The Largest GDPR Fines from 2022 and Previous Years - How to Avoid Them
Although companies have been adapting to the GDPR for years now, the enforcement of GDPR violations is still relatively new to regulatory bodies. The novelty of the GDPR leaves regulators with little precedent to refer to and many supervisory authorities are still working out the best way to enforce the GDPR. In this post, we break down the rules you need to know about how GDPR violations are fined. We also spotlight some of the biggest GDPR fines from 2022 back to 2020 with insights into how you can avoid receiving a fine and which GDPR violations are being prioritized for enforcement.
To learn more about how you can avoid GDPR violations, and train your team in the importance of secure data handling, we offer a course on taking responsibility for personal data, which is free of charge for 14 days.
Table of contents
- Rules for GDPR Fines
- GDPR penalties come in two tiers
- Maximum GDPR fine for minor breaches: up to €10 million or 2% of global annual revenue for the previous year – whichever is higher
- Maximum GDPR fine for severe violations: up to €20 million or 4% of global annual revenue for the previous year – whichever is higher
- Criteria that impact fines for GDPR breaches
- Other considerations for GDPR fines
- How GDPR compliance is enforced in practice
- Biggest GDPR fines from 2022
- Biggest GDPR fines from 2021
- Biggest GDPR fines from 2020
- Trends in GDPR penalties and compliance
- What GDPR violations are penalized the most?
- Expectations for GDPR penalties in 2023
- How to avoid receiving a GDPR fine
- Spotlight: Data breach notifications per day
- What does this mean for an average company?
Rules for GDPR Fines
Fines for GDPR violations are administered by each country’s supervisory authority. Supervisory authorities are responsible for investigating GDPR compliance within their borders and imposing fines for GDPR violations. All supervisory authorities enforce the GDPR, but there is some variation in how different supervisory authorities prioritize which GDPR violations to penalize.
Even though each supervisory authority determines how they enforce the GDPR, they all abide by the same rules governing fines. These rules state that less severe violations can cost an organization up to €10 million or 2% of annual revenue and the maximum GDPR fine for more severe breaches can cost up to €20 million or 4% of annual revenue.
Interpretations vary among supervisory authorities
Though bound by the same principles in the GDPR, these supervisory authorities don’t always enforce the GDPR consistently. This is why it’s important that you get to know how your supervisory authority tends to implement fines – for example, the GDPR breaches that are fined most often and the types of businesses penalized. Each supervisory authority has a limited number of resources to investigate compliance and administer fines. Some supervisory authorities may use these resources to compile large cases against big companies, resulting in fewer but higher fines. Other supervisory authorities may prioritize investigating violations on a smaller scale, resulting in more fines of lesser amounts that are usually directed at smaller companies.
For example, supervisory authorities in the UK, Ireland, and Luxembourg make the news by issuing large, high-profile fines. On the other hand, authorities in Italy and Spain impose a greater number of fines but for smaller amounts. A good starting place is to see how your supervisory authority acts.
The size of your business matters
All organizations are required to comply with the GDPR, but the size of fines for GDPR breaches varies according to company size. Since the language only lists maximum GDPR fines for severe and less severe violations, it allows a great amount of flexibility for fine amounts. In addition to the severity of the violation, the supervisory authority considers a company’s size and revenue when deciding the penalty.
The flexibility in fine amounts means that many companies can negotiate reduced GDPR penalties. This flexibility also helps ensure that a minor infraction won’t put a company out of business, but you should still avoid fines since a company’s history of GDPR violations can affect the severity of the fine. We have a guide on how you can make sure that your organization is GDPR compliant.
GDPR penalties come in two tiers
So, how are fines determined? Now, we’ll cover the legal guidelines that supervisory authorities use when evaluating GDPR violations and giving out fines.
The main guideline is that all GDPR violations are evaluated and fined in two different categories, depending on their severity. Of course, the more severe infringements come with a higher penalty. The maximum GDPR fine for less severe violations is €10 million or 2% of revenue, while fines for more severe violations cannot exceed €20 million or 4% of revenue.
