20 Biggest GDPR Fines of 2018, 2019, 2020, 2021 & 2022

Following the introduction of GDPR in May 2018, initial reports showed that data breach complaints increased by 160%. This rate is alarming and indicates just how critical it is to ensure staff receive comprehensive GDPR training

Top 20 GDPR fines so far

1. Amazon Europe - €746m fine (2021)
2. Meta Platforms, Inc. - €405m fine (2022)
3. Meta Platforms Ireland Limited - €265m fine (2022)
4. WhatsApp Ireland - €225m fine (2021)
5. Google Inc - €50m fine (2019)
6. H&M - €35.3m fine (2020)
7. TIM - €27.8m fine (2020)
8. British Airways - €22m fine (2020)
9. Clearview AI Inc. - €20m fine (2022)
10. Marriott International - €20m fine (2020)
11. Meta Platforms Ireland Ltd. - €17m fine (2022)
12. Wind Tre - €16.7m fine (2020)
13. Deutsche Wohnen – €14.5m fine (2019)
14. Vodafone Italia - €12.25m fine (2020)
15. Eni Gas e Luce - €11.5m fine (2020)
16. Notebooksbilliger.de - €10.4m fine (2021)
17. Google LLC - €10m fine (2022)
18. Austrian Post - €9.5m fine (2021)
19. Clearview AI Inc. - €9m fine (2022)
20. Vodafone España - €8.15m fine (2021)

In 2018, the total amount of fines issued for the year was only €436,000. This, clearly, ramped up in the years that followed. The biggest 20 GDPR fines from the past 4 years reveal some key takeaways.

Firstly, 2021 recorded two heavyweights in terms of penalty amounts. The fines dished out to Amazon Europe, and WhatsApp Ireland are in a league of their own.

Secondly, there's little evidence of firms learning a lesson from these penalties. After a  year of relatively low fines in 2019, the following two years see some hefty penalties. There's a near-even split in the number of fines from 2020 and 2021 featuring in the top 20. This trend could change in 2022 with only 5 fines featured.

We continuously track the largest GDPR fines each year. If you're interested in the full details, have a look at the all-time biggest ICO fines, the highest GDPR fines in 2019, 2020, 2021 and the most recent fines in 2022.

The 20 biggest GDPR fines in detail

1. Amazon Europe - €746m fine (2021)

GDPR breaches - Non-compliance with general data processing principles

In 2021, Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of how it uses customer data for targeted advertising purposes.

In 2018, the French privacy rights group La Quadrature du Net submitted a complaint.
The complaint - which also targeted Apple, Facebook, Google and LinkedIn - was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received.

The CNPD ruled that Amazon must commit to changing its business practices.

2. Meta Platforms, Inc. - €405m fine (2022)

GDPR breaches - Art. 5 (1) a), c), Art. 6 (1), Art. 12 (1), Art. 24, Art. 25 (1), (2), Art. 35

The Data Protection Commission (DPC) issued a fine to Meta Platforms Ireland Ltd. (Instagram) of €405m which includes a fine of €20m for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines. An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram.

The DPC conducted a thorough investigation and submitted a draft decision to all peer regulators in the EU. After they couldn't reach a consensus, the case was referred to the European Data Protection Board ("EDPB"). In the end, the DPC's original recommended fine amount was imposed, and the DPC issued a reprimand to the company with an order requiring specified remedial actions.

3. Meta Platforms Ireland Limited - €265m fine (2022)

Meta Platforms Ireland Limited (MPIL), the data controller of 'Facebook' social media network, has been issued a fine of €265m along with corrective measures.  This is one of the largest fines since the beginning of GDPR.

The inquiry began after reports that a collated dataset of Facebook personal data was made available on the internet. The main issues in the inquiry involved questions of compliance with the GDPR obligation for Data Protection by Design and Default.

After a comprehensive investigation, the DPC found MPIL in breach of Articles 25(1) and 25(2) GDPR, and the supervisory authorities agreed with the final decision.

4. WhatsApp Ireland - €225m fine (2021)

GDPR breaches - Articles 5, 12, 13, 14

Ireland's data authority fined WhatsApp £193m in 2021 for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards.

A 2018 investigation revealed that WhatsApp was not transparent enough, with its customers, on how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under GDPR law, and had received complaints from eight countries, including Germany, France, and Italy.

5. Google Inc - €50m fine (2019)

GDPR breaches - Articles 4, 5, 6, 13, 14

In one of the most high-profile cases of 2019, the French data regulator (CNIL) fined Google an astounding €50 million.

The fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Ad personalisation information was diluted throughout several documents, hindering users from knowing their full extent.

Additionally, the choice to receive personalised ads was “pre-ticked” upon opening a new account, directly defying the GDPR.

6. H&M - €35.3m fine (2020)

GDPR breaches - Articles 5, 6

In 2020, the Data Protection Authority in Hamburg fined H&M €35m for the illegal surveillance of its employees.

