GDPR Fines for Individuals: 10 Times People Were Fined

One of the most common mistakes people make about the European Union’s General Data Protection Regulation (GDPR) is that it only applies to large corporations. In truth, the vast majority of penalties imposed for GDPR violations fall upon both small businesses and individuals. In 2023 alone, 13 individuals have already been publicly penalized for GDPR violations according to the GDPR Enforcement Tracker.

While GDPR enforcement is meant to encourage better practices of handling data, individuals and small businesses aren't exempt. The law expects individuals and small businesses to limit consumer data collection, restrict who they share data with, and protect consumer data from theft.

In this article, we talk about GDPR fines for individuals — specifically what the law says about it. We also detail 10 instances when individuals received GDPR fines. 

Please note that this article is exclusively about GDPR fines for individuals — we have a separate article that details the biggest GDPR fines for businesses. 

Can individuals be fined for GDPR breaches?

Yes, individuals can be fined for GDPR violations. According to GDPR Chapter 1 Article 4, “any natural or legal person, public authority, agency or body” can be charged for GDPR violations. Hence, GDPR regulations make almost no distinctions between individuals and corporations when it comes to non-compliance.

Even if individuals are rarely guilty of the same scale of data mishandling as large companies, a small newsletter or blog can lead to a GDPR breach. However, the EU rarely goes after individuals unless they have committed a serious breach. GDPR investigations and fines can occur if the individual:

• Obstructs government bodies during investigations
• Provides false statements during GDPR violation investigations
• Destroys, falsifies, or conceals relevant documents during the investigation
• Repeatedly ignores suggestions and warnings from GDPR advisors
• Unlawfully obtains consumer data
• Repeatedly refuses to delete or change consumer data upon request
• Doesn’t have proper security to protect consumer data
• Publishes or sells consumer data without consent

What is the maximum fine for individuals under the GDPR?

Many individuals commit GDPR violations out of ignorance or because they lack the proper resources to protect consumer data. As a result, many organizational bodies show mercy and may not even issue a financial penalty for a GDPR violation. The GDPR takes the following factors into consideration according to Chapter 8, Article 83 when they consider whether to impose a fine:

• The impact of the violation had on victims
• The type of data that was mishandled
• The intent of the accused
• The practices and negligence of the accused
• The steps the accused took to prevent or resolve data mishandling
• The time it took the accused to reach out to the GDPR for assistance
• Prior history of data mishandling
• Other factors such as the financial gain that came from mishandling data

There is no minimum fine for GDPR violations, but there is a maximum. According to Article 83, the maximum fine for anyone, including individuals, who are found in violation is “20 million Euros, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” It is also important to note that non-EU based individuals and companies can be penalized for GDPR violations as well.

However, as explained above, fines are administered based on a large number of factors, and if a business works with government authorities, financial penalties imposed for GDPR violations are usually smaller. Even so, the European Commision won’t hesitate to impose significant penalties on individuals who act in a grossly negligent or illicit manner, with some individuals fined as much as 10,000 euros for their GDPR violations. 

Can an individual be jailed for violating GDPR?

This is a slightly more complicated question to answer. As the text of the GDPR is currently written, the European Commission can impose financial penalties only for GDPR violations. However, Chapter 8, Article 84 also states that member states of the EU can impose rules and penalties beyond administrative fines as long as they are “not subject to administrative fines pursuant to Article 83” and are  “effective, proportionate and dissuasive.”  

This means that for serious GDPR violations, especially those that involve illegal activity, EU countries can jail individuals for GDPR violations.

List of individuals fined under GDPR

While the news may not report individual fines very often, they actually represent a large portion of the penalties imposed for GDPR violations. In fact, nearly as many individuals have been fined for GDPR violations as companies for the first two months of 2023 according to the GDPR Enforcement Tracker. 

In many cases, the exact details of the complaint, including both the affected individuals and even the parties who are deemed guilty, are censored from the public record. This protects both the accused and accusing parties. And some countries are more active in their pursuit of individual GDPR violations than others.

With that in mind, here are five different European countries that have fined individuals for GDPR violations:

• Spain
• Italy
• Romania
• Greece
• Austria

10 GDPR Fines for Individuals

Let's now dive into ten specific instances when individuals received fines for GDPR violations.

1. 2021 Cyber Bullies Get Schooled — €10,000

We all know that cyberbullying is terrible. But one perpetrator got a very serious lesson in Spain. In 2021, an individual was caught disseminating a video montage of underaged youth while specifically making fun of their race and immigration status. The video was shared on both Instagram and WhatsApp. 

Along with being in violation of GDPR laws regarding usage rights for a person’s image, the offender also found themselves at the center of a criminal investigation for their racist behavior. For failing to receive approval before using the images of three minors, the violator was required to pay €10,000. 

2. 2021 An Unredacted Viral Video — €6,000

Even if you’re sharing content with the intent of helping others, you need to be careful. One such well-meaning do-gooder found themselves on the wrong side of the GDPR in Spain when they shared a viral video on social media to highlight the epidemic of violence against women. The video showed a mother and her child being attacked by an unknown man. 

Unfortunately, the original poster failed to pixelate the woman or child’s faces — meaning that they were easily identifiable. Meanwhile, no prior consent had been given by the woman to have the video shared. However, while the individual could have been fined up to €10,000, the Spanish authority offered them two reductions upon taking a plea of responsibility, reducing their liability to €6,000. 