Let’s get into these categories further with a few details about the kinds of GDPR violations associated with each tier.
Maximum GDPR fine for minor breaches: up to €10 million or 2% of global annual revenue for the previous year – whichever is higher
Less severe GDPR violations fall under these categories, which are primarily related to data processing and lawful basis:
- Children’s consent (Article 8).
- Processing that does not require identification (Article 11).
- Obligations of data processors and controllers (Articles 25-39).
For example, in 2020 the Hungarian data protection authority issued a €55,000 fine to a travel agency (Robinson-Tours) for failing to have appropriate measures in place to ensure data protection. The lack of appropriate protection measures resulted in their data subjects’ personal data being exposed online for several months. Robinson-Tours' data processor was partially at fault for the exposure of personal information and they also received a fine, although in a smaller amount. This case exemplifies why it is important for data controllers to ensure that their data processors have sufficient security measures in place.
Knowing the legal requirements for processing personal data can help you educate your staff on how to safely and legally process personal data.
Maximum GDPR fine for severe violations: up to €20 million or 4% of global annual revenue for the previous year – whichever is higher
Severe violations are a result of actions that go against the right to privacy that is central to the GDPR. Infringements that can result in these higher fines are related to violations of:
- Conditions for consent (Article 7).
- Data subjects’ rights (Articles 12-22).
- Transfer of data to an international organization or a recipient in a third country (Articles 44-49).
- Violation of individual member state data protection laws.
- Failure to comply with orders issued by a supervisory authority.
For example, a violation that falls into the more severe category is WhatsApp’s lack of transparency in data processing. WhatsApp was issued a fine of €225 million in 2021 for making their handling of user data unclear and difficult to understand. Since this violation goes against one of the seven principles of the GDPR, it qualifies as a severe breach and resulted in a massive fine.
Criteria that impact fines for GDPR breaches
As mentioned already, the GDPR leaves a lot of room for flexibility by only listing the maximum fines that can be administered. Once supervisory authorities have determined which tier the breach falls into, they have to decide how big the fine should be. But the fine could be anywhere between €0-10 million or €0-20 million (or between 0% to 4% of a company’s annual revenue). It’s quite a wide range! So, how do they decide how big a fine should be?
To guide supervisory authorities, the GDPR lists the following criteria to consider when determining penalties for GDPR violations:
- Gravity and nature: What happened and how? How many people were impacted and how much damage did they suffer? How long did it take to resolve?
- Intention: Was it intentional or the result of negligence?
- Mitigation: Attempts by the firm to reduce the harm done to the data subjects.
- Precautionary measures: Security measures the firm had in place.
- History: Previous breaches of the GDPR and Data Protection Directive.
- Cooperation: Degree of cooperation with the supervisory authority to identify and rectify the violation.
- Data category: Type of personal data impacted.
- Notification: Did the firm proactively notify the supervisory authority of the violation?
- Certification: Was the firm certified or abiding by codes of conduct?
- Aggravating/mitigating factors: Further issues that arose from the infringement, e.g., if the firm experienced financial benefit from the violation.
If an organization has several related GDPR violations, the company will be penalized for the most severe of those breaches. However, if the violations are not related to the same processing activity, they could be fined separately.
When evaluating these criteria, the supervisory authority will favor a larger fine if the company shows poor results in several of the categories. On the other hand, if the company made a strong effort to comply with the GDPR, a lesser fine will be favored.
Looking at IBM’s 2022 Cost of a Data Breach report makes it possible to estimate the cost of some common data breaches while considering factors such as company size.
Other considerations for GDPR fines
As you’ve now read, there are a lot of things that affect how big a GDPR fine could be. Here are some other things to consider.
Data controllers are responsible for ensuring that their data processors are compliant
It’s important to note that data controllers are responsible for the data processors that they use. You should always work with data processors that have strong security measures and comply with the GDPR, since data controllers can be penalized for violations caused by their processors. Verifying the compliance of your data processors can save your company a lot of money in fines, especially in cases where a data breach may occur. Having a data processing agreement is one of the first steps in this relationship.
