The 10 biggest GDPR fines to date – and yes, we are talking hundreds of millions worth of fines

It’s been three years since the introduction of one of the toughest data protection laws – the European General Data Protection Regulation [GDPR]. Since the regulation took effect in May 2018, hundreds of millions of euros worth of fines have been issued across the European Economic Area and the U.K.

Any organisation, be it a micro-enterprise or a multinational company, that processes data of EU residents may face a significant liability if it does not comply with the regulation. The EU’s data protection authorities can impose fines of up to €20 million or 4 percent of the violator’s global turnover for the preceding financial year, whichever is greater.

Over 800 fines have been imposed so far. For the purpose of this blog, we have created a list of the 10 biggest fines imposed to date. The aim is to show what caused these violations, which will help you avoid making similar violations in the future.

1. Amazon – €746 million

The fine is unprecedented – more than double the amount of every other GDPR fine combined. The tech giant was fined by the Luxembourg data protection authority because it was trying to collect as much personal data as possible, which violates the core GDPR principles. The Luxembourg officials ruled that Amazon was forcing its users to agree to cookies – and not only that – it also made opting out of cookies difficult.

2. WhatsApp – €225 million

The Irish data protection authority fined WhatsApp €225 million after finding that WhatsApp had failed to properly explain its data processing practices in its privacy notice – the messaging service failed to provide information in an easily accessible format using plain language its users could understand. Moreover, WhatsApp relied on legitimate interest for processing personal data, but failed to explain what those interests are.

3. Google – €50 million

This was one of the first fines imposed under the GDPR. The French supervisory authority ruled that Google had failed to seek the consent of its users to collect data for targeted advertising campaigns. Moreover, it failed to make its processing statements easily accessible to its users.

4. H&M – €35 million

H&M violated the principle of data minimisation. H&M managers were monitoring several hundred employees – after the employees took vacation or sick leave, they were required to attend a return-to-work meeting, where the employees’ private lives were discussed. Senior staff gathered details of family issues, religious beliefs and other sensitive data about their employees’ personal lives. These meetings were recorded, accessible to H&M managers, and used to evaluate employees’ performance and make decisions about the future of their employment.

5. TIM – €27.8 million

TIM was fined by the Italian data protection authority after it received hundreds of complaints about unwanted promotional calls. TIM was bombarding millions of individuals with unsolicited communications, some of whom were on non-contact and exclusion lists. The telecommunications provider should have managed its lists of data subjects more carefully and created specific opt-ins for its marketing activities.

6. British Airways – €22 million

The ICO fined British Airways $26 million for a breach that, as the ICO ruled, could have been prevented. British Airways’ systems were compromised because British Airways did not have sufficient cyber security measures in place to protect personal data. As a result, the personal data of 400,000 customers was affected, including log-in details, payment card information, addresses etc. British Airways should have ensured it had strict policies, procedures and security measures in place.

7. Marriott – €20.4 million

The ICO issued this fine to Marriott after the hotel chain’s guest reservation database was compromised. As a result, the personal data of 383 million customers was exposed, including names, addresses, passport numbers and credit card information. The hack originated in Starwood Group’s reservation system. The ICO found that Marriott failed to perform adequate due diligence when acquiring Starwood – it should have done more to ensure appropriate safeguards for personal data.

8. Wind – €17 million

The Italian regulator ruled that Wind did not establish a valid lawful basis before using people’s contact details for direct marketing purposes, and did not offer an easy way for its users to unsubscribe. Moreover, the officials also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.

9. Vodafone Italia – €12.3 million

The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.

10. Notebooksbilliger.de – €10.4 million

The German electronics retailer was fined due to the way it used CCTV cameras to monitor its employees and customers. Using CCTV per se isn’t prohibited under the GDPR; however, it must be proportionate to the specific problem. NBB’s CCTV system ran for two years, and the retailer reportedly kept recordings for up to 60 days. The retailer said it recorded its staff and customers in order to prevent theft. However, the regulator ruled that the CCTV program was not limited to a specific person or period and therefore the monitoring was an intrusion on its employees’ and customers’ privacy.