
52 Biggest GDPR Fines and Penalties (2018 - 2024)

Osman Husain 7/23/24 3:21 PM


By now, you've already heard about the European Union's General Data Protection Regulation (GDPR). Since the data protection law was introduced on May 25, 2018, it has massively shaped how organizations collect, store, and process data.

Big Tech companies such as Google, Twitter, and Meta (formerly Facebook) have all received whopping fines for noncompliance. And any business that conducts online operations can be hit by these fines, not just the Big Tech companies. 

This post focuses on the biggest GDPR fines handed out so far for businesses only. We have a separate post for GDPR fines for individuals where we detail personal liabilities under the GDPR.

 

What is the Maximum Fine for GDPR Violations?

Article 83(5) of the GDPR outlines the framework for the maximum GDPR fine. It says that the fine can be up to 20 million euros or 4% of the firm's annual global revenue, whichever is higher. In some situations, the fine can be set at 10 million euros or 2% of the revenue — a provision highlighted in Article 83(4) of the GDPR. What's more, each European Union state is also able to establish its own penalty for infringements that are not already covered by Article 83. These penalties are covered in the flexibility clause of the GDPR.

The largest fine issued so far went to Meta in 2023, which was fined $1.3 billion for GDPR violations relating to data transfers.

 

1. Meta - €1.2 billion ($1.3 billion)

Year Issued: 2023

The U.S. technology giant was fined an eye-watering $1.3 billion USD in May '23 after an Irish court ruled that it violated GDPR laws related to data transfers between the E.U. and the U.S.

This transfer was previously given legal cover under the E.U. - U.S. Privacy Shield Framework, which was struck down in 2020 after the presiding court determined that it lacked the necessary protections for EU citizens against government surveillance.

Meta's fine is now officially the biggest GDPR fine to date, replacing Amazon's in 2021.    

 

2. Amazon - €746 million ($781 million)

Year Issued: 2021

The second biggest GDPR fine to date was imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection (CNPD). This was after establishing that the online retailer was not getting consent from its users before storing advertisement cookies. 

 

3. Instagram - €405 million ($427 million)

Year Issued: 2022

In September 2022, the Irish Data Protection Commission (DPC) fined Instagram for violating children's privacy online, including publishing kids' phone numbers and email addresses.

The EU regulator found that Instagram operated a user registration system which could lead to the accounts of child users being set to “public” by default, unless changed to “private.”

This went against the GDPR's privacy-by-design requirements as well as the provisions aimed at strengthening the protection of children's information.

 

4. TikTok - €345 million ($377 million)

Year Issued: 2023

The Irish Data Protection Commission fined the video-sharing app TikTok for failing to shield underage users' content from public view. TikTok had violated the GDPR by setting underage users' accounts to public by default; users aged between 13 and 17 were steered through the sign-up process in a way that resulted in their accounts being set to public, meaning anyone could see an account's content or comment on it.

 

5. Facebook - €265 million ($275 million)

Year Issued: 2022

The Irish DPC fined Facebook €265 million after personal data was found on an online hacking forum.

According to the reports, the data was found on a website for hackers and included names, Facebook IDs, phone numbers, locations, birthdates, and email addresses of people from more than 100 countries.

Investigators concluded that the data had been "scraped" from Facebook using tools designed to help people find their friends through phone numbers using search and contact import features.  

 

6. WhatsApp - €225 million ($247 million)

Year Issued: 2021

The Irish DPC fined Meta-owned WhatsApp for not properly explaining its data processing practices in its privacy notice.

The investigation into WhatsApp started in 2018, and focused on whether the company had done enough to specify how it handles customer data. Regulators eventually decided that the company had not been transparent enough about the mechanisms it uses to store and share data, imposing one of the largest GDPR fines to date.  

 

7. Google LLC - €150 million ($169 million)

Year Issued: 2021

France’s data regulator, CNIL, issued a €150 million fine on Google for using noncompliant cookie consent mechanisms, making it difficult for users to refuse cookies on Google and YouTube.