Data subjects can request compensation
In addition to the fines that can be levied by data supervisory authorities, the GDPR allows data subjects to seek compensation from organizations when they have experienced harm as a result of that organization's GDPR violation. This condition is outlined in Article 82 of the GDPR. This means that in some cases, the financial impact of a GDPR violation could be larger than the fine imposed if data subjects request compensation as well. Compensation requests from many data subjects can add to the resource and financial burden of GDPR violations, since it takes time to review and potentially appeal the compensation requests.
How GDPR compliance is enforced in practice
Now that we’ve gone through all the rules for how GDPR violations are fined, we’ll cover how the enforcement of these fines is going in practice. We’ll start with an overview of the largest GDPR fines from the past three years and how they could have been avoided. Then, we’ll cover trends in GDPR penalties and what that means for an average company.
Biggest GDPR fines from 2022
The largest GDPR fines from 2022 show us that the Irish Data Protection Commission has been heavy-handed in giving out penalties. All three of the biggest GDPR fines were given out by the Irish data protection authority, and they were all directed at one company – Meta. Meta was fined more than €880 million in 2022 for GDPR breaches within Facebook and Instagram. So, the GDPR penalties from 2022 tell us that big companies like Meta are being used to set an example for other companies that process large amounts of personal data.
| 1st Place - Meta | |
|---|---|
| Supervisory Authority | Irish Data Protection Commission (DPC) |
| Fine (penalty) | €405 million |
| Reason | Meta was fined for mishandling child users’ data on Instagram. |
| How the violation and fine could have been avoided | Keep the accounts and data of young users private by default. |

| 2nd Place - Meta | |
|---|---|
| Supervisory Authority | Irish Data Protection Commission (DPC) |
| Fine (penalty) | $265 million |
| Reason | A data breach resulted in the personal data of over 500 million Facebook users being published online. |
| How the violation and fine could have been avoided | Protect systems from unauthorized data scraping. |

| 3rd Place - Meta | |
|---|---|
| Supervisory Authority | Irish Data Protection Commission (DPC) |
| Fine (penalty) | €210 million |
| Reason | Meta used forced consent to gain Facebook users’ approval to use their data for the purpose of targeted ads. |
| How the violation and fine could have been avoided | Provide sufficient clarity about data processing for behavioral ads and have a legal basis. |

The 4th highest fine (€180 million) was also given to Meta for the same GDPR violation on Instagram.
Biggest GDPR fines from 2021
The largest GDPR fine to date was issued in 2021 by the Luxembourg National Commission for Data Protection, which fined the U.S. online retailer Amazon €746 million.
| 1st Place - Amazon | |
|---|---|
| Supervisory Authority | Luxembourg’s data protection supervisory agency, the CNPD |
| Fine (penalty) | €746 million |
| Reason | Amazon was fined for noncompliance related to cookie consent. |
| How the violation and fine could have been avoided | Don’t force users to agree to cookies or make it difficult to opt out of cookies. |

| 2nd Place - WhatsApp Ireland | |
|---|---|
| Supervisory Authority | Irish Data Protection Commission (DPC) |
| Fine (penalty) | €225 million |
| Reason | WhatsApp Ireland Limited was fined for failing to comply with transparency requirements. WhatsApp has appealed. |
| How the violation and fine could have been avoided | Provide privacy information in a format that is easy to access and in the right language. Explain what your legitimate interests are for each data processing operation. |

Read the full story to learn why the fine against WhatsApp got quadrupled and what your organization can do to avoid making the same mistakes.

| 3rd Place - Notebooksbilliger.de (NBB) | |
|---|---|
| Supervisory Authority | State Commissioner for Data Protection in Lower Saxony |
| Fine (penalty) | €10.4 million |
| Reason | A German electronics retailer, notebooksbilliger.de (NBB), was fined for its use of CCTV video surveillance to monitor employees and customers. |
| How the violation and fine could have been avoided | If you use CCTV, make sure that you use it for a legitimate reason with proportionality to a specific problem. |
Biggest GDPR fines from 2020
Prior to 2021, the largest GDPR fine to date was France’s €50 million fine issued to Google.

