Skip to content

51 Biggest GDPR Fines and Penalties So Far (Updated!)

Osman Husain 7/27/23 12:00 PM
biggest gdpr fines

Table of Contents

By now, you've already heard about the European Union's General Data Protection Regulation (GDPR). Since the data protection law was introduced on May 25, 2018, it has massively shaped how organizations collect, store, and process data.

Big Tech companies such as Google, Twitter, and Meta (formerly Facebook) have all received whopping fines for noncompliance. And any business that conducts online operations can be hit by these fines, not just the Big Tech companies. 

This post focuses on the biggest GDPR fines handed out so far for businesses only. We have a separate post for GDPR fines for individuals where we detail personal liabilities under the GDPR.

 

What is the Maximum Fine for GDPR Violations?

Article 83(5) of the GDPR outlines the framework for the maximum GDPR fine. It says that the fine can be up to 20 million euros or 4% of the firm's annual global revenue, whichever is higher. In some situations, the fine can be set at 10 million euros or 2% of the revenue — a provision highlighted in Article 83(4) of the GDPR. What's more, each European Union state is also able to establish its own penalty for infringements that are not already covered by Article 83. These penalties are covered in the flexibility clause of the GDPR.

The maximum fine given so far to a company is Meta in 2023, which was fined $1.3 billion for violating GDPR laws pertaining to data transfers.

 

Biggest GDPR Fines  

Let's now take you through the biggest GDPR fines so far. 

 

1.  Meta - €1.2 billion ($1.3 billion)

Year Issued: 2023

The U.S. technology giant was fined an eye-watering $1.3 billion USD in May '23 after an Irish court ruled that it violated GDPR laws related to data transfers between the E.U. and the U.S.

This transfer was previously given legal cover under the E.U. - U.S. Privacy Shield Framework, which was struck down in 2020 after the presiding court determined that it lacked the necessary protections for EU citizens against government surveillance.

Meta's fine is now officially the biggest GDPR fine to date, replacing Amazon's in 2021.    

 

2. Amazon - €746 million ($781 million)

Year Issued: 2021

The second biggest GDPR fine to date was imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection (CNPD). This was after establishing that the online retailer was not getting consent from its users before storing advertisement cookies. 

 

3. Instagram - €405 million ($427 million)

Year Issued: 2022

In September 2022, the Irish Data Protection Commission (DPC) fined Instagram for violating children's privacy online, including publishing kids' phone numbers and email addresses. 

 

4. Facebook - €265 million ($275 million)

Year Issued: 2022

The Irish DPC fined Facebook owner Meta €265 million after Facebook's personal data was found on an online hacking forum. 

 

5. WhatsApp - €225 million ($247 million)

Year Issued: 2021

The Irish DPC fined Meta-owned WhatsApp for not properly explaining its data processing practices in its privacy notice. 

 

6. Google LLC - €90 million ($99 million)

Year Issued: 2021

France’s data regulator, CNIL, issued a €90 million fine on Google LLC for using noncompliant cookie consent mechanisms, making it difficult for users to refuse cookies on Google and YouTube.

 

7. Google Ireland - €60 million ($66 million) 

Year Issued: 2021

On the same day Google LLC was fined €90 million, Google Ireland was fined €60 million for the same reasons. However, this fine was imposed concerning the google.fr domain.  

 

8. Facebook - €60 million ($66 million)

Year Issued: 2021

A CNIL fine in 2021 was imposed on Facebook for not obtaining proper cookie consent from users. 

 

9. Google - €50 million ($55 million)

Year Issued: 2019

In the biggest GDPR breach fine in 2019, CNIL fined Google €50 million for not being transparent with its users about how data was being collected and used for targeted advertising. 

 

10. H&M - €35 million ($41 million)

Year Issued: 2020

The Data Protection Authority in Hamburg, Germany, fined H&M €35 million for illegal monitoring of its employees

 

11. TIM - €27.8 million ($31.5 million)

Year Issued: 2020

Italian telecommunications operator TIM was fined by the Italian data protection regulator, Garante, for various violations regarding customer data

 

12. Enel Energia - €26.5 million ($29.3 million)

Year Issued: 2022

On January 19, 2022, Garante fined electric and gas supplier Enel Energia for the unlawful use of user data for telemarketing purposes

 

13. British Airways - €22 million ($26 million)

Year Issued: 2020

The ICO fined British Airways for not protecting the personal data of more than 400,000 customers. 

 

14. Marriott International - €20.4 million ($23.8 million)

Year Issued: 2020

The British ICO issued a €20.4 million fine to Marriott International for failing to secure customers' personal data

 

15. Clearview AI - €20 million ($20.5 million)

Year Issued: 2022

Italy’s data protection agency fined this facial recognition firm €20 million for breaches of EU law

 

16. Facebook Ireland Ltd - €17 million ($18.2 million)

Year Issued: 2022

The Irish DPC fined Meta Platforms Ireland after the company could not readily demonstrate the security measures it had established to protect EU users’ data. 

