
50 Biggest GDPR Fines and Penalties So Far (2023 version)

Osman Husain 12/15/22 10:20 PM


By now, you've already heard about the European Union's General Data Protection Regulation (GDPR). Since the data protection law was introduced on May 25, 2018, it has massively shaped how organizations collect, store, and process data.

It can be tempting to ignore this law. But the stakes for noncompliance are high. In just the last four years, companies have faced up to nine-digit fines for failing to comply with GDPR. Big Tech companies such as Google, Twitter, and Meta (formerly Facebook) have all received whopping fines for noncompliance. And any business that conducts online operations can be hit by these fines, not just the Big Tech companies. 

This post focuses on the biggest GDPR fines handed out so far. Read on. 

 

1. Amazon - €746 million ($781 million)

Year Issued: 2021

The biggest GDPR fine to date was imposed on Amazon Europe by Luxembourg's National Commission for Data Protection (CNPD), after the regulator established that the online retailer was storing advertising cookies without first obtaining users' consent.

 

2. Instagram - €405 million ($427 million)

Year Issued: 2022

In September 2022, the Irish Data Protection Commission (DPC) fined Instagram for violating children's privacy online, including publishing kids' phone numbers and email addresses. 

 

3. Facebook - €265 million ($275 million)

Year Issued: 2022

The Irish DPC fined Facebook owner Meta €265 million after the personal data of Facebook users was found on an online hacking forum.

 

4. WhatsApp - €225 million ($247 million)

Year Issued: 2021

The Irish DPC fined Meta-owned WhatsApp for not properly explaining its data processing practices in its privacy notice. 

 

5. Google LLC - €90 million ($99 million)

Year Issued: 2021

France’s data regulator, CNIL, issued a €90 million fine on Google LLC for using noncompliant cookie consent mechanisms, making it difficult for users to refuse cookies on Google and YouTube.

 

6. Google Ireland - €60 million ($66 million) 

Year Issued: 2021

On the same day Google LLC was fined €90 million, Google Ireland was fined €60 million for the same reasons. However, this fine was imposed concerning the google.fr domain.  

 

7. Facebook - €60 million ($66 million)

Year Issued: 2021

A CNIL fine in 2021 was imposed on Facebook for not obtaining proper cookie consent from users. 

 

8. Google - €50 million ($55 million)

Year Issued: 2019

In the biggest GDPR breach fine in 2019, CNIL fined Google €50 million for not being transparent with its users about how data was being collected and used for targeted advertising. 

 

9. H&M - €35 million ($41 million)

Year Issued: 2020

The Data Protection Authority in Hamburg, Germany, fined H&M €35 million for illegally monitoring its employees.

 

10. TIM - €27.8 million ($31.5 million)

Year Issued: 2020

Italian telecommunications operator TIM was fined by the Italian data protection regulator, Garante, for various violations regarding customer data.

 

11. Enel Energia - €26.5 million ($29.3 million)

Year Issued: 2022

On January 19, 2022, Garante fined electric and gas supplier Enel Energia for the unlawful use of user data for telemarketing purposes.

 

12. British Airways - €22 million ($26 million)

Year Issued: 2020

The ICO fined British Airways for not protecting the personal data of more than 400,000 customers. 

 

13. Marriott International - €20.4 million ($23.8 million)

Year Issued: 2020

The British ICO issued a €20.4 million fine to Marriott International for failing to secure customers' personal data.

 

14. Clearview AI - €20 million ($20.5 million)

Year Issued: 2022

Italy's data protection agency fined this facial recognition firm €20 million for breaches of EU law.

 

15. Facebook Ireland Ltd - €17 million ($18.2 million)

Year Issued: 2022

The Irish DPC fined Meta Platforms Ireland after the company could not readily demonstrate the security measures it had established to protect EU users’ data. 

 

16. Wind Tre - €16.7 million ($18.4 million)

Year Issued: 2020

Garante imposed a €16.7 million fine on telecoms company Wind Tre for several unlawful direct marketing activities.