| 1st Place - Google | |
|---|---|
| Supervisory Authority | France’s data protection authority, CNIL |
| Fine (penalty) | €50 million |
| Reason | Google was fined for failing to adequately explain how they process data and failing to have legal grounds to process data regarding personalized advertising. |
| How the violation and fine could have been avoided | Provide adequate information in your consent policy and give users sufficient control over how their data is processed. |

| 2nd Place - H&M | |
|---|---|
| Supervisory Authority | The Hamburg Data Protection Supervisory Authority |
| Fine (penalty) | €35.26 million |
| Reason | A global retailer, H&M, was fined for failing to have enough legal support for processing data. |
| How the violation and fine could have been avoided | Practice data minimization. Don’t process personal data unless you need to, especially sensitive data about health or religious beliefs. If you collect this information, you need to have strict access controls and regulations of use. |

| 3rd Place - Telecom | |
|---|---|
| Supervisory Authority | Italy’s Data Protection Supervisory Authority, the Garante |
| Fine (penalty) | €27.8 million |
| Reason | A telecommunications operator was fined for failing to adequately explain how they process data, failing to have legal grounds to process data and more. |
| How the violation and fine could have been avoided | Carefully manage lists of data subjects. Create and abide by marketing opt-ins or opt-outs. |
Trends in GDPR penalties and compliance
Now, we’ll go over what can be learned from last year’s GDPR fines.
Another record year for GDPR fines
2022 continued the trend of increasing fines for GDPR violations. According to DLA Piper’s survey of data protection supervisory authorities, GDPR fines amounted to €1.64 billion in 2022 - which is 50% more than the GDPR penalties from 2021. The Irish DPC handed out 5 large GDPR fines to Meta this year, making it the authority that has given out the highest amount in fines since the start of the GDPR.
Fewer data breach notifications
The average number of daily data breach notifications received by supervisory authorities decreased from 328 in 2021 to 300 in 2022. It’s a close comparison, so it is hard to make any real conclusions.
The decrease in breach notifications could signal that several years into working with the GDPR, organizations have better security and data protection measures in place. However, the number of data breaches per year has increased, according to IBM’s cost of a data breach report. So, the decrease in breach notifications could actually signal that companies aren’t reporting breaches that they should, in order to avoid investigations and GDPR fines. In previous years, the requirement to notify supervisory authorities of data breaches was prioritized for enforcement, so failing to report a breach could cost companies.
But the difference in notifications is still quite small, so we will have to keep monitoring the number before making any conclusions.
What GDPR violations are penalized the most?
A good place to start when trying to avoid GDPR fines is to look at which breaches are fined most often.
2022 GDPR fines focused on ad-tech and targeted advertising
The Irish DPC’s fines against Meta for behavioral advertising practices on Facebook and Instagram demonstrate growing attention on the relationship between internet users and tech companies. The financial models of social media companies like Meta allow “free” use of their platforms in exchange for their users’ data, which allows for targeted advertising. This exchange of personal data for use of an online service has existed for years and is now at the center of GDPR debates. The DPC was split on some parts of the decision, so GDPR enforcement around targeted advertising will be something to watch in the years to come.
Continued focus on breaches of Article 5 of the GDPR - core data protection principles
Like last year, breaches of Article 5 of the GDPR were targeted for enforcement in 2022. The lawfulness, fairness, and transparency principle and the integrity and confidentiality principle were enforced often. Additionally, breaches of privacy by design and failure to show a lawful basis for processing data were prioritized by supervisory authorities.
The other most common causes for GDPR fines since 2020 are:
- Failure to communicate clearly and openly about the processing of data.
- Failure to implement appropriate security measures.
- Failure to provide proper notification in the event of a personal data breach.
- Failure to comply with data minimization and retention requirements.
All this information about GDPR penalties and enforcement can be overwhelming. But the good news is that the most common causes of GDPR fines are pretty simple to manage for an average company. With planning and a review of the GDPR’s requirements, avoiding fines for these common GDPR breaches shouldn’t be too hard.