The government body found that refusing cookies was a cumbersome process compared to accepting them, thereby violating GDPR laws.   

 

8. Facebook - €60 million ($66 million)

Year Issued: 2021

The French data regulator CNIL also imposed a €60 million fine on Facebook for the same noncompliant cookie consent practices as Google. Facebook's parent company, Meta, was deemed to have made it difficult for customers to refuse cookie consent, thereby violating GDPR law.  

 

9. Google - €50 million ($57 million)

Year Issued: 2019

The French data privacy regulator CNIL fined Google €50 million for not being transparent with its users about how data was being collected and used for targeted advertising. 

Google was determined to be ambiguous about how it used consented data — users had no way of knowing what the company was doing with their information and how the data would be used for ad personalization.

 

10. Criteo - €40 million ($44 million)


Year Issued: 2023

French advertising technology company Criteo was hit with a revised fine of €40 million ($44 million) over failings to collect and store adequate consent records.

The case began in 2018, when a formal complaint landed in the office of the Commission Nationale de l'informatique et des libertés (CNIL), France's data privacy watchdog, citing a violation of the GDPR. None of Your Business (NOYB), an Austria-based nonprofit co-founded by lawyer and privacy activist Max Schrems, and Privacy International were the two parties that filed the complaint.

In August 2022, CNIL found Criteo guilty of using tracking and data-processing techniques to profile internet users for granular ad targeting, such as predicting which products an online shopper might want to buy — or “behavioural modelling.”

Criteo was fined €60 million, which the company said was "vastly disproportionate" and vowed to contest the ruling. Roughly a year later, the fine was reduced by a third to €40 million with CNIL saying it found five GDPR infringements involving Criteo’s ad-tracking activities.

 

11. H&M - €35 million ($41 million)

Year Issued: 2020

The German Data Protection Authority fined H&M €35 million for illegally monitoring its employees.

The company kept "excessive" records on the families, religions and illnesses of its workforce at its Nuremberg service centre, including extensive staff surveys, details of holidays, medical symptoms and diagnoses for illnesses.

Some managers also sought further details about family issues or religious beliefs, which were then used to evaluate work performance and make employment decisions.

 

12. TIM - €27.8 million ($31.5 million)

Year Issued: 2020

Italian telecommunications operator TIM was fined by the Italian data protection regulator, Garante, for various violations regarding customer data. Specifically, the operator was found to have made excessive advertising phone calls without having obtained the required consent.

 

13. Enel Energia - €26.5 million ($29.3 million)

Year Issued: 2022

The Italian data protection authority fined electric and gas supplier Enel Energia for the unlawful use of user data for telemarketing purposes. Specifically, the authority found that the company had not respected data subject rights, and continued to use personal data for marketing purposes despite clear instructions not to. 

 

14. British Airways - €22 million ($26 million)

Year Issued: 2020

The ICO fined British Airways for a failure to implement data privacy controls, leading to a cybersecurity breach that affected 400,000 customers.

The breach took place in 2018 and affected both personal and credit card data. Investigators concluded that the company did not have sufficient security measures, such as multi-factor authentication, thereby violating GDPR guidelines. 

 

15. Marriott International - €20.4 million ($23.8 million)

Year Issued: 2020

The British ICO issued a €20.4 million fine to Marriott International for failing to secure customers' personal data.

The data breach in question compromised nearly 339 million guest records, including seven million records of U.K. residents.

The breach accessed personal data, including guests’ names, email addresses, phone numbers, passport numbers, arrival/departure information, VIP status, and loyalty programme membership number.  

 

16. Clearview AI - €20 million ($20.5 million)

Year Issued: 2022

Italy’s data protection agency fined this facial recognition firm €20 million for breaches of EU law. Specifically, it found that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis.  

