51 Biggest GDPR Fines and Penalties So Far (Updated!)

By now, you've already heard about the European Union's General Data Protection Regulation (GDPR). Since the data protection law was introduced on May 25, 2018, it has massively shaped how organizations collect, store, and process data.

Big Tech companies such as Google, Twitter, and Meta (formerly Facebook) have all received whopping fines for noncompliance. And any business that conducts online operations can be hit by these fines, not just the Big Tech companies. 

This post focuses on the biggest GDPR fines handed out so far for businesses only. We have a separate post for GDPR fines for individuals where we detail personal liabilities under the GDPR.

What is the Maximum Fine for GDPR Violations?

Article 83(5) of the GDPR outlines the framework for the maximum GDPR fine. It says that the fine can be up to 20 million euros or 4% of the firm's annual global revenue, whichever is higher. In some situations, the fine can be set at 10 million euros or 2% of the revenue — a provision highlighted in Article 83(4) of the GDPR. What's more, each European Union state is also able to establish its own penalty for infringements that are not already covered by Article 83. These penalties are covered in the flexibility clause of the GDPR.

The maximum fine given so far to a company is Meta in 2023, which was fined $1.3 billion for violating GDPR laws pertaining to data transfers.

Biggest GDPR Fines  

Let's now take you through the biggest GDPR fines so far. 

1.  Meta - €1.2 billion ($1.3 billion)

Year Issued: 2023

The U.S. technology giant was fined an eye-watering $1.3 billion USD in May '23 after an Irish court ruled that it violated GDPR laws related to data transfers between the E.U. and the U.S.

This transfer was previously given legal cover under the E.U. - U.S. Privacy Shield Framework, which was struck down in 2020 after the presiding court determined that it lacked the necessary protections for EU citizens against government surveillance.

Meta's fine is now officially the biggest GDPR fine to date, replacing Amazon's in 2021.    

2. Amazon - €746 million ($781 million)

Year Issued: 2021

The second biggest GDPR fine to date was imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection (CNPD). This was after establishing that the online retailer was not getting consent from its users before storing advertisement cookies. 

3. Instagram - €405 million ($427 million)

Year Issued: 2022

In September 2022, the Irish Data Protection Commission (DPC) fined Instagram for violating children's privacy online, including publishing kids' phone numbers and email addresses. 

4. Facebook - €265 million ($275 million)

Year Issued: 2022

The Irish DPC fined Facebook owner Meta €265 million after Facebook's personal data was found on an online hacking forum. 

5. WhatsApp - €225 million ($247 million)

Year Issued: 2021

The Irish DPC fined Meta-owned WhatsApp for not properly explaining its data processing practices in its privacy notice. 

6. Google LLC - €90 million ($99 million)

Year Issued: 2021

France’s data regulator, CNIL, issued a €90 million fine on Google LLC for using noncompliant cookie consent mechanisms, making it difficult for users to refuse cookies on Google and YouTube.

7. Google Ireland - €60 million ($66 million) 

Year Issued: 2021

On the same day Google LLC was fined €90 million, Google Ireland was fined €60 million for the same reasons. However, this fine was imposed concerning the google.fr domain.  

8. Facebook - €60 million ($66 million)

Year Issued: 2021

A CNIL fine in 2021 was imposed on Facebook for not obtaining proper cookie consent from users. 

9. Google - €50 million ($55 million)

Year Issued: 2019

In the biggest GDPR breach fine in 2019, CNIL fined Google €50 million for not being transparent with its users about how data was being collected and used for targeted advertising. 

10. H&M - €35 million ($41 million)

Year Issued: 2020

The Data Protection Authority in Hamburg, Germany, fined H&M €35 million for illegal monitoring of its employees. 

11. TIM - €27.8 million ($31.5 million)

Year Issued: 2020

Italian telecommunications operator TIM was fined by the Italian data protection regulator, Garante, for various violations regarding customer data. 

12. Enel Energia - €26.5 million ($29.3 million)

Year Issued: 2022

On January 19, 2022, Garante fined electric and gas supplier Enel Energia for the unlawful use of user data for telemarketing purposes. 

13. British Airways - €22 million ($26 million)

Year Issued: 2020

The ICO fined British Airways for not protecting the personal data of more than 400,000 customers. 

14. Marriott International - €20.4 million ($23.8 million)

Year Issued: 2020

The British ICO issued a €20.4 million fine to Marriott International for failing to secure customers' personal data. 