Expectations for GDPR penalties in 2023
In their 2023 GDPR Fines and Data Breach report, DLA Piper anticipates which GDPR violations will be prioritized for enforcement in 2023.
Here’s what DLA Piper expects to see in 2023:
- Fines (and appeals) related to online behavioral advertising.
- Fines related to improper data transfers to third countries and international organizations – potentially more clarity around the draft EU – US adequacy decision.
We’ll cover some other predictions for GDPR penalties in 2023 next.
Heavy fines from Luxembourg and Ireland
Historically, Ireland and Luxembourg are the data supervisory authorities that have given out the highest GDPR fines (remember Luxembourg’s €746 million fine on Amazon in 2021?)
Looking ahead, we can expect these two countries to be hot spots for enforcement – and for large GDPR fines – because it’s where a lot of tech companies set up their European operations.
Setting up shop in GDPR-lenient countries loses its protection effect
This year, we saw the European Data Protection Board (EDPB) crack down on fines from local supervisory authorities that it believed were too lenient. As a reminder, Articles 60 and 63 of the GDPR give local authorities the power to refer cases to the EDPB when a violation involves multiple member states. The fines given out by the EDPB are binding, and in 2022 they were much higher than the original fines proposed by the local authorities. In fact, the EDPB’s fines were 630% higher than the original fines in 2022. Moving forward, this means that companies will have a harder time avoiding GDPR fines by locating in countries that are soft on GDPR enforcement.
Increasing focus on AI
Many AI systems use personal data, which means that the technology can be regulated by the GDPR. In 2022, several supervisory authorities and the EDPB published guidance around AI’s use of personal data. For example, the EDPB issued guidelines for facial recognition technology.
Clearview AI received several high fines in 2022 for GDPR breaches related to lawfulness and transparency. They gathered publicly available images of people’s faces from the internet and social media and put them in a database that could be used for facial recognition. Clearview AI’s customers had access to this database, without individuals ever knowing that their personal data was being used for this purpose.
With the European Commission’s new digitization legislation, organizations could face double jeopardy for their use of AI in the processing of personal data. This means that companies using AI to process data could be penalized for breaches of both the GDPR and other European laws.
International data transfers and Schrems II
The Schrems II ruling provides standards for international transfers of personal data and has created much uncertainty for organizations. In 2022, the supervisory authorities of Austria, France, Italy, and Denmark issued decisions against the use of Google Analytics based on hardline interpretations of the GDPR’s rules on international transfers of personal data.
It is expected that by July 2023, the EU adequacy decision will replace the 2016 Privacy Shield as legislation governing international transfers. It will provide clarity around US-EU data transfers and ease compliance for US companies certified under the Data Privacy Framework (DPF). For companies that are not certified under the DPF, Standard Contractual Clauses and transfer impact assessments will likely remain the default for international transfers. With more nuanced guidelines around data transfers, we can expect to see more action from supervisory authorities in the coming year.
As GDPR enforcement evolves, we will have to wait and see how supervisory authorities in each country prioritize violations in the years to come. However, trends in past fines and expectations for 2023 can provide some insight into what we might expect this year.
How to avoid receiving a GDPR fine
Well, put simply, the easiest way to avoid receiving a GDPR penalty is to be compliant. Of course, this is easier said than done and we know that achieving GDPR compliance is no simple task. When your organization experiences a data breach and reports it to the supervisory authority, this triggers an investigation into your company’s data security and compliance, which can result in your company receiving a fine.
So, one way to avoid receiving a GDPR fine is to protect your organization from data breaches and the investigation that follows. In other words, don’t subject yourself to unnecessary investigations.
We have written a guide with everything you need to know in order to comply with the GDPR, to make sure that you are meeting all the requirements.
Another way to avoid a GDPR fine is to ensure that your data transfers are compliant, since transfers are gaining priority among supervisory authorities. Our recommendations on adapting to the Schrems II ruling can provide some guidance.
Besides practicing safe data transfers, organizations must have a process for safely deleting data that they no longer need or have the right to process.