 

17. Facebook Ireland Ltd - €17 million ($18.2 million)

Year Issued: 2022

The Irish DPC fined Meta Platforms Ireland after the company could not readily demonstrate the security measures it had established to protect EU users’ data. 

The DPC investigated a series of data breaches between 7 June 2018 and 4 December 2018 to see whether the company achieved compliance with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1). 

Meta was eventually found to be in violation of Articles 5(2) and 24(1) GDPR, thereby triggering the fine. 

 

18. Wind Tre - €16.7 million ($18.4 million)

Year Issued: 2020

The Italian data regulator Garante imposed a €16.7 million fine on telecoms company Wind Tre for several unlawful direct marketing activities.

The fine was imposed following complaints of unsolicited marketing communications. Users said they were inundated with texts, emails, faxes, and automated phone calls despite never having given consent for marketing purposes.

In some other cases, users’ personal data had been included in public phone listings despite objections made by those users. 

 

19. Deutsche Wohnen - €14.5 million ($15.3 million)

Year Issued: 2019

The Data Protection Authority of Germany issued a €14.5 million fine on German real estate company Deutsche Wohnen for not complying with general data processing principles.

An inspection of the company’s data archiving systems revealed that it did not allow the company to delete obsolete personal data. The company was also retaining data relating to the tenants’ personal life and creditworthiness considerably longer than necessary to fulfil the purpose for which the data was initially collected.  

 

20. Vodafone Italia - €12.3 million ($14.5 million)

Year Issued: 2020

The Italian data regulator fined Vodafone Italia for using customer data for marketing activities without consent. 

It found that Vodafone unlawfully processed the personal data of millions of users for telemarketing purposes, after receiving a deluge of complaints from users expressing annoyance with unsolicited phone calls. 

 

21. Eni Gas e Luce - €11.5 million ($12.7 million)

Year Issued: 2020

The Italian Supervisory Authority (ISA) issued two separate fines totalling €11.5 million on Eni Gas e Luce, an Italian electricity and gas supplier. 

The first fine (€8.5 million) was issued because Eni was illegally processing personal data for telemarketing purposes, while the second fine (€3 million) was imposed for using unsolicited contracts as well as forged information on those contracts.

 

22. Notebooksbilliger.de - €10.4 million ($11.5 million)

Year Issued: 2021

The Lower Saxony data protection authority fined German electronics retailer Notebooksbilliger for monitoring its employees illegally.

The retailer violated the tenets of the GDPR by conducting video surveillance of its employees; cameras were installed in the employees’ common areas, workplaces, warehouses, and sales points. 

The surveillance was carried out without a proper lawful basis, and the recordings were kept for significantly longer than necessary, in some cases for at least two years.

 

23. Google LLC (again) - €10 million ($10.5 million)

Year Issued: 2022

The Spanish Data Protection Agency (AEPD) fined Google LLC for transferring personal data unlawfully and hindering the right to erasure.

Google acted against GDPR tenets by sharing personally identifiable data with a third-party contractor, including names, email addresses, the type of removal request, and the reported URL. The AEPD also found that Google had not anonymized the users' personal data.

 

24. Austrian Post - €9.5 million ($10.2 million)

Year Issued: 2021

The Austrian Data Protection Authority (DPA) imposed a €9.5 million fine on the Austrian Post for not fulfilling data subject rights properly. The agency determined that customers were not given enough options to request a copy of their data, and that the Austrian Post website did not offer enough contact options for doing so.

 

25. Vodafone Spain - €8.15 million ($9.72 million)

Year Issued: 2021

The Spanish Agency for Data Protection (AEPD) fined Vodafone Spain, a mobile telephone network operator, for violating GDPR and Spanish laws on telecommunications and cookies.

The agency opened an investigation in 2018 after receiving 191 complaints about calls and messages sent on behalf of Vodafone without any prior authorization or consent. The investigation concluded with a large fine against Vodafone.

 

26. REWE International - €8 million ($8.8 million)

Year Issued: 2022

REWE International, an Austrian food retailer, was fined by the Austrian DPA for mishandling the data of users in its loyalty program.

