The General Data Protection Regulation (GDPR) is one of the most significant developments in data protection law to date. Since it became effective on May 25, 2018, it has given people more control over their personal data. The law has had a massive impact on the way organizations collect, store and handle data. Besides its robust framework and wide applicability, the GDPR is also known for the eye-watering fines it imposes on violating organizations.
It does not differentiate by the size of the organization that has breached the law. Many big companies, such as Meta (formerly Facebook), Twitter and even Google, have come under the GDPR scanner and have been sanctioned with whopping fines for violating its rules. Ever since the GDPR came into effect, many more organizations, including relatively small ones, have failed to escape its radar. In 2021, Amazon was hit with the largest GDPR fine to date, and the year closed with the total sum of fines crossing €1 billion for the first time.
In this post, we will discuss the ramifications of failing to comply with GDPR and the severity of GDPR fines. We will also list down the biggest five GDPR fines imposed so far.
What are the fines and penalties under GDPR?
Under the General Data Protection Regulation (GDPR) [Art. 83], there is a tiered system of fines depending on the nature and severity of the violation.
For tier 1 violations, up to 2% of annual revenue or €10 million, whichever is greater.
For tier 2 violations, up to 4% of annual revenue or €20 million, whichever is greater.
Tier 1 fines apply to violations of the obligations concerning:
- Collecting personal data of children without parental consent.
- Processing additional information about a user beyond what the purpose requires.
- Privacy by design and by default.
- Sharing responsibilities for personal data with joint controllers.
- Engaging third parties (processors) in the processing of personal data.
- Records of personal information collected from the users.
- Notifying the supervisory authority and the users about a data breach.
- Performing a data protection impact assessment.
- Appointment and tasks of a data protection officer.
- Establishing certification mechanisms.
Tier 2 fines apply to violations of the obligations concerning:
- Lawful bases of processing personal data, including conditions of consent.
- GDPR rights of EU individuals.
- Cross-border personal data transfer.
- Obligations under laws adopted by the Member States.
- Compliance with an order issued by a supervisory authority.
Not all GDPR infringements result in financial penalties. Depending on the nature of the violation, the supervisory authorities may also decide on other courses of action against the liable organization, including a ban on processing activities, an order to delete data and restrictions on cross-border data transfers.
These fines are meant to put pressure on businesses to ensure their systems are secure and robust. They also encourage organizations not to take risks with users’ personal data, because a violation could seriously damage their reputation and affect their business.
Individuals’ right to compensation:
According to Art. 82 of GDPR, the affected individuals can claim compensation for the damage suffered from the violation. They can approach the Courts to exercise their right to compensation. The organizations are liable to pay the compensation unless they prove that they are not responsible for the violation.
What are the criteria for imposing GDPR fines?
The GDPR fines are decided on a case-by-case basis and can vary depending upon the circumstances. The GDPR is flexible in that it allows the Member States to decide the level of fine they feel is appropriate for a particular offense.
To decide whether to impose an administrative fine, and its amount, in each individual case, the following criteria are considered:
- the nature of the violation, the severity of the damage and the number of people affected;
- if the violation was negligent or intentional;
- preventive action or damage control by the organization;
- technical and organizational measures implemented to secure people’s data;
- previous cases of violations by the organization;
- the degree of cooperation with the supervisory authority to deal with the situation;
- the type of personal data affected;
- whether the organization notified the supervisory authority, and to what extent;
- whether the supervisory authority has taken any action against the organization for the violation;
- whether the organization adheres to approved codes of conduct or other certified mechanisms; and
- financial benefits gained by the violating organization from the violation.
The maximum fine for the gravest violations may not exceed the upper-tier administrative fine limit. The Member States have the right to lay down rules on penalties for violations that are not listed in the GDPR, and they must take all necessary measures to ensure their implementation.
How to avoid GDPR fines and penalties?
GDPR is a regulatory framework that applies to the processing of the personal data of EU citizens and residents. It is designed to give individuals privacy rights and to place enforceable obligations on organizations, such as privacy by design and protection by default. Under this regulation, organizations that collect and process the personal data of EU citizens must comply with its provisions.
You need to be GDPR compliant if you would like your company not to be fined or suffer other sanctions for violating GDPR requirements.
The key points an organization must follow to avoid GDPR fines and penalties are:
- Understand the personal data you require. This is an important first step in deciding what kind of protection and security you should provide, depending on the sensitivity of the data: how much of it you need, how you will use it, where and for how long you will store it, where and with whom you will share it, and what happens to it once you have used it for its intended purpose.
- Assess the purpose and the lawful basis for collecting the personal data. You cannot collect or process personal data without one of the lawful bases: explicit consent, legal obligation, contractual obligation, in the public interest, vital interests, or legitimate interest.