Protect your organization from a data breach
As mentioned, preventing data breaches is the best way to avoid GDPR fines. Data breaches are most often caused by human error – for example, when an employee accidentally clicks on a malicious email. For this reason, one of the best strategies to prevent a data breach within your organization is to train your team. And, since training is a requirement for GDPR compliance, training is a win-win. You can strengthen your training efforts by introducing different kinds of training, such as phishing testing, and by focusing on creating a strong security culture within your company.
We at CyberPilot offer awareness training to help organizations stay compliant with the GDPR and build stronger resilience against IT threats. We currently have a free trial of our awareness training program.
Spotlight: Data breach notifications per day
One way to predict GDPR fines for the coming year is to look at the number of data breach notifications supervisory authorities receive daily. In the past, breach notifications and the number of penalties have both increased every year. But this year, the daily breach notifications decreased.
Here, you can see a table that shows the number of per capita breach notifications received by supervisory authorities in a few countries. For easy comparison, the breach notifications are shown per 100,000 people.
Per capita breach notifications (between 28 January 2022 and 27 January 2023)
*Per capita values sourced from DLA Piper. Breach statistics were not available for Germany and the UK, so they were extrapolated in this report.
It’s likely that daily breach notifications are decreasing due to a failure to report, rather than an actual decrease in data breaches. So, in 2023 we will keep an eye on how supervisory authorities penalize GDPR violations related to the requirement to notify authorities of personal data breaches.
What does this mean for an average company?
Although the biggest fines for GDPR breaches are what make the news, small and mid-sized companies are also held accountable to the GDPR. While a smaller company is unlikely to receive a massive fine, any fine will undoubtedly affect a company’s profitability and reputation.
Smaller companies should prioritize compliance in the areas that were prominent causes of fines in recent years. For example, an average company should maintain adequate security measures, abide by the principles of transparency and legal basis, notify the appropriate parties in the event of a breach, and practice secure data minimization. Special attention should be paid to employee training, which reduces the likelihood of a breach, and to international data transfers.
Even though fines for GDPR violations are increasing, there is no need to panic about GDPR fines. We are all still learning how fines are prioritized, and the supervisory authorities are still establishing their own processes. As long as you keep an eye on fines within your country and avoid the same kind of mistakes, your company should be safe.
It can sometimes pay off to challenge a GDPR fine
Many of the largest fines that have been imposed for GDPR violations are in the appeals process, and some companies have been successful in appealing or reducing their fines. In 2020, companies were successful in reducing the fines they received due in part to the financial hardships incurred by the COVID-19 pandemic. Even in 2023 though, GDPR regulation is still relatively new which brings with it a good amount of legal uncertainty. If you have a reasonable argument about a fine you receive, it could benefit you to challenge it. However, you should always weigh the cost of an appeal with the potential benefit you would receive if the fine were reduced or eliminated.
We hope this post serves as a useful guide for GDPR rules and fines. When it comes to avoiding GDPR fines, one of the most important things you can do is look at how your supervisory authority acts. By checking what violations your supervisory authority prioritizes for fines, you can avoid similar mistakes. Remember that we’re all still learning about GDPR enforcement and there is a lot of flexibility in how penalties are decided.
Please do not hesitate to reach out to us if CyberPilot’s awareness and phishing training can supplement your GDPR compliance efforts.
People also ask
What is a GDPR breach?
A GDPR breach is any incident in which personal data that is subject to the General Data Protection Regulation (GDPR) is accessed, disclosed, altered, deleted, or otherwise processed in an unauthorised or unlawful manner, potentially resulting in harm to the data subjects.
What is the penalty for not complying with GDPR?
Non-compliance with GDPR can result in fines of up to €20 million or 4% of a company's global annual turnover, whichever is greater. Additionally, data subjects may also have the right to seek compensation for damages suffered as a result of the non-compliance.
How do I report a data breach as an individual?
If you believe your personal data has been compromised, you should notify the organisation responsible for storing the data as soon as possible. You can also report the breach to the Danish Data Protection Agency (Datatilsynet) in Denmark, which is responsible for enforcing data protection laws.