The loyalty program, known as jö Bonus Club, had been collecting users’ data without their consent and using it for marketing purposes. 

 

27. Grindr - €6.5 million ($7 million)

Year Issued: 2021

Norway’s Data Protection Authority fined Grindr, a US-based dating app, for sending personal data to third parties without consent. The DPA said Grindr willingly sold personal data and that the transactions broke GDPR rules.

It was the largest fine issued by the DPA, because the regulator considered the infringements to be 'grave'. The fine was initially higher but reduced after Grindr claimed a tight financial situation.

 

28. CaixaBank - €6 million ($6.4 million)

Year Issued: 2021

The AEPD fined CaixaBank €6 million for violations related to the mishandling of personal data, failure to obtain valid consent, and failure to provide sufficient information about data processing. CaixaBank was given six months to rectify these issues and bring its processes back into compliance, earning the distinction of receiving the highest-ever fine imposed by the Spanish DPA.

 

29. Cosmote Mobile Telecommunications - €6 million ($6.4 million)

Year Issued: 2022

An investigation by Greece’s Hellenic Data Protection Authority (HDPA) ended with fines for telecommunications companies COSMOTE (€6 million) and OTE (€3.25 million) related to privacy compliance violations. COSMOTE was penalized for unclear information to subscribers, inadequate security, and poor data protection measures, while OTE failed to implement proper security for their infrastructure. As a result, the companies were ordered to cease improper processing and destroy the affected data as part of their ongoing efforts to improve compliance. 

 

30. Banco Bilbao Vizcaya Argentaria (BBVA) - €5 million ($5.3 million)

Year Issued: 2020

In an eyebrow-raising turn of events, the AEPD slapped BBVA with a whopping €5 million fine for GDPR slip-ups. The bank got dinged €2 million for its murky privacy policies and another €3 million for sneaky data processing without proper consent. BBVA's privacy policy was called out for being too vague and not giving enough details about how the bank used customer data.

 

31. Fastweb - €4.5 million ($4.8 million)

Year Issued: 2021

In a hefty fine, Italy's Garante levied €4.5 million against the company Fastweb for aggressive telemarketing practices, including making unsolicited calls without proper consent. The substantial investigation also revealed problems related to non-compliant data processing methods. As a result, Fastweb must revise its data handling procedures alongside paying restitution.

 

32. Interserve Group Limited - €4.4 million ($4.7 million)

Year Issued: 2022

In 2022, the UK Information Commissioner's Office fined Berkshire construction company Interserve £4.4 million for failing to secure employee data. The ICO criticized Interserve for outdated systems and inadequate staff training that allowed a malware attack to compromise 283 systems and expose the sensitive data of 113,000 employees. This breach underscored the role of complacency in cybersecurity and the need to monitor regularly for suspicious activity. 
 

33. Uber B.V. and Uber Technologies, Inc. - €4.24 million ($4.5 million)

Year Issued: 2022

In another move by the Italian Data Protection Authority, Uber B.V. and Uber Technologies Inc. were fined a total of €4.24 million for having an unclear privacy policy. The fine stemmed from a 2016 data breach affecting 57 million users, including 295,000 in Italy. The DPA found Uber's privacy policy vague, incomplete, and confusing, failing to specify data processing purposes and the roles of data controllers. Despite Uber's defense citing prior DPA communications, the fine was upheld.

34. Vodafone España - €3.94 million ($4.2 million)

Year Issued: 2022

Spain's AEPD fined Vodafone €3.94 million for data confidentiality and integrity issues and Google €10 million for transferring data to third parties without legal basis and obstructing data erasure requests. Google must also improve its data processing practices with respect to what information is sent to its partners. 
 