15. Clearview AI - €20 million ($20.5 million)

Year Issued: 2022

Italy’s data protection agency fined this facial recognition firm €20 million for breaches of EU law. 

16. Facebook Ireland Ltd - €17 million ($18.2 million)

Year Issued: 2022

The Irish DPC fined Meta Platforms Ireland after the company could not readily demonstrate the security measures it had established to protect EU users’ data. 

17. Wind Tre - €16.7 million ($18.4 million)

Year Issued: 2020

Garante imposed a €16.7 million fine on telecoms company Wind Tre for several unlawful direct marketing activities.

18. Deutsche Wohnen - €14.5 million ($15.3 million)

Year Issued: 2019

The Data Protection Authority of Berlin issued a €14.5 million fine on German real estate company Deutsche Wohnen for not complying with general data processing principles. 

19. Vodafone Italia - €12.3 million ($14.5 million)

Year Issued: 2020

Garante fined Vodafone Italia for using customer data for its marketing activities without consent. 

20. Eni Gas e Luce - €11.5 million ($12.7 million)

Year Issued: 2020

The Italian Supervisory Authority (ISA) issued two separate fines totaling €11.5 million on Eni Gas e Luce, an Italian electricity and gas supplier. 

The first fine (€8.5 million) was issued because Eni was illegally processing personal data for telemarketing purposes, while the second fine (€3 million) was imposed for using unsolicited contracts. 

21. Notebookbilliger.de - €10.4 million (11.5 million)

Year Issued: 2021

The Lower Saxony data protection authority fined German electronics retailer Notebooksbilliger for video monitoring its employees illegally. 

22. Google LLC (again) - € 10 million ($10.5 million)

Year Issued: 2022

The Spanish Data Protection Agency (AEPD) fined Google LLC for transferring personal data unlawfully and hindering the right to erasure. 

23. Austrian Post - €9.5 million ($10.2 million)

Year Issued: 2021

The Austrian Data Protection Authority (DPA) imposed a €9.5 million fine on Austrian Post for not fulfilling data subject rights properly. 

24. Vodafone Spain - €8.15 million ($9.72 million)

Year Issued: 2021

The AEPD fined Vodafone Spain, a mobile telephone network operator, for violating the GDPR and Spanish laws on telecommunications and cookies. 

25. REWE International - €8 million ($8.8 million)

Year Issued: 2022

REWE International, an Austrian food retailer, was fined by the Austrian DPA for mishandling the data of users in its loyalty program. 

26. Grindr - €6.3 million ($7 million)

Year Issued: 2021

Norway’s DPA fined US-based dating app Grindr for sending personal data to third parties without consent. 

27. Caixabank - €6 million (2021)

28. Cosmote Mobile Telecommunications - €6 million (2022)

29. Banco Bilbao Vizcaya Argentaria, SA (BBVA) - €5 million (2020)

30. Interserve Group Limited - €5 million (2022)

31. Fastweb - €4.5 million (2021)

32. Uber B.V. and Uber Technologies, Inc. - €4.24 million (2022)

33. Vodafone España - €3.94 million (2022)

34. Dutch Tax and Customs Administration - €3.7 million (2022)

35. Sky Italia - €3.3 million (2021)

36. OTE Group - €3.25 million (2022)

37. Carrefour Group - €3.05 million (2020)

38. Caixabank Payments & Consumer - €3 million (2021)

39. Capio St. Göran AB - €2.9 million (2020)

40. Iren Mercato - €2.85 million (2021)

41. Dutch Minister of Finance - €2.75 million (2021)

42. Foodinho - €2.6 million (2021)

43. National Revenue Agency (Bulgaria) - €2.6 million (2019)

44. Amazon Road Transport - €2 million (2022)

45. Easylife Limited - €1.53 million (2022)

46. Dedalus Biologie - €1.5 million (2022)

47. Futura Internationale - €500,000 (2019)

48. Sergic - €400,000 (2019)

49. Barreiro Montijo Hospital - €400,000 (2018)

50. IDdesign A/S - €200,850 (2019)

51. Knuddels.de - €20,000 (2018)

Remain Compliant To Avoid GDPR Fines and Penalties

As more consumers become aware of privacy laws and their rights, maintaining GDPR compliance will continue to be a key area of focus for most organizations. As shown in this guide, 2021 and 2022 witnessed a couple of record-breaking fines, so it’s going to be interesting to see how things evolve in 2023. 

That said, you don’t have to wait until your organization receives an eight-digit fine to take action. With Enzuzo, you can keep your company up to date with changing laws and maintain compliance in just a few simple clicks.