- Adopt and maintain Privacy by Design and by Default standards.
- Get valid consent from users to collect their personal data, and parental consent in case of minors (under all circumstances). Valid consent must be freely given, informed, specific, unambiguous, revocable and provable.
- Do not collect more data than required, and do not use it for any purpose other than the intended one.
- Allow users to exercise their rights and respond to such requests in due time.
- Delete or remove personal data as soon as you have fulfilled its purpose.
- Ensure third parties you share data with are GDPR compliant.
- Ensure proper data protection protocols in cross-border data transfers. The recipient country must have a data protection regime that is equivalent to GDPR.
- Ensure adequate data protection and security measures to protect against data breaches and other threats. In case of a data breach, you must notify the affected parties within 72 hours of becoming aware of it. The breach notification must include the type of personal data affected, the risks involved, the likely consequences, the remedial measures you have taken and the measures that affected individuals can take to avoid further damage or risk.
- Document the data processing procedures for further assessment and improvement.
- Train your team or employees about GDPR and its requirements.
- Appoint a data protection officer (DPO) if your organization processes sensitive personal data or a large volume of personal data.
GDPR fines and penalties can be pretty demanding. The best way to avoid facing any kind of penalty is to thoroughly educate yourself about the Regulation and then execute it.
What happens when GDPR is breached?
When an organization violates GDPR, the data protection authority (DPA) of the Member State concerned opens an investigation. Investigations are triggered by user complaints, self-referrals, allegations made in the press, or reports by other EU DPAs. The DPA sets the priority of the case and conducts an online or offline investigation (or both). Hearings follow and the requisite documents are collected.
The DPA assesses the matter against the criteria discussed earlier to decide whether the violation falls in the lower or the upper tier. Some violations do not result in monetary sanctions; in such cases, the DPA sends a warning letter with a deadline for the violating organization to fix the problem. Graver cases may result in monetary penalties. The DPA, together with the committee concerned, decides the fine and whether to make it public, based on the severity of the infringement.
CNIL, the French data protection authority, processes an infringement and imposes its sanctions as shown:
Biggest GDPR Fines to date (2018 – 2021)
A company’s GDPR violation can be brought to light by inspections conducted by the DPAs, by complaints from an employee, a whistleblower or affected customers, by the company’s own self-report, or by the press.
The Enforcement Tracker documents all the reported fines and penalties imposed on violating organizations or companies so far.
Here are the biggest GDPR fines (2018-2021) imposed on companies by the EU DPAs.
#1 Amazon — €746 million
On July 16, 2021, the Luxembourg data protection authority, CNPD, hit Amazon with a massive €746 million GDPR fine, the largest to date. The CNPD conducted its investigation following accusations about Amazon’s targeted advertisements: Amazon had failed to obtain “freely given” consent from its users to store advertising cookies. In 2020, France’s data protection authority, CNIL, had fined Amazon €35 million for the same reason under the ePrivacy Directive framework.
Amazon responded that it would appeal the fine, stating that it had not breached GDPR and that no user data had been shared with third parties.
#2 WhatsApp — €225 million
On September 2, 2021, the Irish DPA announced that it had fined the messaging service €225 million, the second largest GDPR fine, for not meeting the GDPR’s transparency requirements in its privacy policies. The investigation revealed that WhatsApp had failed to properly explain its data processing activities and to provide, in a concise and transparent form in its privacy notice, specific information about its legal basis and purpose for processing personal data.
#3 Google — €50 million
On January 21, 2019, France’s CNIL fined the search giant €50 million (the highest fine at that time) for targeted advertising without valid consent. The regulator also found fault with the lack of transparency in informing users about data processing and concluded that the company had failed to properly specify the lawful basis for it.
Google continues to find trouble with the French DPA. On January 6, 2022, CNIL fined Google €150 million for breaching French law, along with Facebook (€60 million). Both were fined under the ePrivacy Directive after being found to use misleading cookie consent dark patterns. In its press release, the CNIL said that the companies’ websites (facebook.com, google.fr and youtube.com) failed to make rejecting non-essential cookies as easy as accepting them.
#4 H&M — €35 million
On October 1, 2020, the DPA of Hamburg, Germany, fined H&M €35 million for violating the data privacy rights of its employees.
The Swedish clothing company had recorded and stored details about its employees’ private lives gathered in one-on-one conversations with them. The details were accessible to multiple managers and were used to build profiles that informed employment-related decisions.
#5 TIM — €27.8 million
On February 1, 2020, the Italian telecom company was struck with a €27.8 million fine by the Italian DPA for violating GDPR requirements in its marketing activities.
