The Biggest GDPR Fines From 2021 And 2020, And How To Avoid Them
Although companies have been adapting to the GDPR for years now, the enforcement of GDPR violations is still relatively new to regulatory bodies. The novelty of the GDPR leaves regulators with little precedent to refer to and many supervisory authorities are still working out the best way to enforce the GDPR within their jurisdictions. In this post, we break down the rules you need to know about how fines are imposed for GDPR violations, so you know what an infringement could cost your organisation. We also spotlight some of the biggest GDPR fines from 2021 and 2020 with insights into how you can avoid receiving a fine and which infringements are being prioritized for enforcement.
Table of contents
- Rules for GDPR Fines
- GDPR fines come in two tiers
- Other considerations for financial penalties related to GDPR
- How GDPR violations are enforced
- Biggest GDPR fines from 2021
- Biggest GDPR fines from 2020
- Trends in GDPR fines and compliance
- Expectations for enforcement in 2022
- How to avoid receiving a GDPR fine
- Spotlight: Data breach notifications per day
- What does this mean for an average company?
- Denmark’s first GDPR fine: Danish furniture chain ILVA
- Final words
Rules for GDPR Fines
Fines for GDPR violations are administered by each country’s supervisory authority. Supervisory authorities are responsible for investigating GDPR compliance within their borders and they can also impose fines on companies for not complying with the GDPR. All supervisory authorities enforce the GDPR, but there is some variation in how different supervisory authorities prioritize infringements.
Even though each supervisory authority determines how they enforce the GDPR, they all abide by the same rules governing fines. These rules state that less severe violations can cost an organisation up to €10 million or 2% of annual revenue and more severe infractions can cost an organisation up to €20 million or 4% of annual revenue.
Interpretations vary among supervisory authorities
Though bound by the same principles in the GDPR, these supervisory authorities don’t always enforce the GDPR consistently. This is why it’s important that you get to know how your supervisory authority tends to impose fines – for example, the kind of fines it often administers and the types of business they are imposed on. Each supervisory authority has a limited number of resources to investigate compliance and administer fines. Some supervisory authorities may use these resources to compile large cases against big companies, resulting in fewer but higher fines. Other supervisory authorities may prioritize investigating violations at a smaller scale, resulting in more fines of lesser amounts that are usually directed at smaller companies.
For example, supervisory authorities in the UK, Ireland, and Luxembourg make the news by issuing large, high-profile fines. On the other hand, authorities in Italy and Spain impose a greater number of fines but for smaller amounts. A good starting place is to see how your supervisory authority acts.
The size of your business matters
All organisations are required to comply with the GDPR, but the size of the fine for GDPR violations will vary according to company size. Since the language in the GDPR only lists maximum fine amounts for severe and less severe violations, it allows a great amount of flexibility for fine amounts. In addition to the severity of the infringement, the supervisory authority will consider a company’s size and revenue when deciding the penalty for a violation.
With flexibility in fine amounts, many companies were able to negotiate reduced fines in 2020. The flexibility also helps ensure that a minor infraction won’t put a company out of business, but you should still avoid fines since a company’s history of violations can affect the severity of the fine.
GDPR fines come in two tiers
So, how are fines determined? Now, we’ll cover the legal guidelines that supervisory authorities use when evaluating GDPR violations and administering fines.
The main guideline is that all GDPR violations are evaluated and fined in two different categories, depending on their severity. Of course, the more severe infringements come with a higher penalty. Fines for less severe violations are capped at €10 million or 2% of revenue, while fines for more severe violations cannot exceed €20 million or 4% of revenue.
Let’s get into each of these categories further with a few details about the kinds of violations that are associated with each tier.
Less severe infractions: up to €10 million or 2% of global annual revenue for the previous year – whichever is higher
Violations that the GDPR deems less severe include infringements that fall under these categories, primarily related to data processing and lawful basis:
- Children’s consent (Article 8)
- Processing that does not require identification (Article 11)
- Obligations of data processors and controllers (Articles 25-39)
For example, in 2020 the Hungarian data protection authority issued a €55,000 fine to a travel agency (Robinson-Tours) for failing to have appropriate measures in place to ensure data protection. The lack of appropriate protection measures resulted in their data subjects’ personal data being exposed online for several months. Robinson-Tours’ data processor was partially at fault for the exposure of personal information and also received a fine, although of a smaller amount. This case exemplifies why it is important for data controllers to ensure that their data processors have sufficient security measures in place.
