Ever since coming into effect in 2018, the General Data Protection Regulation (GDPR) has completely transformed how companies deal with their clients’ personal data. It brought about tailor-made reforms for today's world and promised to come down hard on any companies that failed to respect them.
While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly.
We track compliance fines across many areas of compliance and have complementary articles detailing the biggest GDPR fines in 2020, 2021 and the most recent fines in 2022.
Biggest GDPR fines in 2019 in detail
1. British Airways - fined £183m (pending)
GDPR article 32 breach
British Airways is now facing the mother of all fines as the result of a cyberattack which is believed to have started in June 2018.
British Airways website traffic was redirected to a fraudulent website, where hackers could harvest personal data.
The attack compromised the details of around 500,000 customers, and it wasn’t until September of the same year that the ICO was made aware of it. Investigators found that British Airways was to blame due to poor security arrangements.
2. Marriott International - fined £99m (pending)
GDPR article 32 breaches
Marriott International faces a staggering £99 million fine for a personal data breach affecting 339m people, of which 30m reside within the European Economic Area (EEA).
The breach is believed to have occurred in 2014 after the Starwood hotels group had their systems compromised. Despite Starwood being acquired by Marriott in 2016, the breach remained undiscovered until 2018.
The ICO judged that Marriott had not carried out proper due diligence when acquiring Starwood and should have taken further steps to keep its systems secure.
3. Google Inc - fined €50m (£43m)
GDPR article 4/5/6/13/14 breaches
In one of the most high-profile cases of the year, the French data regulator (CNIL) fined Google an astounding €50 million.
The fine was for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Ad personalisation information was diluted throughout several different documents, hindering users from being aware of their full extent.
Additionally, the choice to receive personalised ads was “pre-ticked” upon opening a new account, directly defying the GDPR.
4. Austrian Post – fined €18m (£15.5m)
GDPR article 5.1.a/6 breaches
Even national postal carriers aren’t exempt from the repercussions of breaching the GDPR. After an investigation, the Austrian Data Protection Authority (DSB) discovered that the Austrian Post had drafted profiles of over three million Austrian nationals.
These profiles included personal information such as habits, personal preferences, residential addresses, and even possible political affinities. The data gathered was then sold to interested parties, such as private companies and political parties.
DSB ruled that the Austrian Post had an insufficient legal basis for processing this kind of data. The fine was so high because they were financially profiting from this behaviour.
5. Deutsche Wohnen – fined €14.5m (£12.5m)
GDPR article 5/25 breaches
One of Germany’s most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine, which was the largest in the country since the GDPR came into effect.
According to the Data Protection Authority of Berlin, the company didn't comply with general data processing principles. Personal data that should have been erased years ago was still accessible by employees.
Curiously, the fine was originally meant to be almost twice as large at €28 million. But the Berlin Commissioner took into consideration that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, they lowered the fine.
6. National Revenue Agency - fined €2.6m (£2.2m)
GDPR article 32 breach
A massive data breach occurred when a hacker gained access to the National Revenue Agency’s confidential database. Five out of the seven million people living in Bulgaria had their personal data disclosed.
After gaining access, the hacker then posted half of the database onto public forums and handed the other half over to the press.
The Data Protection Commission of Bulgaria (KZLD) found that the hack took advantage of poor organisational and technical protection of information security. The far-reaching extent of this GDPR breach meant that KZLD had no option but to issue a substantial fine.
7. Morele.net - fined €645k (£555k)
GDPR article 32 breach
Online retailers Morale.net also had to face the music in September when they were fined by Poland’s Personal Data Protection Office (UODO) for breaching the GDPR.
The retailer’s enormous data breach is believed to have affected around 2.2 million people who made purchases via the group’s network of websites.
UODO concluded that Morale.net failed to respond to the emergence of irregular traffic. As a result, many of those affected were at a high risk of suffering from adverse effects, including identity fraud.
8. DSK Bank - fined €511k (£440k)
GDPR article 32 breach
The Bulgarian DPA fined DSK Bank for failing to safeguard the personal data of over 33,000 clients. Information accessed by outsiders included property deed data, full names and addresses, ID card copies, and private account information.
Bulgaria’s DPA opened an investigation after DSK confessed to negotiating with a former convict who claimed to have possession of the bank’s client database.
Worryingly, the bank did not even know if its system had been hacked or not, leaving the source of the leak in the dark.
9. Haga Hospital - fined €460k (£396k)
GDPR article 32 breach
A large teaching hospital, HagaZiekenhuis, was fined for lacking internal security on patient records by the Dutch Data Protection Authority (DPA).
In a nutshell, most members of staff could access any patient’s medical records, regardless of whether they had the clearance to do so or not.
How did this happen? For starters, the hospital’s database lacked 2-factor authentication, which made accessing files a breeze.
What’s more, the hospital was found to have no way of flagging unauthorised access to its database in real-time. Hence, it was almost impossible to hold anyone accountable for such breaches.
10. SERGIC (Real Estate) - fined €400k (£345k)
GDPR article 32 breach
The French Data Protection Authority (CNIL) found SERGIC guilty of two major GDPR breaches. It took SERGIC six months to fix the offending issue, during which time no emergency measures were taken to limit the impact.
Firstly, the company retained information and documents of unsuccessful rental candidates for far longer than necessary for processing.
Secondly, they had failed to implement a basic authentication procedure on their website. As a result, personal documents, including tax notices, account statements and divorce judgements, could be viewed by others.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.