After employees took a holiday or sick leave, they had to attend a return-to-work meeting. The company recorded some of these meetings, and the data was accessible to over 50 H&M managers.

This resulted in the company keeping "excessive" records on its workforce's families, religions, and illnesses at its Nuremberg service centre. The company then used the data to help evaluate employees’ performance and make decisions about their employment.

7. TIM - €27.8m fine (2020)

GDPR breaches - Articles 5, 6, 7, 17, 21, 32

Italian data protection regulator Garante fined telecoms provider TIM €27.8 million in 2020 for its cavalier approach to telemarketing and other GDPR breaches.

First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on with the "opt-out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over a month!

Second, the privacy notices for TIM apps and promotions were not transparent, and it was unclear why they would use the data. Consent was also incorrectly managed and often invalid - with a single consent used for multiple purposes.

Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.

8. British Airways - €22m fine (2020)

GDPR breaches - Article 5(1), 32

The ICO fined British Airways €22m in 2020 after failing to protect the personal data of more than 400,000 customers.

The investigation found that the airline was processing a significant amount of personal data without adequate security measures. This failure broke data protection law, and, subsequently, BA was the subject of a cyberattack in 2018, which it did not detect for more than two months.

The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details the attacker accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, and usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

Initially, British Airways was fined an eye-watering £183m for its GDPR failings in July 2019. However, this was reduced to €22m due to the economic impact of COVID-19.

9. Clearview AI Inc. - €20m fine (2022)

GDPR breaches - Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27

The facial recognition firm, Clearview AI has been fined €20m by Italy's data protection agency for breaches of EU law. Upon investigation, the authorities found that the personal data the company holds is processed illegally. This data includes biometric and geolocation information.

Furthermore, the company was found to be in breach of transparency obligations since they had neglected to inform users of what they were doing with their selfies and using user data for purposes other than what was published online.

10. Marriott International - €20m fine (2020)

GDPR breach - Article 32

Marriott International Inc failed to keep millions of customers’ personal data secure, with 339 million guest records worldwide believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, when Marriott had acquired the company.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. Although this is a large fine, it is significantly less than the fine of £99m that the Information Commissioner's Office (ICO) initially issued.

11. Meta Platforms Ireland Ltd. - €17m fine (2022)

GDPR breaches - Art. 5 (2), Art. 24 (1)

The Data Protection Commission (DPC) imposed a fine of €17m on Meta Platforms. An investigation into the company formally known as Facebook Ireland Ltd found that they failed to have appropriate technical and organisational measures in place.

This meant that they could not readily demonstrate the security measures that it implemented in practice to protect EU users’ data. This is in the context of twelve personal data breaches.

12. Wind Tre - €16.7m fine (2020)

GDPR breaches - Article 5, 6, 12, 24, 25

Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre in 2020 for several unlawful data processing activities concerning direct marketing practices.

Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications sent without their previous consent, through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and oppose the processing for direct marketing purposes.

Claimants' data was published on public telephone lists despite their opposition. In addition to this, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to provide their consent for different processing activities with every access. They were only allowed to withdraw their “consent” after a 24-hour window.

13. Deutsche Wohnen – €14.5m fine (2019)

GDPR breaches - Article 5/25

One of Germany’s most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine in 2019, which was the largest in the country since the GDPR came into effect.

According to the Data Protection Authority of Berlin, the company didn't comply with general data processing principles. Personal data that the company should have erased years ago was still accessible by employees.

The fine was originally meant to be almost twice as large at €28 million. But the Berlin Commissioner considered that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, they lowered the fine.

14. Vodafone Italia - €12.25m fine (2020)

GDPR breaches - Articles 5(1) (2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32, 33

Garante fined Vodafone Italia €12.25m in 2020 over aggressive telemarketing practices.

Garante launched its investigation after receiving ‘hundreds’ of complaints about nuisance calls from Vodafone’s sales networks. It found that Vodafone’s customer information storage system had multiple flaws. The company had purchased contacts lists from external providers – with the information of up to 4.5 million people secured without user consent.

Vodafone justified the unwanted communication as human error, but this was not deemed an appropriate excuse by the regulator, with other factors including the ‘significantly negligent nature’ and recurrence of the calls.

The regulator has ordered Vodafone to overhaul its telemarketing procedures in Italy and was prohibited from processing personal data acquired from third parties without first gaining user consent.

15. Eni Gas e Luce - €11.5m fine (2020)

GDPR breaches - Articles 5, 6, 7, 21, 32

In Italy, Eni Gas e Luce (Egl) was fined €11.5 million in 2020 by the data protection watchdog for illegal processing of personal data and activating unsolicited contracts.

