
The Biggest GDPR Fines From 2021 And 2020, And How To Avoid Them

By: Sarah Hofmann | Cyber Security | 10 February

Although companies have been adapting to the GDPR for years now, the enforcement of GDPR violations is still relatively new to regulatory bodies. The novelty of the GDPR leaves regulators with little precedent to refer to and many supervisory authorities are still working out the best way to enforce the GDPR within their jurisdictions. In this post, we break down the rules you need to know about how fines are imposed for GDPR violations, so you know what an infringement could cost your organisation. We also spotlight some of the biggest GDPR fines from 2021 and 2020 with insights into how you can avoid receiving a fine and which infringements are being prioritized for enforcement. 

To learn more about how you can avoid breaching the GDPR and train your team in the importance of secure data handling, we offer a course on taking responsibility for personal data that is free of charge for 30 days.


Rules for GDPR Fines

Fines for GDPR violations are administered by each country’s supervisory authority. Supervisory authorities are responsible for investigating GDPR compliance within their borders and they can also impose fines on companies for not complying with the GDPR. All supervisory authorities enforce the GDPR, but there is some variation in how different supervisory authorities prioritize infringements.  

Even though each supervisory authority determines how they enforce the GDPR, they all abide by the same rules governing fines. These rules state that less severe violations can cost an organisation up to €10 million or 2% of annual revenue and more severe infractions can cost an organisation up to €20 million or 4% of annual revenue.  

Interpretations vary among supervisory authorities

Though bound by the same principles in the GDPR, these supervisory authorities don’t always enforce the GDPR consistently. This is why it’s important that you get to know how your supervisory authority tends to implement fines – for example, the kind of fines they often administer and the type of business they are given to. Each supervisory authority has a limited number of resources to investigate compliance and administer fines. Some supervisory authorities may use these resources to compile large cases against big companies, resulting in fewer but higher fines. Other supervisory authorities may prioritize investigating violations at a smaller scale, resulting in more fines of lesser amounts that are usually directed at smaller companies.

For example, supervisory authorities in the UK, Ireland, and Luxembourg make the news by issuing large, high-profile fines. On the other hand, authorities in Italy and Spain impose a greater number of fines but for smaller amounts. A good starting place is to see how your supervisory authority acts.

The size of your business matters

All organisations are required to comply with the GDPR, but the size of the fine for GDPR violations will vary according to company size. Since the language in the GDPR only lists maximum fine amounts for severe and less severe violations, it allows a great amount of flexibility for fine amounts. In addition to the severity of the infringement, the supervisory authority will consider a company’s size and revenue when deciding the penalty for a violation.

With flexibility in fine amounts, many companies were able to negotiate reduced fines in 2020. The flexibility also helps ensure that a minor infraction won’t put a company out of business, but you should still avoid fines since a company’s history of violations can affect the severity of the fine.


GDPR fines come in two tiers

So, how are fines determined? Now, we’ll cover the legal guidelines that supervisory authorities use when evaluating GDPR violations and administering fines.

The main guideline is that all GDPR violations are evaluated and fined in two different categories, depending on their severity. Of course, the more severe infringements come with a higher penalty. Fines for less severe violations are capped at €10 million or 2% of revenue, while fines for more severe violations cannot exceed €20 million or 4% of revenue.

Let’s get into each of these categories further with a few details about the kinds of violations that are associated with each tier.


Less severe infractions: up to €10 million or 2% of global annual revenue for the previous year – whichever is higher

Violations that the GDPR deems less severe include infringements that fall under these categories, primarily related to data processing and lawful basis:

  • Children’s consent (Article 8)

  • Processing that does not require identification (Article 11)

  • Obligations of data processors and controllers (Articles 25-39)

  • Responsibilities of monitoring bodies (Article 41) and certification bodies (Articles 42-43) to follow transparent and unbiased evaluation processes

For example, in 2020 the Hungarian data protection authority issued a €55,000 fine to a travel agency (Robinson-Tours) for failing to have appropriate measures in place to ensure data protection. The lack of appropriate protection measures resulted in their data subjects’ personal data being exposed online for several months. Robinson-Tours' data processor was partially at fault for the exposure of personal information and also received a fine, although of a smaller amount. This case exemplifies why it is important for data controllers to ensure that their data processors have sufficient security measures in place.

Knowing the legal expectations for processing personal data can help you educate your staff, so that in their daily work they know how to process personal data safely and in line with the lawful basis.

