20 Biggest GDPR Fines of 2018, 2019, 2020, 2021 & 2022

Posted by Emmeline de Chazal on 21 Apr 2022


The past 4 years have seen some massive GDPR fines handed out to firms. Here's a breakdown of the top 20 penalties from 2018 to 2022 thus far.

20 Biggest GDPR Fines

Following the introduction of the GDPR in May 2018, initial reports showed that data breach complaints increased by 160%. That rate is alarming, and it shows how critical it is that staff receive comprehensive GDPR training.

Top 20 GDPR fines so far

  1. Amazon Europe - €746m fine (2021)
  2. WhatsApp Ireland - €225m fine (2021)
  3. Google Inc - €50m fine (2019)
  4. H&M - €35.3m fine (2020)
  5. TIM - €27.8m fine (2020)
  6. British Airways - €22m fine (2020)
  7. Marriott International - €20m fine (2020)
  8. Wind Tre - €16.7m fine (2020)
  9. Deutsche Wohnen - €14.5m fine (2019)
  10. Vodafone Italia - €12.25m fine (2020)
  11. Eni Gas e Luce - €11.5m fine (2020)
  12. Notebooksbilliger.de - €10.4m fine (2021)
  13. Austrian Post - €9.5m fine (2021)
  14. Vodafone España - €8.15m fine (2021)
  15. REWE International - €8m fine (2022)
  16. Grindr LLC - €6.3m fine (2021)
  17. Cosmote Mobile Telecommunications - €6m fine (2022)
  18. Fastweb SpA - €4.5m fine (2021)
  19. Vodafone España - €3.94m fine (2022)
  20. Sky Italia - €3.3m fine (2021)

The biggest 20 GDPR fines from the past 4 years reveal some key takeaways. Firstly, 2021 recorded two heavyweights in terms of penalty amounts. The fines dished out to Amazon Europe and WhatsApp Ireland are in a league of their own.

Secondly, there's little evidence of firms learning a lesson from these penalties. After a year of relatively low fines in 2019, the following two years saw some hefty penalties, and 2020 and 2021 contribute a near-even share of the fines in the top 20. This trend could change this year - 2022 is still young.

In 2018, the total amount of fines issued for the year was only €436,000. This, clearly, ramped up in the years that followed. We continuously track the largest GDPR fines each year. If you're interested in the full details, have a look at the highest fines in 2019, 2020, 2021 and the most recent fines in 2022.


The 20 biggest GDPR fines in detail

1. Amazon Europe - €746m fine (2021)

GDPR breaches - Non-compliance with general data processing principles

In 2021, Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of how it uses customer data for targeted advertising purposes.

In 2018, the French privacy rights group La Quadrature du Net submitted a complaint on behalf of more than 10,000 customers. The complaint, which also targeted Apple, Facebook, Google and LinkedIn, alleged that Amazon had manipulated customers for commercial ends by choosing what advertising and information they received.

The CNPD ruled that Amazon must commit to changing its business practices.

2. WhatsApp Ireland - €225m fine (2021)

GDPR breaches - Articles 5, 12, 13, 14

Ireland's data authority fined WhatsApp €225m (about £193m) in 2021 for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under the EU GDPR.

An investigation opened in 2018 found that WhatsApp was not transparent enough with its users about how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had circulated its draft decision to the other EU regulators concerned, as the GDPR requires, and that eight of them, including those of Germany, France and Italy, had raised objections to the draft.


3. Google Inc - €50m fine (2019)

GDPR breaches - Articles 4, 5, 6, 13, 14

In one of the most high-profile cases of 2019, the French data regulator (CNIL) fined Google an astounding €50 million.

The fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Information about ad personalisation was scattered across several documents, making it hard for users to grasp its full extent.

Additionally, the option to receive personalised ads was "pre-ticked" when a new account was opened. The GDPR does not accept a pre-ticked box as valid consent, which must be an affirmative act by the user.

4. H&M - €35.3m fine (2020)

GDPR breaches - Articles 5, 6

In 2020, the Data Protection Authority in Hamburg fined H&M €35.3m for the unlawful surveillance of its employees.

After employees took a holiday or sick leave, they had to attend a return-to-work meeting. The company recorded some of these meetings, and the data was accessible to over 50 H&M managers.

This resulted in the company keeping "excessive" records on its workforce's families, religions, and illnesses at its Nuremberg service centre. The company then used the data to help evaluate employees’ performance and make decisions about their employment.


5. TIM - €27.8m fine (2020)

GDPR breaches - Articles 5, 6, 7, 17, 21, 32

Italian data protection regulator Garante fined telecoms provider TIM €27.8 million in 2020 for its cavalier approach to telemarketing and other GDPR breaches.

First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on the public "opt-out" register or had exercised their right not to receive marketing. In one case, it contacted a single individual 155 times in a month.

Second, the privacy notices for TIM apps and promotions were not transparent, and it was unclear why they would use the data. Consent was also incorrectly managed and often invalid - with a single consent used for multiple purposes.

Data retention was also excessive, in some cases exceeding both the 10-year maximum permitted by law and the company's own five-year policy.

6. British Airways - €22m fine (2020)

GDPR breaches - Articles 5(1), 32

The ICO fined British Airways €22m in 2020 after the airline failed to protect the personal data of more than 400,000 customers.

The investigation found that the airline was processing a significant amount of personal data without adequate security measures. That failure broke data protection law, and in 2018 BA suffered a cyberattack that went undetected for more than two months.

The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details the attacker accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, and usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

Initially, the ICO announced its intention to fine British Airways an eye-watering £183m for its GDPR failings in July 2019. The final penalty was reduced to £20m (about €22m), in part because of the economic impact of COVID-19.

7. Marriott International - €20m fine (2020)

GDPR breach - Article 32

Marriott International Inc failed to keep millions of customers' personal data secure, with 339 million guest records worldwide believed to have been affected following a cyberattack in 2014 on Starwood Hotels and Resorts Worldwide Inc. Marriott acquired Starwood in 2016, but the intrusion remained undetected until September 2018. The ICO also noted that Marriott had done too little security due diligence when it bought Starwood.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests' VIP status and loyalty programme membership numbers. Although this is a large fine, it is significantly less than the £99m the Information Commissioner's Office (ICO) initially proposed in its notice of intent.

8. Wind Tre - €16.7m fine (2020)

GDPR breaches - Articles 5, 6, 12, 24, 25

Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre in 2020 for several unlawful data processing activities concerning direct marketing practices.

Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications sent without their previous consent, through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and oppose the processing for direct marketing purposes.

Complainants' data was published in public telephone directories despite their objections. In addition, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to give consent for several different processing activities on every access, and only allowed them to withdraw that "consent" after a 24-hour window.


9. Deutsche Wohnen – €14.5m fine (2019)

GDPR breaches - Articles 5, 25

One of Germany’s most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine in 2019, which was the largest in the country since the GDPR came into effect.

According to the Data Protection Authority of Berlin, the company didn't comply with general data processing principles. Personal data that the company should have erased years ago was still accessible by employees.

The fine was originally meant to be almost twice as large, at €28 million, but the Berlin Commissioner took into account that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, the fine was lowered. Note that in 2021 the Berlin Regional Court set the fine aside on procedural grounds, and the case was still being contested when this article was written.

10. Vodafone Italia - €12.25m fine (2020)

GDPR breaches - Articles 5(1), 5(2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32, 33

Garante fined Vodafone Italia €12.25m in 2020 over aggressive telemarketing practices.

Garante launched its investigation after receiving 'hundreds' of complaints about nuisance calls from Vodafone's sales networks. It found that Vodafone's customer information storage system had multiple flaws, and that the company had purchased contact lists from external providers containing the details of up to 4.5 million people, obtained without their consent.

Vodafone justified the unwanted communication as human error, but this was not deemed an appropriate excuse by the regulator, with other factors including the ‘significantly negligent nature’ and recurrence of the calls.

The regulator ordered Vodafone to overhaul its telemarketing procedures in Italy and prohibited it from processing personal data acquired from third parties without first obtaining the data subjects' consent.


11. Eni Gas e Luce - €11.5m fine (2020)

GDPR breaches - Articles 5, 6, 7, 21, 32

In Italy, Eni Gas e Luce (Egl) was fined €11.5 million in 2020 by Garante, the data protection watchdog, for illegal processing of personal data and activating unsolicited contracts.

Its first fine (€8.5m) related to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations, including:

  • Marketing calls made to individuals without their consent or despite them objecting to marketing calls.
  • Inadequate procedures for checking the public "opt-out" register.
  • No technical or organisational measures to log consent.
  • Keeping personal data for longer than is necessary.
  • Acquiring personal information from other entities without checking consent.

The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.

12. Notebooksbilliger.de - €10.4m fine (2021)

GDPR breaches - Articles 5, 6

The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.

The LfD Niedersachsen noted that the cameras recorded workplaces, salesrooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the video camera installation aimed to prevent and investigate criminal offences and track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees leave the business premises, according to the LfD Niedersachsen.

Video surveillance to uncover criminal offences is lawful if there is justified suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period. However, the LfD Niedersachsen discovered that at notebooksbilliger.de, video surveillance was neither limited to a specific period nor particular employees.

In many cases, the company kept the recordings for 60 days, significantly longer than necessary. The LfD Niedersachsen also found that customers of notebooksbilliger.de were affected by the video surveillance, because some cameras were aimed at seating in the sales area, and concluded that the surveillance was not proportionate in these cases either.


13. Austrian Post - €9.5m fine (2021)

GDPR breaches - Non-compliance with general data protection principles

The Austrian Data Protection Authority ('DPA') fined Austrian Post €9.5m for data protection violations. This follows the €18 million fine the company received in 2019, which the Federal Administrative Court overturned.

The DPA held that people must be able to ask by email what personal data the Austrian Post holds on them. The Post had only offered postal mail, a web contact form and its customer service centre for such requests; email had to be added as a further channel.

14. Vodafone España - €8.15m fine (2021)

GDPR breaches - Articles 21, 23, 24, 28, 44, 48

In March 2021, the Spanish data protection authority, AEPD, imposed its largest-ever fine of €8.15 million on mobile network operator Vodafone España.

According to the AEPD, Vodafone España had violated multiple data protection laws while conducting various marketing campaigns and non-compliant data transfers.

Through its investigation, the AEPD found that Vodafone, along with its distributors, collaborators and agents, had contacted customers by email, telephone and text message even though they had opted out of its marketing campaigns.

In its defence, Vodafone claimed that it was trialling a new routing system to verify the lawfulness of its data and filter out users who had opted out of marketing communications.

However, the AEPD concluded that the system continued to send marketing messages to people who had specifically opted out, and noted that a single filtering system should have been available for all parties to use, so that every distributor and agent checked against the same opt-out records.

The AEPD found no guarantees were put in place by the processors to ensure that they had implemented effective technical and organisational measures and that Vodafone had made no such requirements.

Vodafone had also transferred customers' personal data to a telecoms supplier in Peru, outside the European Economic Area, under a contract that lacked the clauses the GDPR requires for transfers to such countries.


15. REWE International - €8m fine (2022)

GDPR breach - Non-compliance with general data protection principles

The Austrian food retailer, REWE International, received a fine of €8 million for the careless handling of customer data. The company's customer loyalty and rewards programme, jö Bonus Club, breached the General Data Protection Regulation (GDPR) by allegedly collecting users' data without their consent and using it for marketing purposes.

Rewe International will challenge the Austrian Data Protection Authority (DPA)'s decision because jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club.

This is not the first time the jö Bonus Club has breached GDPR. The subsidiary was fined €2 million in August 2021 for the unlawful collection of millions of bonus club members' data and the subsequent sale to third parties.

16. Grindr LLC - €6.3m fine (2021)

GDPR breaches - Articles 6, 9

The Norwegian DPA issued its largest-ever fine following a complaint from the Norwegian Consumer Council.

It found that the location-based dating app had shared data with third parties, including GPS location, IP address, advertising ID, age, gender and the fact that the user was on Grindr. Because Grindr is a dating app for gay, bi, trans and queer people, the mere fact of using it reveals a person's sexual orientation, which is special category data that merits particular protection under the GDPR.

Users were forced to agree to the privacy policy without explicit consent to the sharing of their data for behavioural advertisements.

The fine was reduced to reflect the firm's financial position and that it has now changed permissions on its app.


17. Cosmote Mobile Telecommunications - €6m fine (2022)

GDPR breaches - Articles 5(1)(a), 5(2), 13, 14, 25(1), 26, 28, 35(7)

The Hellenic Data Protection Authority (HDPA) imposed a fine of €6 million on Greece's largest mobile operator, Cosmote. After the company experienced a cyberattack in 2020, the personal data of millions of their customers was stolen.

The HDPA found that Cosmote had failed to involve its parent company, OTE Group, in the investigation, and had not properly explained the severity of the breach to the affected customers. The investigation also found that Cosmote had not implemented appropriate data protection measures.

Cosmote was legally allowed to keep call data for up to 90 days, or up to 12 months if the data was pseudonymised. The authorities found cases where the pseudonymisation was incomplete, so the company was in fact holding identifiable customer data for longer than the law allowed.
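The Cosmote finding above, and the TIM case earlier on this list, both turn on the same mechanics: a retention clock that depends on whether a record is still identifiable, and a pseudonymisation step that must cover every direct identifier or it does not count. The Python below is an added example written for this article, not code from Cosmote, TIM or any regulator; the 90-day and 12-month limits follow the Cosmote section, while the field names, the HMAC-based tokenisation and the sample records are assumptions constructed for illustration.

```python
"""Retention sweep for call records: identifiable records get a short
retention window, pseudonymised ones a longer one, and a record only
counts as pseudonymised when *every* direct identifier has been replaced.
Limits, field names and sample data are assumptions for this example."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Fields treated as direct identifiers (assumed for this example).
DIRECT_IDENTIFIERS = ("msisdn", "imei", "subscriber_name")

RAW_RETENTION_DAYS = 90      # assumed limit for identifiable records
PSEUDO_RETENTION_DAYS = 365  # assumed limit once fully pseudonymised

# Key for the keyed hash. In production this lives in a KMS or HSM,
# never alongside the data it protects.
KEY = b"example-only-rotate-me"


@dataclass
class CallRecord:
    created: date
    data: dict


def pseudonymise(record: CallRecord, key: bytes) -> CallRecord:
    """Replace every direct identifier with a keyed HMAC-SHA256 token.
    A keyed hash (not a plain hash) stops anyone without the key from
    re-identifying records by hashing candidate phone numbers."""
    out = {}
    for name, value in record.data.items():
        if name in DIRECT_IDENTIFIERS:
            token = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
            out[name + "_token"] = token[:16]
        else:
            out[name] = value
    return CallRecord(record.created, out)


def is_pseudonymised(record: CallRecord) -> bool:
    """True only if no direct identifier survives. A record where one
    field was missed is still identifiable and gets the short window."""
    return not any(name in record.data for name in DIRECT_IDENTIFIERS)


def retention_decision(record: CallRecord, today: date) -> str:
    """Return 'keep', 'pseudonymise' or 'delete' for one record."""
    age = (today - record.created).days
    if is_pseudonymised(record):
        return "keep" if age <= PSEUDO_RETENTION_DAYS else "delete"
    if age <= RAW_RETENTION_DAYS:
        return "keep"
    # Identifiable and past the short window: strip identifiers now,
    # unless the long window has also expired.
    return "pseudonymise" if age <= PSEUDO_RETENTION_DAYS else "delete"


def sweep(records, today: date, key: bytes):
    """Apply the decisions; returns the surviving records and the
    action taken for each input record, in order."""
    kept, actions = [], []
    for rec in records:
        action = retention_decision(rec, today)
        actions.append(action)
        if action == "keep":
            kept.append(rec)
        elif action == "pseudonymise":
            kept.append(pseudonymise(rec, key))
    return kept, actions


# Constructed sample data (not real subscribers or devices).
TODAY = date(2022, 4, 21)


def _rec(days_old: int, data: dict) -> CallRecord:
    return CallRecord(TODAY - timedelta(days=days_old), data)


SAMPLE_RECORDS = [
    _rec(10, {"msisdn": "+302100000001", "imei": "IMEI-A", "cell": "A1", "secs": 42}),
    _rec(120, {"msisdn": "+302100000002", "imei": "IMEI-B", "cell": "B7", "secs": 8}),
    # "Pseudonymised", but the IMEI was missed: still identifiable.
    _rec(400, {"msisdn_token": "deadbeef00000000", "imei": "IMEI-C", "cell": "C3", "secs": 5}),
    _rec(200, {"msisdn_token": "feedface00000000", "imei_token": "0123456789abcdef", "cell": "D4", "secs": 61}),
    _rec(400, {"msisdn_token": "cafebabe00000000", "imei_token": "fedcba9876543210", "cell": "E5", "secs": 3}),
]


def run_sample():
    return sweep(SAMPLE_RECORDS, TODAY, KEY)


if __name__ == "__main__":
    kept, actions = run_sample()
    for action, rec in zip(actions, SAMPLE_RECORDS):
        print(f"{(TODAY - rec.created).days:>4} days old -> {action}")
    print(f"{len(kept)} records survive the sweep")
```

Run it and the third record, the one where the IMEI was missed, is deleted rather than kept for the longer window, because `is_pseudonymised` refuses to treat a partially tokenised record as pseudonymised. That is the check Cosmote's process lacked: a status flag set by the job that was supposed to do the work is not evidence; inspect the record itself.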

18. Fastweb SpA – €4.5m fine (2021)

GDPR breaches - Articles 5, 6, 7, 12, 13, 21, 24, 25, 32, 33, 34

In April 2021, the Italian data protection authority, Garante, issued a €4.5 million fine on Fastweb SpA. This telecommunications company provides landline, broadband internet, and IPTV (internet protocol television) services in Italy.

Following hundreds of complaints and reports from consumers, Garante conducted a complex investigation. It found that Fastweb had processed the personal data of millions of its users for telemarketing purposes without obtaining their consent.

Garante also found that Fastweb had used fictitious telephone numbers, or numbers not registered with the Register of Communication Operators ('RCO'), to contact users and promote its telephone and internet services.

It found the security measures for Fastweb's customer data management systems to be inadequate.


19. Vodafone España - €3.94m fine (2022)

GDPR breaches - Articles 5(1)(f), 5(2)

The Spanish Data Protection Authority ('AEPD') fined Vodafone €3.94 million for failing to implement appropriate security measures to prevent the fraudulent duplication of SIM cards (so-called SIM swapping). During the investigation, the AEPD found that Vodafone could not prove it had verified the identity of the people requesting the duplicate SIMs, and that its security measures were insufficient. A duplicated SIM gives the fraudster the victim's phone number, and with it any SMS one-time codes used to authorise banking transactions or reset passwords.

Furthermore, the authorities concluded that the company displayed a lack of accountability. In response to Vodafone's argument that the duplicated SIM cards were the result of human error, the AEPD stated that repeated human error indicates "a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures."

It is worth noting that this is the second time Vodafone España appears in the top 20: the company received two significant fines in consecutive years.

20. Sky Italia - €3.3m fine (2021)

GDPR breaches - Articles 5(1), 5(2), 6(1), 7, 12(2), 14, 21, 28, 29

The Italian Data Protection Authority, Garante, fined Sky Italia €3.3 million for GDPR violations in 2021. On investigation, Garante found multiple issues with the company's telemarketing campaign.

The main issue with Sky Italia's promotional calls was that they were made without giving individuals adequate information about the processing. There was no valid consent either, since the calls used unverified contact lists obtained from other companies.

In addition, Garante found that Sky Italia did not establish a lawful basis before carrying out promotional activities, and that the company failed to act on several objections to the processing raised by data subjects.
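Several of the telemarketing cases above (TIM, Wind Tre, Vodafone Italia, Vodafone España, Fastweb and Sky Italia) failed at the same point: contact lists reached callers without a single, authoritative check against the public opt-out register, the controller's own objection records and the consent evidence for any bought-in data. The Python below is an added example, not code from any of these companies or regulators; it sketches the kind of central suppression service the AEPD said Vodafone España should have made available to all its partners. The number format, source labels, register contents and the distributor's list are all constructed for illustration.

```python
"""Central suppression check a controller can expose to every
distributor, agent and telemarketing partner before any outreach.
Register contents, number formats and consent flags are constructed
for this example."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


def normalise_msisdn(raw: str) -> str:
    """Canonical form: '+' followed by digits only. Without this, the same
    number written as '+39 333 ...' by one partner and '0039333...' by
    another will not match the register entry."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("00"):  # international '00' dialling prefix
        digits = digits[2:]
    return "+" + digits


@dataclass(frozen=True)
class Contact:
    msisdn: str
    source: str             # "own_customer" or "third_party_list" (assumed labels)
    consent_recorded: bool  # marketing consent the controller itself can evidence


@dataclass
class SuppressionService:
    public_opt_out: set  # public opt-out register, normalised numbers
    objections: set      # objections and withdrawals received by the controller

    def may_contact(self, contact: Contact) -> tuple:
        """Return (allowed, reason). An objection wins over everything,
        including a previously recorded consent, because a withdrawal
        must be honoured regardless of history."""
        number = normalise_msisdn(contact.msisdn)
        if number in self.objections:
            return False, "objected"
        if number in self.public_opt_out:
            return False, "public_opt_out"
        if contact.source == "third_party_list" and not contact.consent_recorded:
            # Data bought from a list broker needs the controller's own
            # evidence of consent; the seller's word is not enough.
            return False, "third_party_no_consent"
        if not contact.consent_recorded:
            return False, "no_consent"
        return True, "ok"

    def filter_campaign(self, contacts):
        """Split a partner's list into callable contacts and a count of
        rejections by reason, which doubles as the audit trail."""
        allowed, rejected = [], Counter()
        for contact in contacts:
            ok, reason = self.may_contact(contact)
            if ok:
                allowed.append(contact)
            else:
                rejected[reason] += 1
        return allowed, dict(rejected)


# Constructed sample data (not real numbers or subscribers).
SERVICE = SuppressionService(
    public_opt_out={"+393332223333"},
    objections={"+393331112222"},
)

DISTRIBUTOR_LIST = [
    Contact("+39 333 111 2222", "own_customer", True),       # consent on file, but objected later
    Contact("0039 333 222 3333", "own_customer", True),      # on the public opt-out register
    Contact("+39-333-333-4444", "third_party_list", False),  # bought list, no consent evidence
    Contact("+39 333 444 5555", "own_customer", True),       # callable
    Contact("+39 333 555 6666", "own_customer", False),      # customer, but no marketing consent
]


def run_sample():
    return SERVICE.filter_campaign(DISTRIBUTOR_LIST)


if __name__ == "__main__":
    allowed, rejected = run_sample()
    print("callable:", [c.msisdn for c in allowed])
    print("rejected:", rejected)
```

The normalisation step matters more than it looks: the first two sample numbers are on the registers but were written by the distributor with spaces and a '00' prefix, and a naive string comparison would let both calls go out. Counting rejections by reason also gives the controller the accountability record that the Article 5(2) findings in these cases were about.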


Infamous pre-GDPR data breaches

Yahoo

Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That’s one for every seven or eight people on the planet!

But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That’s every single account under the Yahoo name, including Flickr and Tumblr.

The breaches knocked a huge chunk off Yahoo's sale price - to the tune of $350 million. Having once been valued at $100 billion, Yahoo saw Verizon pay just $4.48 billion for its core internet business. In October 2018, Yahoo agreed to pay $50 million in damages, half to be paid by Verizon and half by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).

But, what would have happened if this breach had taken place post-GDPR?

Of course, the scale of the breach was significant. But what would be crucial today is that Yahoo did not report the breach within 72 hours of becoming aware of it, as the GDPR requires for notifications to the supervisory authority. And with revenue in excess of $4 billion for 2012/2013, Yahoo would have faced a fine of 2% of annual turnover ($80 million) or, at the higher tier of 4%, as much as $160 million.

Facebook

Facebook, now known as Meta, was fined £500,000, the maximum available under the pre-GDPR Data Protection Act 1998, for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz app that collected data from participants and their friends.

The ICO found that Facebook had allowed application developers access to user information without sufficient consent, failed to make suitable checks to secure personal information, and not taken action once the misuse of data was discovered.

Equifax

Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyberattack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licence details and financial details. The company had retained data for longer than necessary, leaving more of it exposed to unauthorised access.

The compromised systems were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers' data, the ICO issued the fine against the UK company.


Want to learn more about GDPR?

To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.

Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including GDPR compliance e-learning.

Our searchable GDPR compliance glossary explains key terms, and we regularly report on lessons from the largest compliance fines resulting from regulatory breaches.

We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.

If you've any questions or concerns about compliance or e-learning, please get in touch.

We're happy to help!