More severe infractions: up to €20 million or 4% of global annual revenue for the previous year – whichever is higher
What differentiates these infractions from the less severe ones is that these violations are a result of actions that go against the right to privacy that is central to the GDPR. Infringements that can result in these higher fines are related to violations of:
- Conditions for consent (Article 7)
- Data subjects’ rights (Articles 12-22), for example:
- Transfer of data to an international organisation or a recipient in a third country (Articles 44-49)
- Violation of individual member state data protection laws
- Failure to comply with orders issued by a supervisory authority
For example, a violation that falls into the more severe category is WhatsApp’s lack of transparency in data processing. WhatsApp was issued a fine of €225 million in 2021 for making their handling of user data unclear and difficult to understand. Since this violation goes against one of the seven principles of the GDPR, it qualifies as a severe breach and resulted in a massive fine.
Criteria that determine the penalty amount
As mentioned already, the GDPR leaves a lot of room for flexibility in financial penalty amounts by only listing the maximum fines that can be administered. Once supervisory authorities have determined which tier the breach falls into, they have to decide how big the fine should be. But the fine could be anywhere between €0 and €10 million or between €0 and €20 million (or between 0% and 4% of a company’s annual revenue). So, how do the authorities determine how big a fine should be?
To guide supervisory authorities, the GDPR lists the following criteria that should be considered when determining the penalty an organisation should receive for a GDPR violation:
- Gravity and nature: What happened and how? How many people were impacted and how much damage did they suffer? How long did it take to resolve?
- Intention: Was it intentional or the result of negligence?
- Mitigation: Attempts by the firm to mitigate the damage caused to the data subjects
- Precautionary measures: Security measures that the firm had in place
- History: Previous infringements of the GDPR and the Data Protection Directive
- Cooperation: Degree of cooperation with the supervisory authority to identify and rectify the violation
- Data category: Type of personal data impacted
- Notification: Did the firm proactively notify the supervisory authority of the infringement?
- Certification: Was the firm certified or abiding by codes of conduct?
- Aggravating/mitigating factors: Further issues that arose from the infringement, e.g., if the firm experienced financial benefit from the violation
If an organisation has several related GDPR violations, the company will be penalized for the most severe of those infringements. However, if the violations are not related to the same processing activity, they could be fined separately.
When evaluating these criteria, the supervisory authority will favor a larger fine if the company shows poor results in several of the categories. On the other hand, if the company made a strong effort to comply with the GDPR, a lesser fine will be favored.
Other considerations for financial penalties related to GDPR
Data controllers are responsible for ensuring that their data processors are compliant
It’s important to note that data controllers are responsible for the data processors that they use. You should always work with data processors that have strong security measures and comply with the GDPR, since data controllers can be penalized for violations caused by their processors. Verifying the compliance of your data processors can save your company a lot of money in fines, especially in cases where a data breach may occur.
Data subjects can request compensation
In addition to the administrative fines that can be levied by the data supervisory authorities, the GDPR allows data subjects to seek compensation from organisations when they have experienced harm as a result of that organisation’s GDPR violation. This condition is outlined in Article 82 of the GDPR. This means that in some cases, the financial impact of a GDPR infraction on a company could be larger than the fine imposed if data subjects request compensation as well. Compensation requests from many data subjects can add to the resource and financial burden of GDPR violations, since it takes time to review and potentially appeal the compensation requests.
How GDPR violations are enforced
Now that we’ve gone through all the rules for how GDPR violations are fined, we’ll cover how the enforcement of these fines is going in practice. We’ll start with an overview of the biggest GDPR fines that have been administered over the past two years and how they could have been avoided. Then, we’ll cover trends in GDPR fines and what that means for an average company.
The largest GDPR fine to date was issued in 2021 by the Luxembourg National Commission for Data Protection, which fined the U.S. online retailer Amazon €746 million.