 

17. Wind Tre - €16.7 million ($18.4 million)

Year Issued: 2020

Garante imposed a €16.7 million fine on telecoms company Wind Tre for several unlawful direct marketing activities.

 

18. Deutsche Wohnen - €14.5 million ($15.3 million)

Year Issued: 2019

The Data Protection Authority of Berlin issued a €14.5 million fine on German real estate company Deutsche Wohnen for not complying with general data processing principles

 

19. Vodafone Italia - €12.3 million ($14.5 million)

Year Issued: 2020

Garante fined Vodafone Italia for using customer data for its marketing activities without consent. 

 

20. Eni Gas e Luce - €11.5 million ($12.7 million)

Year Issued: 2020

The Italian Supervisory Authority (ISA) issued two separate fines totaling €11.5 million on Eni Gas e Luce, an Italian electricity and gas supplier. 

The first fine (€8.5 million) was issued because Eni was illegally processing personal data for telemarketing purposes, while the second fine (€3 million) was imposed for using unsolicited contracts. 

 

21. Notebookbilliger.de - €10.4 million (11.5 million)

Year Issued: 2021

The Lower Saxony data protection authority fined German electronics retailer Notebooksbilliger for video monitoring its employees illegally

 

22. Google LLC (again) - € 10 million ($10.5 million)

Year Issued: 2022

The Spanish Data Protection Agency (AEPD) fined Google LLC for transferring personal data unlawfully and hindering the right to erasure. 

 

23. Austrian Post - €9.5 million ($10.2 million)

Year Issued: 2021

The Austrian Data Protection Authority (DPA) imposed a €9.5 million fine on Austrian Post for not fulfilling data subject rights properly. 

 

24. Vodafone Spain - €8.15 million ($9.72 million)

Year Issued: 2021

The AEPD fined Vodafone Spain, a mobile telephone network operator, for violating the GDPR and Spanish laws on telecommunications and cookies

 

25. REWE International - €8 million ($8.8 million)

Year Issued: 2022

REWE International, an Austrian food retailer, was fined by the Austrian DPA for mishandling the data of users in its loyalty program

 

26. Grindr - €6.3 million ($7 million)

Year Issued: 2021

Norway’s DPA fined US-based dating app Grindr for sending personal data to third parties without consent. 

 

Other Notable GDPR Fines and Penalties Include: 

  1. Caixabank - €6 million (2021)

  2. Cosmote Mobile Telecommunications - €6 million (2022)

  3. Banco Bilbao Vizcaya Argentaria, SA (BBVA) - €5 million (2020)

  4. Interserve Group Limited - €5 million (2022)

  5. Fastweb - €4.5 million (2021)

  6. Uber B.V. and Uber Technologies, Inc. - €4.24 million (2022)

  7. Vodafone España - €3.94 million (2022)

  8. Dutch Tax and Customs Administration - €3.7 million (2022)

  9. Sky Italia - €3.3 million (2021)

  10. OTE Group - €3.25 million (2022)

  11. Carrefour Group - €3.05 million (2020)

  12. Caixabank Payments & Consumer - €3 million (2021)

  13. Capio St. Göran AB - €2.9 million (2020)

  14. Iren Mercato - €2.85 million (2021)

  15. Dutch Minister of Finance - €2.75 million (2021)

  16. Foodinho - €2.6 million (2021)

  17. National Revenue Agency (Bulgaria) - €2.6 million (2019)

  18. Amazon Road Transport - €2 million (2022)

  19. Easylife Limited - €1.53 million (2022)

  20. Dedalus Biologie - €1.5 million (2022)

  21. Futura Internationale - €500,000 (2019)

  22. Sergic - €400,000 (2019)

  23. Barreiro Montijo Hospital - €400,000 (2018)

  24. IDdesign A/S - €200,850 (2019)

  25. Knuddels.de - €20,000 (2018)

 

Remain Compliant To Avoid GDPR Fines and Penalties

As more consumers become aware of privacy laws and their rights, maintaining GDPR compliance will continue to be a key area of focus for most organizations. As shown in this guide, 2021 and 2022 witnessed a couple of record-breaking fines, so it’s going to be interesting to see how things evolve in 2023. 

That said, you don’t have to wait until your organization receives an eight-digit fine to take action. With Enzuzo, you can keep your company up to date with changing laws and maintain compliance in just a few simple clicks. 

 

Mprgin_New Requests_800x300_MH_23-Feb-2023 (CTA Banners) Post 2-jpg-2

 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.