More severe infractions: up to €20 million or 4% of global annual revenue for the previous year – whichever is higher

What differentiates these infractions from the less severe ones is that these violations are a result of actions that go against the right to privacy that is central to the GDPR. Infringements that can result in these higher fines are related to violations of:

  • GDPR’s basic processing principles – processing personal data, lawfulness, and special categories of personal data (Articles 5, 6, and 9)

  • Conditions for consent (Article 7)

  • Data subjects’ rights (Articles 12-22), for example:

  • Transfer of data to an international organisation or a recipient in a third country (Articles 44-49)

  • Violation of individual member state data protection laws

  • Failure to comply with orders issued by a supervisory authority

For example, a violation that falls into the more severe category is WhatsApp’s lack of transparency in data processing. WhatsApp was issued a fine of €225 million in 2021 for making their handling of user data unclear and difficult to understand. Since this violation goes against one of the seven principles of the GDPR, it qualifies as a severe breach and resulted in a massive fine.

Criteria that determine the penalty amount

As mentioned already, the GDPR leaves a lot of room for flexibility in financial penalty amounts by only listing the maximum fines that can be administered. Once supervisory authorities have determined which tier the breach falls into, they have to decide how big the fine should be. But the fine could be anywhere between €0-10 million or €0-20 million (or between 0% and 4% of a company’s annual revenue). So, how do the authorities determine how big a fine should be?

To guide supervisory authorities, the GDPR lists the following criteria that should be considered when determining the penalty an organisation should receive for a GDPR violation:

  • Gravity and nature: What happened and how? How many people were impacted and how much damage did they suffer? How long did it take to resolve?

  • Intention: Was it intentional or the result of negligence?

  • Mitigation: Attempts by the firm to mitigate the damage caused to the data subjects

  • Precautionary measures: Security measures that the firm had in place

  • History: Previous infringements of the GDPR and Data Protection Directive

  • Cooperation: Degree of cooperation with the supervisory authority to identify and rectify the violation

  • Data category: Type of personal data impacted

  • Notification: Did the firm proactively notify the supervisory authority of the infringement?

  • Certification: Was the firm certified or abiding by codes of conduct?

  • Aggravating/mitigatory factors: Further issues that arose from the infringement, e.g., if the firm experienced financial benefit from the violation

The IBM report from 2021 makes it possible to estimate the cost of some common data breaches while taking into account factors such as company size.

If an organisation has several related GDPR violations, the company will be penalized for the most severe of those infringements. However, if the violations are not related to the same processing activity, they could be fined separately.

When evaluating these criteria, the supervisory authority will favor a larger fine if the company shows poor results in several of the categories. On the other hand, if the company made a strong effort to comply with the GDPR, a lesser fine will be favored.

Other considerations for financial penalties related to GDPR

Data controllers are responsible for ensuring that their data processors are compliant

It’s important to note that data controllers are responsible for the data processors that they use. You should always work with data processors that have strong security measures and comply with the GDPR, since data controllers can be penalized for violations caused by their processors. Verifying the compliance of your data processors can save your company a lot of money in fines, especially in cases where a data breach may occur.

Data subjects can request compensation  

In addition to the administrative fines that can be levied by the data supervisory authorities, the GDPR allows data subjects to seek compensation from organisations when they have experienced harm as a result of that organisation’s GDPR violation. This condition is outlined in Article 82 of the GDPR. This means that in some cases, the financial impact of a GDPR infraction on a company could be larger than the fine imposed if data subjects request compensation as well. Compensation requests from many data subjects can add to the resource and financial burden of GDPR violations, since it takes time to review and potentially appeal the compensation requests.

How GDPR violations are enforced

Now that we’ve gone through all the rules for how GDPR violations are fined, we’ll cover how the enforcement of these fines is going in practice. We’ll start with an overview of the biggest GDPR fines that have been administered over the past two years and how they could have been avoided. Then, we’ll cover trends in GDPR fines and what that means for an average company.

Biggest GDPR fines from 2021

The largest GDPR fine to date was issued in 2021 by the Luxembourg National Commission for Data Protection, who fined the U.S. online retailer Amazon €746 million.

1st place - Amazon

  • Supervisory authority: Luxembourg’s data protection supervisory agency, the CNPD

  • Fine (penalty): €746m

  • Reason: Amazon was fined for noncompliance related to cookie consent. The fine is in the appeals process and is not available to the public.

  • How the violation and fine could have been avoided: Don’t force users to agree to cookies or make it difficult to opt out of cookies.

2nd place - WhatsApp Ireland

  • Supervisory authority: Irish Data Protection Commission (DPC)

  • Fine (penalty): €225m

  • Reason: WhatsApp Ireland Limited was fined for failing to comply with transparency requirements. WhatsApp has appealed. Read the full story to learn why the fine against WhatsApp got quadrupled and what your organisation can do to avoid making the same mistakes.

  • How the violation and fine could have been avoided: Provide privacy information in a format that is easy to access and in the right language. Explain what your legitimate interests are for each data processing operation.