| 1st place | Amazon |
|---|---|
| Supervisory Authority | Luxembourg’s data protection supervisory agency, the CNPD |
| Reason | Amazon was fined for noncompliance related to cookie consent. The fine is under appeal and the decision is not publicly available |
| How the violation and fine could have been avoided | Don’t force users to agree to cookies or make it difficult to opt out of cookies |

| 2nd place | WhatsApp Ireland |
|---|---|
| Supervisory Authority | Irish Data Protection Commission (DPC) |
| Fine (penalty) | €225 million |
| Reason | WhatsApp Ireland Limited was fined for failing to comply with transparency requirements. WhatsApp has appealed |
| How the violation and fine could have been avoided | Provide privacy information in a format that is easy to access and in the right language. Explain what your legitimate interests are for each data processing operation |

| 3rd place | Notebooksbilliger.de (NBB) |
|---|---|
| Supervisory Authority | State Commissioner for Data Protection in Lower Saxony |
| Reason | A German electronics retailer, notebooksbilliger.de (NBB), was fined for its use of CCTV video surveillance to monitor employees and customers |
| How the violation and fine could have been avoided | If you use CCTV, make sure that you use it for a legitimate reason and in proportion to a specific problem |
Prior to 2021, the largest GDPR fine to date was France’s €50 million fine issued to Google. We covered these fines in more detail last year.
| 1st place | Google Inc |
|---|---|
| Supervisory Authority | France’s data protection authority, CNIL |
| Reason | Google Inc was fined for failing to adequately explain how they process data and failing to have legal grounds to process data for personalised advertising |
| How the violation and fine could have been avoided | Provide adequate information in your consent policy and give users sufficient control over how their data is processed |

| 2nd place | H&M |
|---|---|
| Supervisory Authority | The Hamburg Data Protection Supervisory Authority |
| Reason | A global retailer, H&M, was fined for failing to have a sufficient legal basis for processing data |
| How the violation and fine could have been avoided | Practice data minimisation. Don’t process personal data unless you need to, especially sensitive data about health or religious beliefs. If you collect this information, you need to have strict access controls and rules governing its use |

| 3rd place | Telecom |
|---|---|
| Supervisory Authority | Italy’s Data Protection Supervisory Authority, the Garante |
| Reason | A telecommunications operator was fined for failing to adequately explain how they process data, failing to have legal grounds to process data, and more |
| How the violation and fine could have been avoided | Carefully manage lists of data subjects. Create and abide by marketing opt-ins or opt-outs |
Trends in GDPR fines and compliance
Overall, there has been an increase in the value of fines administered for GDPR breaches. According to DLA Piper’s survey of data protection supervisory authorities, GDPR fines amounted to nearly €1.1 billion in 2021 - a number that is almost seven times the 2020 figure. This is likely due to the rise in value of the biggest fines imposed, but is also related to the rise in daily data breach notifications that supervisory authorities receive. With more breaches, supervisory authorities have even more to investigate and issue fines for.
What fines are enforced the most?
The largest fines that are levied for GDPR violations are typically related to marketing, failing to remove personal data at a subject’s request, and requiring employees to submit biometric data. But what about the most common reasons for fines?
The most common causes for GDPR fines in 2021 and 2020 were:
- Failure to communicate clearly and openly about the processing of data
- Failure to have or demonstrate a legal basis for processing personal data
- Failure to implement appropriate security measures
- Failure to provide proper notification in the event of a personal data breach
- Failure to comply with data minimisation and retention requirements
All this information about fines and enforcement can be overwhelming. But the good news is that the most common causes of GDPR fines are pretty simple to manage for an average company. With planning and a review of the GDPR’s requirements, avoiding fines for these common reasons shouldn’t be too hard.
Expectations for enforcement in 2022
In addition to another year of precedent to inform GDPR enforcement, DLA Piper also expects that 2022 will bring some new trends in the kinds of fines that supervisory authorities impose. The fines that DLA Piper expects to see more of in 2022 include:
- Fines related to improper data transfers to third countries and international organisations
- Fines related to compliance with regulations on cookies and other tracking technologies
- Fines directed towards the AdTech sector
Fines related to improper data transfers to third countries and international organisations will be something to watch closely this year, since the Schrems II ruling recently laid out guidelines for these transfers. The extent to which supervisory authorities issue fines for these data transfers in the coming year will give us insight into how companies should prioritize compliance in this area.
As GDPR enforcement evolves, we will have to wait and see how supervisory authorities in each country prioritize violations in the years to come. However, trends in past fines and expectations for 2022 can provide some insight into what we might expect this year.
How to avoid receiving a GDPR fine
Well, put simply, the easiest way to avoid receiving a GDPR fine is to be compliant. Of course, this is easier said than done and we know that achieving GDPR compliance is no simple task. When your organisation experiences a data breach and reports it to the supervisory authority, this triggers an investigation into your company’s data security and compliance, which can result in your company receiving a fine.
So, one way to avoid receiving a GDPR fine is to protect your organisation from data breaches and the investigation that follows. In other words, don’t subject yourself to unnecessary investigations.
