
GDPR Fines & Penalties

What are the GDPR Fines For Noncompliance?

Since GDPR rolled out, there has been a growing number of data breach notifications, a number of which are starting to result in significant GDPR fines.


Past GDPR Enforcement Actions 2018 – May 2022

We started to see a lot more momentum in 2019 around GDPR fines issued.

In January 2019, Google was fined 50 million euros by the French data regulator CNIL, for a breach of the EU’s data protection rules.

In March 2019, the Danish Data Protection Agency issued a taxi company a fine of DKK 1.2 million, and the Polish Supervisory Authority issued a fine of 220,000 euros for data scraping.

In April, Romania’s National Supervisory Authority fined Unicredit Bank S.A. $146,000 as a result of the failure to apply appropriate technical and organizational measures.

In May 2019, the Lithuanian State Data Protection Inspectorate imposed an administrative fine on MisterTango UAB in the amount of EUR 61,500.

In June 2019, Spain issued a fine of 250,000 euros to La Liga soccer league for monitoring soccer games for piracy, and France issued the real estate company Sergic a fine of 400,000 euros for allowing access to its websites without user authentication.

July 2019 marked some of the largest GDPR fines to date.  

The U.K.’s Information Commissioner’s Office (ICO) fined British Airways £183.4 million (U.S. $230 million) and Marriott £99.2 million (U.S. $124 million) for data breach-related violations. The penalties were the two largest issued under the EU’s data protection regulation thus far.

Also in July, the Netherlands fined a Dutch hospital 460,000 euros over lax controls over patient records. In addition, the French CNIL imposed a sanction of 180,000 euros on the company ACTIVE INSURANCES for having insufficiently protected the data of the users of its website.

In August 2019, a Polish retailer received a 645,000 euro fine under GDPR for “insufficient organizational and technical safeguards”. Also in August, a Swedish school board was fined for using facial recognition to take class roll call.

Just a few months after GDPR took effect, on July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400,000 euros on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).

Demonstrating that even small businesses are impacted, in October 2018, the Austrian DSB issued a small business a 4,800 euro fine for installing a CCTV camera that also recorded the public space in front of his business.

In November 2018, a German social media platform called Knuddels.de was fined 20,000 euros following a breach that exposed the personal information of 330,000 users, including their passwords and email addresses.

GDPR Fines Gain Momentum in Third Quarter

On October 16, 2019, the joint body of German data protection authorities, known as the Datenschutzkonferenz (DSK), published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.

October also saw the first multi-million dollar fine in Germany, as the Berlin DPA said that Deutsche Wohnen had to pay a 14.5 million euro penalty for not having a proper data retention schedule in place.

On October 25, the Spanish Data Protection Authority levied a fine of 35,000 euros on Vodafone Espana for insufficient legal basis for data processing.

On October 31, the Netherlands levied a 900,000 euro fine against Dutch employee insurance services provider UWV for inadequate security of the online employee portal.

In October 2019, Facebook agreed to pay the fine announced by the ICO in July 2018 related to the Cambridge Analytica data protection violations in 2015. Since the action occurred before the implementation of GDPR, the maximum possible fine the ICO could levy was £500,000. If the offences had occurred after May 2018, the potential fine could have been much higher – up to 4% of Facebook’s annual turnover.

During November, the Romanian National Supervisory Authority for Personal Data Processing levied fines on 4 entities:

  • 2,500 euros against the Royal President for refusing a request for access to personal data pursuant to Article 15 of the GDPR and disclosing personal data without the consent of the data subjects.
  • 80,000 euros against ING Bank N.V. Bucharest for not taking appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers.
  • 11,000 euros against a courier services company for failure to take appropriate technical and organisational measures leading to the loss and unauthorised access to personal data of approximately 1,100 data subjects.
  • 2,000 euros against BNP Paribas Personal Finance S.A. for failure to react to a request for erasure within the period set by the GDPR.

In November, the Spanish Data Protection Authority (AEPD) levied fines on a number of different entities:

  • 1,500 euro fine to Cerrajero Online for collecting personal data with insufficient legal basis
  • 900 euro fine to TOTO TECNICOS24H S.L for collecting personal data with insufficient legal basis
  • 3,000 euro fine to General Confederation of Labour for revealing personal data in a mailing without consent
  • 30,000 euro fine against Telefonica SA for non-compliance with general data processing principles
  • Xfera Moviles SA was fined 60,000 euros for lack of technical and organizational measures (TOMs) to ensure information security
  • Corporación radiotelevisión espanola was fined 60,000 for lack of technical and organizational measures (TOMs) to ensure information security

The Belgian Data Protection Authority (APD) issued a 5,000 euro fine on a municipal alderman and the same to a mayor for sending election mailings without sufficient legal basis.