 

17. Deutsche Wohnen - €14.5 million ($15.3 million)

Year Issued: 2019

The Data Protection Authority of Berlin issued a €14.5 million fine on German real estate company Deutsche Wohnen for not complying with general data processing principles.

 

18. Vodafone Italia - €12.3 million ($14.5 million)

Year Issued: 2020

Garante fined Vodafone Italia for using customer data for its marketing activities without consent. 

 

19. Eni Gas e Luce - €11.5 million ($12.7 million)

Year Issued: 2020

The Italian Supervisory Authority (ISA) issued two separate fines totaling €11.5 million on Eni Gas e Luce, an Italian electricity and gas supplier. 

The first fine (€8.5 million) was issued because Eni was illegally processing personal data for telemarketing purposes, while the second fine (€3 million) was imposed for using unsolicited contracts. 

 

20. Notebooksbilliger.de - €10.4 million ($11.5 million)

Year Issued: 2021

The Lower Saxony data protection authority fined German electronics retailer Notebooksbilliger for illegally video monitoring its employees.

 

21. Google LLC (again) - €10 million ($10.5 million)

Year Issued: 2022

The Spanish Data Protection Agency (AEPD) fined Google LLC for transferring personal data unlawfully and hindering the right to erasure. 

 

22. Austrian Post - €9.5 million ($10.2 million)

Year Issued: 2021

The Austrian Data Protection Authority (DPA) imposed a €9.5 million fine on Austrian Post for not fulfilling data subject rights properly. 

 

23. Vodafone Spain - €8.15 million ($9.72 million)

Year Issued: 2021

The AEPD fined Vodafone Spain, a mobile telephone network operator, for violating the GDPR and Spanish laws on telecommunications and cookies.

 

24. REWE International - €8 million ($8.8 million)

Year Issued: 2022

REWE International, an Austrian food retailer, was fined by the Austrian DPA for mishandling the data of users in its loyalty program.

 

25. Grindr - €6.3 million ($7 million)

Year Issued: 2021

Norway’s DPA fined US-based dating app Grindr for sending personal data to third parties without consent. 

 

Other Notable GDPR Fines and Penalties Include: 

  1. Caixabank - €6 million (2021)

  2. Cosmote Mobile Telecommunications - €6 million (2022)

  3. Banco Bilbao Vizcaya Argentaria, SA (BBVA) - €5 million (2020)

  4. Interserve Group Limited - €5 million (2022)

  5. Fastweb - €4.5 million (2021)

  6. Uber B.V. and Uber Technologies, Inc. - €4.24 million (2022)

  7. Vodafone España - €3.94 million (2022)

  8. Dutch Tax and Customs Administration - €3.7 million (2022)

  9. Sky Italia - €3.3 million (2021)

  10. OTE Group - €3.25 million (2022)

  11. Carrefour Group - €3.05 million (2020)

  12. Caixabank Payments & Consumer - €3 million (2021)

  13. Capio St. Göran AB - €2.9 million (2020)

  14. Iren Mercato - €2.85 million (2021)

  15. Dutch Minister of Finance - €2.75 million (2021)

  16. Foodinho - €2.6 million (2021)

  17. National Revenue Agency (Bulgaria) - €2.6 million (2019)

  18. Amazon Road Transport - €2 million (2022)

  19. Easylife Limited - €1.53 million (2022)

  20. Dedalus Biologie - €1.5 million (2022)

  21. Futura Internationale - €500,000 (2019)

  22. Sergic - €400,000 (2019)

  23. Barreiro Montijo Hospital - €400,000 (2018)

  24. IDdesign A/S - €200,850 (2019)

  25. Knuddels.de - €20,000 (2018)

 

Remain Compliant To Avoid GDPR Fines and Penalties

As more consumers become aware of privacy laws and their rights, maintaining GDPR compliance will continue to be a key area of focus for most organizations. As shown in this guide, 2021 and 2022 witnessed a couple of record-breaking fines, so it’s going to be interesting to see how things evolve in 2023. 

That said, you don’t have to wait until your organization receives an eight-digit fine to take action. With Enzuzo, you can keep your company up to date with changing laws and maintain compliance in just a few simple clicks. 