Its first fine (€8.5m) related to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations, including:

• Marketing calls made to individuals without their consent or despite them objecting to marketing calls.
• Inadequate procedures for checking the public "opt-out" register.
• No technical or organisational measures to log consent.
• Keeping personal data for longer than is necessary.
• Acquiring personal information from other entities without checking consent.

The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.

16. Notebooksbilliger.de - €10.4m fine (2021)

GDPR breaches - Articles 5, 6

The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.

The LfD Niedersachsen noted that the cameras recorded workplaces, salesrooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the video camera installation aimed to prevent and investigate criminal offences and track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees leave the business premises, according to the LfD Niedersachsen.

Video surveillance to uncover criminal offences is lawful if there is justified suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period. However, the LfD Niedersachsen discovered that at notebooksbilliger.de, video surveillance was neither limited to a specific period nor particular employees.

In many cases, the company saved the recordings for 60 days - significantly longer than necessary. In addition, the LfD Niedersachsen outlined that customers of notebooksbilliger.de were also affected by the video surveillance. This is due to some cameras aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.

17. Google LLC - €10m fine (2022)

GDPR breaches - Art. 6, Art. 17

The Spanish data protection authority ('AEPD') issued a total fine of €10m to Google LLC with €5m for the violation of Article 6 of the GDPR and €5m for violating Article 17. The investigation found that Google required users to accept the transfer of content removal request copies to a third party if they wanted to remove content.

Furthermore, the only notification offered by Google was in the Google forms themselves, used for the submission of the request. AEPD also found that Google forms did not facilitate the right to erase personal data or the option to reject a transfer.

18. Austrian Post - €9.5m fine (2021)

GDPR breaches - Non-compliance with general data protection principles

The Austrian Data Protection Authority ('DPA') fined Austrian Post €9.5m for violations relating to data protection. This follows the data protection fine of €18 million that the company received in 2019, which the Federal Administrative Court overturned.

The DPA claims that people should be able to inquire via email about personal data that the Austrian Post might have on them. Email inquiry is in addition to the contact opportunities already available through the mail, a web contact form and the company customer service centre.

19. Clearview AI Inc. - €9m fine (2022)

GDPR breaches - Art. 5 (1) a), e), Art. 6, Art. 9, Art. 14 GDPR, Art. 15, Art. 16, Art. 17, Art. 21, Art. 22, Art. 35

The Information Commissioner's Office (ICO) in the UK has found Clearview AI Inc. to be in breach of UK data protection law. The company has been issued a fine of €9m and told to delete the data of UK residents.

The ICO came to its decision after identifying that Clearview AI Inc. fails to have a lawful reason to collect personal data, doesn't have a process in place to stop data from being retained indefinitely and fails to meet the higher data protection standards required for biometric data.

20. Vodafone España - €8.15m fine (2021)

GDPR breaches - Articles 21, 23, 24, 28, 44, 48

In March 2021, the Spanish data protection authority, AEPD, had imposed its largest-ever fine of €8.15 million on mobile telephone network operator, Vodafone España.

According to the AEPD, Vodafone España had violated multiple data protection laws while conducting various marketing campaigns and non-compliant data transfers.

Through their investigations, the AEPD found that Vodafone had failed to comply with GDPR aswith GDPR. Along with its distributors, collaborators, and agents,, had contacted customers via email, telephone and text who had opted out of its marketing campaigns.

In their defence, Vodafone had claimed that they were trialling the implementation of a new routing system to verify the legality of its data and filter out users who had opted out of marketing communications.

However, the AEPD had concluded that the system continued sending marketing messages to those who had specifically opted out of receiving these and noted there should have been a filtering system for all parties to use.

The AEPD found no guarantees were put in place by the processors to ensure that they had implemented effective technical and organisational measures and that Vodafone had made no such requirements.

Vodafone had also transferred personal customer data to a telecom supplier outside the European Economic Area in Peru. That contract did not abide by the GDPR requisite clauses for sharing data with such countries.

Infamous pre-GDPR data breaches

Yahoo

Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That’s one for every seven or eight people on the planet!

But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That’s every single account under the Yahoo name, including Flickr and Tumblr.

The breaches knocked a huge chunk off Yahoo’s sale price - to the tune of $350 million. Having once been valued at $100 billion, Verizon paid just $4.48 billion for the core internet business. In October last year, Yahoo agreed to pay $50 million in damages- of which half will be paid by Verizon and the other by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).

But, what would have happened if this breach had taken place post-GDPR?

Of course, the scope of the breach was significant. But, what would have been crucial today, was that Yahoo didn’t disclose the extent of the breach within 72 hours as the GDPR requires. And with revenue in excess of $4 billion for the year 2012/2013, Yahoo would have faced an $80 million fine, or potentially as much as $160 million!

Facebook

Facebook, now known as Meta, was slapped with the £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.

Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.

Equifax

Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.

The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers, the ICO was forced to issue the fine.

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.