35. Dutch Tax and Customs Administration - €3.7 million ($3.9 million)

Year Issued: 2022

The Dutch Tax Administration faced a €3.7 million fine from the Dutch Supervisory Authority (SA) for mismanagement of data in their fraud identification facility. The issues included unauthorized data processing, retaining outdated and incorrect data, and poor data protection practices. This resulted in a multitude of errors, including situations where citizens were incorrectly registered as possible tax frauds.

36. Sky Italia - €3.3 million ($3.5 million)

Year Issued: 2021

In 2021, Sky Italia Srl was given a €3.3 million fine from Italy's Garante for unlawful data processing. The company was accused of conducting telemarketing campaigns without proper consent, using outdated contact lists, and failure to inform users about data usage. These actions violated GDPR regulations and highlighted the need for strict compliance with consent management best practices. 
 

37. OTE Group - €3.25 million ($3.4 million)

Year Issued: 2022

Greece’s Hellenic Data Protection Authority fined the OTE Group €3.2 million for insufficient security measures that led to a significant data breach. Investigators found that OTE failed to implement adequate technical and organizational measures to protect personal data, resulting in unauthorized access and exposure of sensitive information that violated Article 32 of GDPR.

38. Carrefour Group - €3.05 million ($3.2 million)

Year Issued: 2020

CNIL fined two companies of the Carrefour Group a total of €3.05 million for GDPR and cookie violations with respect to its obligations as a data controller. Carrefour France was fined €2.25 million and Carrefour Banque €800,000. Specifically, the fines were due to failures in complying with data access and erasure requests, sending direct marketing without consent, and setting non-essential cookies without user approval. Both companies were found to have poor data processing practices, inadequate notices, and excessive data retention periods; poor compliance practices that often earn attention from regulators.

39. CaixaBank Payments & Consumer - €3 million ($3.2 million)

Year Issued: 2021

In 2021, AEPD fined Caixabank €3 million for conducting customer profiling for marketing purposes without obtaining valid consent, citing GDPR Articles 4, 6, and 22. Personal data collected included ID numbers, birth dates, financial details, and socio-demographic information, yet Caixabank failed to provide clear information on data processing and did not offer granular consent options. This rendered the consents collected by the company invalid.
 

40. Iren Mercato - €3 million ($3.2 million)

Year Issued: 2021

In another strike against non-consensual telemarketing, Italy's Garante fined Iren Mercato SpA €3 million in 2021. Iren's practices included making unsolicited marketing calls to individuals who hadn’t given proper consent. In particular, Garante emphasized that consent given to a data controller for promotional activities cannot be extended to subsequent transfers to other data controllers without obtaining new, specific, and informed consent from the individual.

41. Dutch Minister of Finance - €2.75 million ($2.9 million)

Year Issued: 2021

The Dutch government was fined €2.75 million for discriminatory practices in a childcare benefits scandal that came to light in 2018. The tax authority used nationality data unlawfully to target families, often leading to unjust financial ruin for those with foreign backgrounds. Since then, the government has admitted its wrongdoing, deleted the discriminatory database, and promised compensation to the affected families.

42. Capio St. Göran AB - €2.6 million ($2.7 million)

Year Issued: 2020

Sweden's data protection authority (Datainspektionen) fined Capio St. Göran's Hospital SEK 30 million (around €2.6 million) for failing to protect patient data adequately. Investigators found that insufficient organizational security measures contributed to poor access management, leading to possible exposure to unauthorized individuals.

 

43. Foodinho - €2.6 million ($2.7 million)

Year Issued: 2021

Scrutiny of automated decision-making is increasingly coming to the forefront, with companies like Foodinho fined €2.6 million for unlawful use of employee management algorithms. Garante’s investigation revealed that Foodinho used algorithms to manage and evaluate its riders without proper transparency, violating GDPR regulations on automated decision-making and data consent. Moving forward, companies will need to refine their compliance processes as they pertain to this type of automated business logic.

