The GDPR Report – Which businesses have been hit with the biggest GDPR fines?

Next story

The GDPR (General Data Protection Regulation) came into effect in 2018, and in that time, a large number of organisations have fallen foul of its rules.

In fact, over 650 fines have been issued relating to GDPR violations, totalling more than €280 million in just over three years.

So which have been the heftiest penalties paid out? What are the most common breaches? And which countries have been the worst offenders? ESET has dived into the data to find out!


The biggest GDPR fines so far



1. Amazon – €746 million

The most significant GDPR fine to date only came about fairly recently, but it blew all previous fines out of the water, with tech giant Amazon being fined €746 million. The fine is over twice as much as every previous GDPR fine combined and is the first truly major fine to be handed out. Amazon is currently appealing the decision (taken against them by Luxembourg), so the decision looks set to be a landmark in the early history of GDPR, whichever way it falls.



2. Google – €50 million

The second-highest GDPR fine was issued to one of the biggest organisations of all: Google. The search engine giant was fined €50 million by French data regulator CNIL. It was deemed that Google failed to sufficiently inform its users about how their data was being collected and how it was being used within targeted advertising. While the fine was appealed in 2020, the appeal was shot down by France’s Conseil d’État, the country’s highest court, who ordered that the fine should be upheld.



3. H&M – €35.3 million

The H&M Hennes & Mauritz Online Shop A.B. & Co. KG (better known as simply H&M) was hit with a fine of just under €35.3 million last year for the illegal surveillance of several hundred of their employees. It was found that the fashion retailer had kept an excessive level of records on employees at its Nuremberg service centre, including data on their families, religion and illnesses. Unlike Google and Amazon though, H&M took their fine on the chin, promising to compensate the employees involved.



The biggest GDPR fines to date


The most common reasons for GDPR fines


The majority of fines thus far fell under the bracket of "insufficient legal basis for data processing", and until the recent Amazon fine, it was also the rule responsible for both the highest average fine and the highest amount of total GDPR fines paid to date.

Essentially, an organisation must be able to prove that there is a lawful basis that makes their processing of your data 'necessary', rather than simply useful, something that over 270 companies have failed to do.


The second most common reason for fines was “insufficient technical and organisational measures to ensure information security”, with 155 violations since GDPR was introduced in 2018. Two of the biggest instances of this fine were levied within the UK, where British Airways and Marriott International were fined €22 million and €20.45 million respectively in October 2020.

This particular GDPR rule looks to safeguard the personal information of consumers: violations occur when it is deemed an organisation has failed to adequately ensure its consumers’ data is secure.


The third most common violation was a much more general one: “non-compliance with general data processing principles”, which covers less severe GDPR infringements.

The figures for the total and average fines for this offence are hugely affected by the major fine handed out to Amazon this year, with an average fine of €5.2 million and total amount fined of €782 million.



The most common reasons for GDPR fines


The countries with the most GDPR fines to date


While the average fine levied against Spanish organisations may be fairly low, at just over €118,000, Spain actually had by far the highest number of fines, at 273, the region claims just over a third of all GDPR violations thus far. That’s a huge number of fines for a single nation, even if the amounts being fined aren’t quite as high as for others on the continent.


Italy holds the dubious honours not just of being the country with the second-highest number of fines, but also as the nation with the second-highest total amount fined: over €84 million since 2018. Their highest-profile case was that of Gruppo TIM, who were fined €27.8 million, followed by WINDTRE (€16.7 million) and Vodafone Italy (€12.25 million).


Romania’s average GDPR fine stands at a very modest €11,659, which is actually one of the lowest in Europe, but the nation has still racked up a large number of fines, placing it third on our list. The most notable was that of Raiffeisen Bank at €150,000 which pales in comparison to the kinds of fines faced by major companies in other countries. Instead, the fines in Romania were often much lower, usually totalling just a couple of thousand Euros.



The countries with the most GDPR fines to date (ranked)



All figures sourced from GDPR Enforcement Tracker, tracked by CMS Law, as of 24th August 2021.