3rd place - Notebooksbilliger.de (NBB)

  • Supervisory authority: State Commissioner for Data Protection in Lower Saxony

  • Fine (penalty): €10.4m

  • Reason: A German electronics retailer, notebooksbilliger.de (NBB), was fined for its use of CCTV video surveillance to monitor employees and customers.

  • How the violation and fine could have been avoided: If you use CCTV, make sure that you use it for a legitimate reason with proportionality to a specific problem.

Biggest GDPR fines from 2020 

Prior to 2021, the largest GDPR fine to date was France’s €50 million fine issued to Google.

1st place - Google Inc

  • Supervisory authority: France’s data protection authority, CNIL

  • Fine (penalty): €50m

  • Reason: Google Inc. was fined for failing to adequately explain how they process data and failing to have legal grounds to process data regarding personalised advertising.

  • How the violation and fine could have been avoided: Provide adequate information in your consent policy and give users sufficient control over how their data is processed.

2nd place - H&M

  • Supervisory authority: The Hamburg Data Protection Supervisory Authority

  • Fine (penalty): €35.26m

  • Reason: A global retailer, H&M, was fined for failing to have enough legal support for processing data.

  • How the violation and fine could have been avoided: Practice data minimisation. Don’t process personal data unless you need to, especially sensitive data about health or religious beliefs. If you collect this information, you need to have strict access controls and regulations of use.

3rd place - Telecom

  • Supervisory authority: Italy’s Data Protection Supervisory Authority, the Garante

  • Fine (penalty): €27.8m

  • Reason: A telecommunications operator was fined for failing to adequately explain how they process data, failing to have legal grounds to process data and more.

  • How the violation and fine could have been avoided: Carefully manage lists of data subjects. Create and abide by marketing opt-ins or opt-outs.

Trends in GDPR fines and compliance 

Overall, there has been an increase in the value of fines administered for GDPR breaches. According to DLA Piper’s survey of data protection supervisory authorities, GDPR fines amounted to nearly €1.1 billion in 2021 - a number that is almost seven times the 2020 figure. This is likely due to the rise in value of the biggest fines imposed, but is also related to the rise in daily data breach notifications that supervisory authorities receive. With more breaches, supervisory authorities have even more to investigate and issue fines for.

What fines are enforced the most? 

The largest fines that are levied for GDPR violations are typically related to marketing, failing to remove personal data at a subject’s request, and requiring employees to submit biometric data. But what about the most common reasons for fines?

The most common causes for GDPR fines in 2021 and 2020 were:

  • Failure to communicate clearly and openly about the processing of data

  • Failure to have or demonstrate a legal basis for processing personal data

  • Failure to implement appropriate security measures

  • Failure to provide proper notification in the event of a personal data breach

  • Failure to comply with data minimisation and retention requirements

All this information about fines and enforcement can be overwhelming. But the good news is that the most common causes of GDPR fines are pretty simple to manage for an average company. With planning and a review of the GDPR’s requirements, avoiding fines for these common reasons shouldn’t be too hard.

Expectations for enforcement in 2022

In addition to another year of precedent to inform GDPR enforcement, DLA Piper also expects that 2022 will bring some new trends in the kinds of fines that supervisory authorities impose. The fines that DLA Piper expects to see more of in 2022 include:

  • Fines related to improper data transfers to third countries and international organisations

  • Fines related to compliance with regulations on cookies and other tracking technologies

  • Fines directed towards the AdTech sector

Fines related to improper data transfers to third countries and international organisations will be something to watch closely this year, since the Schrems II ruling recently laid out guidelines for these transfers. The extent to which supervisory authorities issue fines for these data transfers in the coming year will give us insight into how companies should prioritize compliance in this area.

As GDPR enforcement evolves, we will have to wait and see how supervisory authorities in each country prioritize violations in the years to come. However, trends in past fines and expectations for 2022 can provide some insight into what we might expect this year.

How to avoid receiving a GDPR fine

Well, put simply, the easiest way to avoid receiving a GDPR fine is to be compliant. Of course, this is easier said than done and we know that achieving GDPR compliance is no simple task. When your organisation experiences a data breach and reports it to the supervisory authority, this triggers an investigation into your company’s data security and compliance, which can result in your company receiving a fine.

So, one way to avoid receiving a GDPR fine is to protect your organisation from data breaches and the investigation that follows. In other words, don’t subject yourself to unnecessary investigations.

We have written a guide with everything you need to know in order to comply with the GDPR, to make sure that you are meeting all the requirements. 

Another way to avoid a GDPR fine is to ensure that your data transfers are compliant, since transfers are gaining priority among supervisory authorities. Our recommendations on adapting to the Schrems II ruling can provide some guidance.