Another way to avoid a GDPR fine is to ensure that your data transfers are compliant, since transfers are gaining priority among supervisory authorities. Our recommendations on adapting to the Schrems II ruling can provide some guidance.
Protect your organisation from a data breach
As mentioned, preventing data breaches is the best way to avoid GDPR fines. Data breaches are most often caused by human error – for example, when an employee accidentally clicks on a malicious email. For this reason, one of the best strategies to prevent a data breach within your organisation is to train your team. And, since training is a requirement for GDPR compliance, training is a win-win. You can strengthen your training efforts by introducing different kinds of training, such as phishing testing, and by focusing on creating a strong security culture within your company.
Spotlight: Data breach notifications per day
One way to predict GDPR fines for the coming year is to look at the number of data breach notifications supervisory authorities receive daily. The number of daily breaches reported has increased every year since the adoption of the GDPR, and likewise so has the number of GDPR penalties.
Here, you can see a table that shows the number of per capita breach notifications received by supervisory authorities in a few countries. For easy comparison, the breach notifications are shown per 100,000 population.
Per capita breach notifications (between 28 January 2021 and 27 January 2022)
*Per capita values sourced from DLA Piper. Breach statistics were not available for Germany and the UK, so they were extrapolated in this report.
As breach notifications are increasing, we can also expect to see an increase in the number of fines administered in 2022. The types of fines that are given in the year ahead will only increase our preparedness as we all navigate how GDPR violations are penalized.
What does this mean for an average company?
Although the biggest fines for GDPR infringements are what make the news, small and mid-sized companies are also held accountable to the GDPR. While a smaller company is unlikely to receive a massive fine, any fine will undoubtedly affect a company’s profitability and reputation.
Smaller companies should prioritize compliance in the areas that were prominent causes of fines in 2020 and 2021. For example, an average company should maintain adequate security measures, abide by the principles of transparency and legal basis, notify the appropriate parties in the event of a breach, and practice data minimisation. Special attention should be paid to employee training, which reduces the likelihood of a breach, and to international data transfers.
Even though fines for GDPR violations are increasing, there is no need to panic about GDPR fines. We are all still learning how fines are prioritized, and the supervisory authorities are still establishing their own processes. As long as you keep an eye on fines within your country and avoid the same kind of mistakes, your company should be safe.
It can sometimes pay off to challenge a fine
Many of the largest fines that have been imposed for GDPR violations are in the appeals process, and some companies have been successful in appealing or reducing their fines. In 2020, companies were successful in reducing the fines they received due in part to the financial hardships incurred by the COVID-19 pandemic. Even in 2022, GDPR regulation is still relatively new, which brings with it a good amount of legal uncertainty. If you have a reasonable argument about a fine you receive, it could benefit you to challenge it. However, you should always weigh the cost of an appeal against the potential benefit you would receive if the fine were reduced or eliminated.
Denmark’s first GDPR fine: Danish furniture chain ILVA
Now that we’ve gone over the legal basis for determining GDPR fines and trends for enforcement, let’s highlight an interesting case: Denmark’s first GDPR fine issued to ILVA.
In February 2021, the Danish furniture chain ILVA received the first court verdict in Denmark requiring an organisation to pay a GDPR fine. ILVA was fined approximately €13,500 for unnecessarily storing nearly 350,000 records of personal data. The Danish Data Protection Agency originally proposed a larger fine, but the court agreed on a reduced fine because it was the company’s first violation and the characteristics of the data involved made the infringement less severe.
The case of ILVA is a good example of how certain criteria are evaluated when determining the value of a financial penalty for a GDPR violation. Several factors worked in ILVA’s favour, which resulted in a lower fine than what was originally proposed. These factors include no prior violation history and the fact that the data involved was not sensitive, nor was it accessible to broad ranges of ILVA employees. There was also no documented damage to the impacted data subjects. Even though ILVA was still held liable for their breach of the GDPR, their fate was improved because the violation did not have a significant impact on the data subjects involved.
We hope this post serves as a useful guide for GDPR rules and fines. When it comes to avoiding fines, one of the most important things you can do is look at how your supervisory authority acts. By checking what violations your supervisory authority prioritizes for fines, you can avoid similar mistakes. Remember that we’re all still learning about GDPR enforcement and there is a lot of flexibility in how penalties are decided.
Please do not hesitate to reach out to us if CyberPilot’s awareness and phishing training can supplement your GDPR compliance efforts.