44. National Revenue Agency (Bulgaria) - €2.6 million ($2.7 million)

Year Issued: 2019

The Bulgarian National Revenue Agency (NRA) was fined €2.6 million in 2019 in the wake of a significant data leak affecting over five million citizens. The Chairman of the Commission for Personal Data Protection, Ventsislav Karadzhov, noted that this fine was sufficient to hold the organization accountable for the security breach.
 

45. Amazon Road Transport - €2 million ($2.1 million)

Year Issued: 2022

In another win for Spain’s regulators, the AEPD fined Amazon Road Transport Spain €2 million for requiring delivery driver candidates to provide certificates of good conduct. This involved processing criminal records data without a legal basis. The AEPD found that the consent obtained was not valid since it was mandatory for application, and no Spanish law required such certificates. This practice was deemed a violation of GDPR regulations for data processing regarding criminal convictions.


46. Dedalus Biologie - €1.5 million ($1.6 million)

Year Issued: 2022

CNIL fined Dedalus Biologie €1.5 million for a major health data breach in 2022. The breach exposed the personal and medical information of nearly 500,000 individuals online, including names, social security numbers, and medical histories. Investigators found multiple GDPR violations at the company: processing more data than necessary, inadequate security measures, and non-compliant data processing contracts.

 

47. Easylife Limited - €1.48 million ($1.58 million)

Year Issued: 2022

The UK Information Commissioner’s Office fined catalog retailer Easylife £1.48 million for misusing personal data to sell health products without consent. Easylife used purchase history to infer medical conditions and target customers with related products, as well as making over 1.3 million predatory marketing calls. The ICO highlighted Easylife’s lack of transparency and aggressive tactics as serious breaches of GDPR, not to mention the numerous consumer complaints triggered by the company’s actions.
 

48. Futura Internationale - €500,000 ($534,945)

Year Issued: 2019

CNIL fined Futura Internationale €500,000 for GDPR violations related to their cold-calling marketing campaigns. The company failed to provide adequate information to individuals, disregarded opt-out requests, and recorded excessive comments about clients. Additionally, Futura Internationale did not implement sufficient safeguards for international data transfers to call centers outside the EEA.

49. Sergic - €400,000 ($427,956)

Year Issued: 2019

French regulators at CNIL charged Sergic with several GDPR violations, including failing to secure personal data and improperly retaining data for longer than necessary. These missteps earned the company a €400,000 fine.

 

50. Barreiro Montijo Hospital - €400,000 ($427,956)

Year Issued: 2018

Portugal's data supervisory authority, Comissão Nacional de Protecção de Dados, issued its first GDPR fine against a hospital, Centro Hospitalar Barreiro Montijo, in 2018. Three violations were noted: inadequate access control, excessive access to patient data by non-medical staff, and insufficient data protection measures. The hospital was fined €400,000 for failing to implement the security controls needed to address these shortcomings.

51. IDdesign A/S - €200,850 ($215,458)

Year Issued: 2019

The Danish Data Protection Authority (Datatilsynet) proposed a fine of DKK 1.5 million against IDdesign for failing to delete personal data and poor security implementation. The investigation showed that IDdesign retained personal data of former customers for longer than necessary and did not protect it properly, leading to potential unauthorized access.
 

52. Knuddels.de - €20,000 ($21,397)

Year Issued: 2018

The German chat app Knuddels was fined €20,000 for a breach after a security lapse in 2018 exposed the personal data of 300,000 users, including passwords stored in plain text. However, the breach was reported quickly, and the company was granted some measure of leniency by regulators for its effective data breach response.

 

Remain Compliant To Avoid GDPR Fines and Penalties

As more consumers become aware of privacy laws and their rights, maintaining GDPR compliance will continue to be a key area of focus for most organizations. 

That said, you don’t have to wait until your organization receives an eight-digit fine to take action. With Enzuzo, you can keep your company up to date with changing laws and maintain compliance.

Book a free, no-obligation consultation to learn more about how Enzuzo can help you manage GDPR compliance all the way from consent notices to vendor risk management and more 👇


 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.