Besides practicing safe data transfers, organisations must have a process for safely deleting data that they no longer need or no longer have the right to process, in order to comply with the GDPR rules and thus avoid fines.

Protect your organisation from a data breach

As mentioned, preventing data breaches is the best way to avoid GDPR fines. Data breaches are most often caused by human error – for example, when an employee accidentally clicks on a malicious email. For this reason, one of the best strategies to prevent a data breach within your organisation is to train your team. And, since training is a requirement for GDPR compliance, training is a win-win. You can strengthen your training efforts by introducing different kinds of training, such as phishing testing, and by focusing on creating a strong security culture within your company.

We at CyberPilot offer awareness training to help organisations stay compliant with the GDPR and build stronger resilience against IT threats. We currently have a free trial of our awareness training program.

Spotlight: Data breach notifications per day

One way to predict GDPR fines for the coming year is to look at the number of data breach notifications supervisory authorities receive daily. The number of daily breaches reported has increased every year since the adoption of the GDPR, and likewise so has the number of GDPR penalties.

Here, you can see a table that shows the number of per capita breach notifications received by supervisory authorities in a few countries. For easy comparison, the breach notifications are shown per 100,000 population.

Country: per capita breach notifications (between 28 January 2021 and 27 January 2022)

  • Netherlands: 150.71

  • Denmark: 130.60

  • Germany*: 79.42

  • Sweden: 54.83

  • Norway: 44.12

  • UK*: 14.14

*Per capita values sourced from DLA Piper. Breach statistics were not available for Germany and the UK, so they were extrapolated in this report.

As breach notifications are increasing, we can also expect to see an increase in the number of fines administered in 2022. The types of fines that are given in the year ahead will only increase our preparedness as we all navigate how GDPR violations are penalized. 

What does this mean for an average company? 

Although the biggest fines for GDPR infringements are what make the news, small and mid-sized companies are also held accountable to the GDPR. While a smaller company is unlikely to receive a massive fine, any fine will undoubtedly affect a company’s profitability and reputation.  

Smaller companies should prioritize compliance in the areas that were prominent causes of fines in 2020 and 2021. For example, an average company should maintain adequate security measures, abide by the principles of transparency and legal basis, notify the appropriate parties in the event of a breach, and practice secure data minimisation. Special attention should be paid to employee training, which reduces the likelihood of a breach, and to international data transfers.

Even though fines for GDPR violations are increasing, there is no need to panic about GDPR fines. We are all still learning how fines are prioritized, and the supervisory authorities are still establishing their own processes. As long as you keep an eye on fines within your country and avoid the same kind of mistakes, your company should be safe. 

It can sometimes pay off to challenge a fine 

Many of the largest fines that have been imposed for GDPR violations are in the appeals process, and some companies have been successful in appealing or reducing their fines. In 2020, companies were successful in reducing the fines they received due in part to the financial hardships incurred by the COVID-19 pandemic. Even in 2022, though, GDPR regulation is still relatively new, which brings with it a good amount of legal uncertainty. If you have a reasonable argument about a fine you receive, it could benefit you to challenge it. However, you should always weigh the cost of an appeal against the potential benefit you would receive if the fine were reduced or eliminated.

Denmark’s first GDPR fine: Danish furniture chain ILVA

Now that we’ve gone over the legal basis for determining GDPR fines and trends for enforcement, let’s highlight an interesting case: Denmark’s first GDPR fine issued to ILVA.

In February 2021, the Danish furniture chain ILVA received the first court verdict in Denmark requiring an organisation to pay a GDPR fine. ILVA was fined approximately €13,500 for unnecessarily storing nearly 350,000 records of personal data. The Danish Data Protection Agency originally proposed a larger fine, but the court agreed on a reduced fine because it was the company’s first violation and characteristics of the data involved made the infringement less severe.

The case of ILVA is a good example of how certain criteria are evaluated when determining the value of a financial penalty for a GDPR violation. Several factors worked in ILVA’s favour, which resulted in a lower fine than what was originally proposed. These factors include no prior violation history and the fact that the data involved was not sensitive, nor was it accessible to broad ranges of ILVA employees. There was also no documented damage to the impacted data subjects. Even though ILVA was still held liable for their breach of the GDPR, their fate was improved because the violation did not have a significant impact on the data subjects involved.

Final words 

We hope this post serves as a useful guide for GDPR rules and fines. When it comes to avoiding fines, one of the most important things you can do is look at how your supervisory authority acts. By checking what violations your supervisory authority prioritizes for fines, you can avoid similar mistakes. Remember that we’re all still learning about GDPR enforcement and there is a lot of flexibility in how penalties are decided.

Please do not hesitate to reach out to us if CyberPilot’s awareness and phishing training can supplement your GDPR compliance efforts.