The DPA, the Garante, started investigating following complaints from users about unwanted marketing calls made despite their having withheld consent or opted out. The Garante found that TIM had violated several provisions of the GDPR by mismanaging the call centers hired to make marketing calls, failing to update the list of users who had opted out of marketing communications, and making discounts and participation in sweepstakes conditional on consent to marketing communications.
In addition to the fine, the Garante imposed several corrective measures on TIM, including restrictions on the use of data collected via its apps.
#6 British Airways — €20 million
The UK’s data protection authority, the ICO, found that the personal data of more than 400,000 British Airways customers and staff had been breached in 2018. Traffic to BA’s website had been diverted to a fraudulent site that harvested details such as names, addresses, CVV numbers, banking and booking details, and employee usernames and passwords.
Although BA reported the incident to the ICO, it was fined for the inadequate security measures that allowed the cyber attack. The initial fine of €183 million in 2019 was reduced to €20 million in 2020 in view of the economic impact of COVID-19. The reduction also reflected BA’s active cooperation with the ICO and the measures it took to mitigate the damage caused by the breach.
#7 Marriott International — €18.4 million
In 2014, Starwood Hotels (acquired by Marriott in 2016) suffered a cyber attack that exposed over 330 million guest records, including names, payment details and passport numbers.
The ICO’s investigation revealed that Marriott detected the hack only in 2018 and then failed to notify the breach within 72 hours. It had also failed to take adequate security measures when it acquired Starwood.
The hospitality company was struck with a fine of €18.4 million.
#8 Wind — €17 million
On July 9, 2020, the Italian DPA fined the telecom company Wind Tre SpA €17 million for unsolicited marketing communications made without user consent and for other violations.
The complaints also stated that users were unable to withdraw their consent or object to data processing because the contact details given in Wind’s information notices were incorrect. In addition, users’ personal data was made publicly available despite their objections. The Wind app also forced users to consent to receiving marketing communications, and users had to wait 24 hours to withdraw that consent.
#9 Vodafone Italia — €12.25 million
In November 2020, the Garante issued a fine of over €12.25 million to Vodafone for unlawfully processing data for telemarketing purposes.
The investigation revealed that the marketing calls were made from fake telephone numbers or from numbers not registered with the National Consolidated Registry of Communication Operators. Vodafone had also purchased contact lists from third parties without ensuring that the users had consented to such use.
In addition to the fine, Vodafone was ordered to implement several measures to comply with national and EU data protection law.
#10 Notebooksbilliger.de — €10.4 million
The German electronics retailer was investigated by the State Commissioner for Data Protection in Lower Saxony for the unlawful use of video surveillance to monitor its employees and customers. The surveillance had gone on for at least two years without any legal basis.
In January 2021, the DPA fined Notebooksbilliger €10.4 million for the intrusion into customer and employee privacy.
Frequently asked questions
What are the maximum fines for a GDPR breach?
The maximum fine for violating GDPR is €20 million or 4% of the organization’s annual global turnover, whichever is greater. This level of fine applies to the upper-tier infringements listed above, which cause serious harm to the affected individuals’ rights and freedoms.
What fines can be imposed under GDPR?
Under the GDPR, there are two levels of fines depending on the nature and severity of the infringements:
- Up to 2% of annual revenue or €10 million, whichever is greater.
- Up to 4% of annual revenue or €20 million, whichever is greater.
Can individuals be fined for GDPR breaches?
An individual processing data purely for personal or household purposes will not be fined. However, if the individual is acting as a business entity, or violates laws adopted by a Member State, they can be fined.
Where do GDPR fines go?
The EU Member States may implement GDPR in their national laws. GDPR fines therefore most likely go to the respective national government or regulator and are used for public funding.
In the case of the UK GDPR, the country’s data protection watchdog, the ICO, does not keep the fines; they go to the central government.
How do I report GDPR violations?
If you think an organization has violated your data protection rights under GDPR, you can officially lodge a complaint and claim compensation. There are two ways to go about it:
- Lodge a complaint against the violating organization with your national DPA.
- File a legal case against them in court (you can do it in addition to filing the complaint with the DPA).
The DPA must investigate and inform you of its progress or outcome within 3 months.
If your national DPA mishandles the case, fails to inform you about its progress or outcome, or responds to your complaint in a way you are not satisfied with, you can take legal action against the DPA in court.
Is breach of GDPR a criminal offense?
Whether a GDPR violation is treated as a criminal offense depends on Member State law. Some violations may be charged as criminal offenses, such as failing to register as a data controller.
For example, in France the CNIL treats “collecting personal data by fraudulent, unfair or unlawful means” as a criminal offense. One of the criminal offenses in German law is the “unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes”.