Since rolling out in May 2018, there have been 340 GDPR fines issued by European data protection authorities. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine, Privacy Affairs finds.
Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose their own penalties to organizations that break the law.
Nations with the highest fines
- France: €51,100,000
- Italy: €39,452,000
- Germany: €26,492,925
- Austria: €18,070,100
- Sweden: €7,085,430
- Spain: €3,306,771
- Bulgaria: €3,238,850
- Netherlands: €3,490,000
- Poland: €1,162,648
- Norway: €985,400
Nations with the most fines
- Spain: 99
- Hungary: 32
- Romania: 29
- Germany: 28
- Bulgaria: 21
- Czech Republic: 13
- Belgium: 12
- Italy: 11
- Norway: 9
- Cyprus: 8
The second-highest number of fines comes from Hungary. The National Authority for Data Protection and Freedom of Information has issued 32 fines to date. The largest being €288,000 issued to an ISP for improper and non-secure storage of customers’ personal data.
UK organizations have been issued just seven fines, totalling over €640,000, by the Information Commissioner. The average penalty within the UK is €160,000. This does not include the potentially massive fines for Marriott International and British Airways that are still under review.
British Airways could face a fine of €204,600,000 for a data breach in 2019 that resulted in the loss of personal data of 500,000 customers.
Similarly, Marriott International suffered a breach that exposed 339 million people’s data. The hotel group faces a fine of €110,390,200.
The largest and highest GDPR fines
The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 million was issued on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”
Highest fines issued to private individuals:
- €20,000 issued to an individual in Spain for unlawful video surveillance of employees.
- €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players while they were taking showers.
- €9,000 issued to another individual in Spain for unlawful video surveillance of employees.
- €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipients’ email addresses. Over 130 email addresses were visible.
- €2,200 issued to a person in Austria for having unlawfully filmed public areas using a private CCTV system. The system filmed parking lots, sidewalks, a garden area of a nearby property, and it also filmed the neighbors going in and out of their homes.