In November, France’s CNIL fined Futura Internationale the second largest fine, 500,000 euros, for cold calls after several complainants received cold calls despite having declared directly to the caller and by post that these were not wanted, for failing to implement proper data transfer mechanisms, and for failing to cooperate with CNIL.

December saw a number of fines and penalties levied. The Spanish Data Protection Authority gave Ikea Iberica a 10,000 euro fine for installing cookies on an end user’s terminal device without the prior consent of the data subject.

On December 3, the German data protection authority imposed a fine of 105,000 euros on a hospital for several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This revealed structural technical and organisational deficits in the hospital’s patient management.

On December 4, the Romanian data protection authority imposed a sanction of 20,000 euros on an airline because it has not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions the GDPR.

On December 9, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, imposed a fine of €9.5 million on the telecommunications service provider 1&1 Telecom GmbH (1&1) for allegedly failing to adequately protect its customer data.

Delayed Decisions

Ireland’s privacy supervisory authority, the Data Protection Commission (DPC) was due to announce in December whether WhatsApp had broken the General Data Protection Regulation (GDPR) by not giving people enough clear information about how it uses their personal data. The new draft decision will now likely be in January 202 (Fox, 2019).

In summary, looking back at GDPR fines so far, we are seeing momentum building up this year.  With thousands of complaints issued in recent months, next year promises to be very interesting with regards to GDPR fines.



What You Should Know About GDPR Fines


What is the penalty for GDPR violation?

Lower-level violations can add up to $10 million or 2 percent of the offender’s international revenue. A higher breach can cost double. Like organizations, individuals can also receive fines if a party’s data is used for non-personal motives. If penalty notices were given, fines could range from $1 million to $17 million.


What happens if there is a breach of GDPR?

A breach and its nature must be reported within 72 hours to the authorities (e.g., the data protection commissioner) and the individuals whose personal data may have been compromised, depending on the severity of the breach.


How are GDPR fines calculated?

GDPR Article 83 describes how fines are calculated. In summary, ten criteria determine the amount of the fine: whether the offender met data protection certification standards, cooperation, the type of personal data, violation history, negligence or intention, the nature and extent of the damage, the report and notification timeframe, preventative measures, and mitigating circumstances of the offender. Fines increase if penalty notices have been received but ignored.


What is a GDPR violation?

A GDPR violation is any non-compliance with the GDPR. Examples include a violation in the processing of data, negligence, or intentional violations.


Who enforces GDPR fines?

GDPR fines are enforced by each European country’s respective data protection authorities. For example, in France, the CNIL is responsible for fining GDPR violations and in Italy it is the Garante.


Where do GDPR fines go?

Every country has its own system of processing GDPR fine money. Germany, for example, has a system with multiple regulators in each state, whereas Denmark and Estonia submit recommendations to the courts on where they should send the collected fines.


What is considered personal data?

Personal data is any information that relates to or identifies an individual. There are only a few exceptions to personal data: data about deceased persons, public information, and anonymous information.


What data is protected by GDPR?

Examples of personal data protected by the GDPR include name, address, phone number, I.D., social security number, email address, etc.


What is protected under GDPR?

The GDPR protects the rights and data of individuals. A few of these rights include the right to access, delete, correct, object, and share the person’s data.


Are there any financial penalties for a breach of GDPR?

Yes, fines serve as penalties for non-compliance with the GDPR. The GDPR states explicitly that some violations are more severe than others. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.


What is the highest fine that has been given out for GDPR non-compliance?

Since the GDPR was implemented in 2018, more than 160,000 data breach notifications have been noted. The highest fines given out were to Equifax for a minimum of $575M for negligence and intentional infringement, British Airways $200M, and Marriott for $124M. Some of these have ultimately been settled for less. There have been numerous fines in the millions or tens of millions of dollars. One example is the fine of $16M imposed on Wind Tre by the Italian Garante or the $35M fine on H&M by Germany’s data supervisory authority.



  • C. Fox (2019): Google hit with £44m GDPR fine over ads (found at: bbc.com/news/technology-46944696)
  • computerworld.dk/art/246918/datatilsynet-melder-foerste-danske-selskab-til-politiet-for-brud-paa-gdpr-kraever-boede-paa-1-2-millioner-kroner
  • complianceweek.com/gdpr/what-we-can-learn-from-the-biggest-gdpr-fines-so-far/27431.article
  • dig.watch/updates/french-cnil-fines-company-eur-500000-fine-gdpr-breach
  • datenschutzkonferenz-online.de/media/ah/20191016_bu%C3%9Fgeldkonzept.pdf
  • dataprotection.ie/
  • fortune.com/2019/11/19/gdpr-irish-dpc-whatsapp-case-delay/amp/
  • natlawreview.com/article/dutch-supervisory-authority-imposes-gdpr-security-standard-processing-broadly
