.

This places it as the fourth largest GDPR fine on record. However, this could have been much higher. Originally, the Information Commissioner's Office (ICO) announced plans to fine British Airways ''183 million, which was 1.5% of the company's global turnover.

The fine would have made it the largest GDPR fine on record by far. However, subsequent mitigating factors including the effect of coronavirus on the air industry helped to lower the fine to ''20 million.

In the breach, cyber attackers gathered personal data like payment cards, address details, names and travel itineraries. The incident was not detected by British Airways for more than two months. The Information Commissioner's Office (ICO) investigation found a lack of security measures in processing personal data. Such measures may have prevented the cybersecurity incident in the first place.

How to avoid GDPR fines

The best way to avoid GDPR fines is to avoid breaching GDPR in the first place. Developing a secure system to process and handle customer data limits the risk of data breaches and cyber attacks.

The aim is to introduce IT policies to lower the risk of data misuse. Steps to strengthen data security include:

  • Provide employees and key stakeholders with security training.
  • Perform regular internal audits of systems, settings, and configurations.
  • Grant access to personal data only on a 'need to know' basis.
  • Update default configuration of third-party software and hardware.
  • Embed clear procedures in case of potential data breaches.

If the worst scenario happens and a data breach occurs, organizations can lower the scale of a potential fine by working with any investigating regulators. This means collecting and documenting records around the breach and sharing it in a timely fashion with the Data Protection Authority.

There are many mitigating factors to GDPR fines, but fully complying with the investigation is a key element. Organizations should also have policies in place to deal with data breaches. Clear internal guidelines help organizations react decisively to data breaches, in some cases limiting the impact.

Managing GDPR compliance

GDPR impacts companies that are based in the EU, or that provide services within the bloc. This means a huge range of global companies should pay close attention to GDPR compliance. Tools like Diligent Compliance software making tracking GDPR compliance easy.

Data breaches damage reputation and business, and any resulting GDPR penalties adds another layer of financial burden. By utilizing compliance software, companies can proactively make the changes to prepare for serious incidents. Diligent Compliance software can keep track of documentation and evidence all in one place.

Book a demo with Diligent today to understand how compliance software can change your approach to GDPR.
Related Insights
This is where Author Role goes
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.