3. 2020 Peeping Tom Mall Shopper — € 5,000

Spy cams are violating, often leading to laws around the world to limit their use. One such individual found himself on the wrong side of the law in Germany for such an offense. In the summer of 2020, a man was fined €5,000 after being caught in a shopping mall recording images of minors and women with a hidden digital camera and eight memory cards in his backpack. 

4. 2019 Unredacted Email Attachment — €5,000

Technically this falls under a settlement rather than an actual fine. However, an offending individual in Austria sent an unredacted court document to a third party via email regarding a person who he had been in litigation with for some time. The document mentioned intimate and personal health information. More importantly, the individual mentioned in the document never gave consent for it to be shared. For his misdeeds, he was ordered to pay a total of €5,000 over two separate payments of €1,500 and €3,500. 

5. 2019 Spying Cameras in Public Spaces — €4,000 

The Spanish government takes spying seriously. The Data Protection Agency takes particular objection to improperly positioned surveillance cameras. In 2019, a defendant found themselves on the wrong side of the law with a single camera that was positioned to capture street footage that bordered their home. Without a good reason for why they were only screening street footage, the department found them in violation and handed down a hefty €4,000 fine.

6. 2020 Surveillance Cameras without Notices — €3,000

Once again, Spain makes the list. This time, an individual living in a shared community was found to be in violation in 2020 for installing surveillance cameras on several floors within an apartment community. The offense? They failed to post proper notice that not only was the building entrance under surveillance, but that each of the building’s three floors also had cameras. Additionally, the individual never received consent from the other homeowners in the building. Regulators gave the individual a total of €3,000 in penalties between a €2,000 and a €1,000 fine. 

7. 2020 Unlawful Surveillance — €1,500

While Spain has the most GDPR-related litigation on record for citizen offenses over video surveillance, the nation isn’t alone. In 2020, a Belgian citizen was found liable for illegally recording a public highway and private residences near their home with video surveillance equipment and fined €1,500. 

8. 2022 Public Camera Surveillance Encroachment - €1,200

In early 2022, The Data Protection Agency in Spain fined an individual for illegal use of video surveillance cameras. The sanction and ensuing fine referred to a failure to comply with required data processing principles. 

The violator was found to have two improperly positioned cameras that not only captured footage within their private property, but also in a public zone. The ruling noted that the defendant had been notified several times to correct the cameras’ positioning. After failing to do so, they were fined €1,200.

9. 2022 Unauthorized Publications — €1,000

In 2022, an individual ran afoul of GDPR rules in Italy after they were found to have published a missive to their website without receiving previous authorization by the named parties. The posted information wasn’t redacted, and was so specific as to make it obvious who it was about by naming dates and specific events. For the web owner’s misdeeds, they were handed a €1,000 fine by the Italian authorities. 

10. 2022 The Data Violating Webmaster - €150

Even though most GDPR fines for website violations are directed at companies, individuals associated with those firms are also fair game for investigations and fines. In 2022, the National Supervisory Authority in Romania found a website operated by a company in violation of the GDPR for ignoring a consumer’s request for their account to be deleted. However, additional investigation found that one individual at the offending company was personally responsible for mishandling consumer data without consent. While the company was fined €2000, the individual was slapped with a lesser €150 fine. 

Avoid GDPR fines with Enzuzo

Whether you operate a business by yourself or with just a few associates, you must comply with GDPR regulations and with other data privacy laws around the world. Fines are increasing each year, and the government bodies that enforce regulations like the GDPR are becoming more reluctant to accept ignorance as an excuse for data privacy non-compliance.

Fortunately, we make GDPR and other global data privacy law compliance easy. Our all-in-one data privacy platform has everything you need to protect yourself and your business. This includes key GDPR solutions like cookie consent banners, DSAR management, terms of service generators, and more.

Want to see if the Enzuzo data privacy platform is right for you? You can contact us today with questions or schedule an appointment to book a demo. Enzuzo wants to protect you and your business.

GDPR fines for individuals FAQs

Can individuals be fined under GDPR?

Yes, individuals can be fined for GDPR violations. According to GDPR Chapter 1 Article 4, “any natural or legal person, public authority, agency or body” can be charged for GDPR violations. Hence, GDPR regulations make almost no distinctions between individuals and corporations when it comes to non-compliance.

If someone files a GDPR complaint about me, will I be forced to pay a fine?

In the vast majority of investigations, the EU commission and other regulatory bodies that enforce GDPR do their best to avoid financial penalties. In general, fines are imposed only for companies and individuals who knowingly and repeatedly break GDPR rules despite previous warnings. However, refusing to comply with regulatory bodies during investigation is a surefire way to get fined for GDPR violations.

Is there anything else I should worry about other than financial penalties?

One thing that we didn’t mention above is that the biggest penalty for a GDPR violation actually comes from the public. Now more than ever, consumers around the world are greatly concerned with how companies handle their private information. Organizations and individuals who are found guilty of violating GDPR rules lose consumer trust, which, in turn, can lead to a dramatic decrease in business. Even if the financial penalty imposed by EU regulatory bodies is small, the loss of business can devastate a company or individual.

How can I best protect myself and make sure I stay compliant under GDPR?

If you run a business with an online presence, chances are that you’ll eventually obtain the consumer information from a citizen of a EU member territory. Make sure you follow proper data handling protocols and common practices. Also, consider partnering with a data compliance platform like one available here at Enzuzo. These are easy to integrate into your website, eCommerce and other platforms and provide the proper protocols and security you need to stay compliant with global data privacy laws like GDPR.