Since the General Data Protection Regulation (GDPR) came into effect in 2018, it has completely transformed how companies deal with their clients’ personal data. It brought about tailor-made reforms for today's world and promised to come down hard on any companies that failed to respect them.
Fines totalling €272.5 million have been imposed for a wide range of GDPR infringements. Italy tops the rankings for aggregate fines of more than €69.3 million since the application of the GDPR on 25 May 2018. Germany and France came second and third with aggregate fines of €69.1 million and €54.4 million.
While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly. The daily rate of breach notifications in Europe experienced double-digit growth for the second year running.
"Fines and breach notifications continue their double digit annual growth
and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead. However we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship. "
We track compliance fines across many areas of compliance and have complementary articles detailing the biggest GDPR fines in 2019, 2021 and the most recent fines in 2022.
Countdown of the biggest GDPR fines in 2020
1. H&M - fined €35.3m
GDPR article 5/6 breaches
The Data Protection Authority in Hamburg fined H&M €35m for the illegal surveillance of its own employees.
After employees took a holiday or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded, and the data accessible to over 50 H&M managers.
This resulted in the company keeping "excessive" records on its workforce's families, religions, and illnesses at its Nuremberg service centre. The data would then be used to help evaluate employees’ performance and make decisions about their employment.
2. TIM - fined €27.8m
GDPR article 5, 6, 7, 17, 21 & 32 breaches
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on with the "opt-out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over the course of a month!
Second, the privacy notices for TIM apps and promotions were not transparent, and it was unclear about the purpose for which data would be used. Consent was also incorrectly managed and often invalid - with one single consent being used for multiple purposes.
Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.
In addition, there were flaws in its data breach procedures. TIM filed multiple breaches with the DPA but had failed to do so within the 72-hour deadline. In short, its systems and procedures failed to meet the "privacy by design" principle.
3. British Airways €22m
GDPR article 5(1) & 32 breaches
The ICO fined British Airways €22m after failing to protect the personal data of more than 400,000 customers.
The investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law, and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details believed to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
Initially, British Airways had been fined an eye-watering £183m for its GDPR failings last July. However, this was later reduced to €22m due to the economic impact of COVID-19.
4. Marriott International Inc - fined €20m
GDPR article 32 breach
Marriott International Inc failed to keep millions of customers’ personal data secure, with 339 million guest records worldwide believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, by which time Marriott had acquired the company.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
5. Wind Tre - fined €16.7m
GDPR article 5, 6, 12, 24 & 25 breaches
Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre for several unlawful data processing activities concerning direct marketing practices.
Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications, sent without their previous consent, through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and oppose the processing for direct marketing purposes.
Claimants' data was published on telephone public lists despite their opposition. In addition to this, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to provide their consent for different processing activities with every access. They were only allowed to withdraw their “consent” only after a 24-hour window had passed.
6. Deutsche Wohnen - fined €14.5m
GDPR article 5 and 25 breaches
The Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine against Deutsche Wohnen, a German real estate company.
The infraction related to the over retention of personal data. Deutsche Wohnen failed to establish GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged non-compliance with its retention obligations during an on-site audit.
Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority revealed during its second audit in 2019 that these measures had not led to the establishment of a GDPR compliant archiving system as Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
According to the head of the Berlin DPA, Deutsche Wohnen could have readily complied by implementing an archiving system that separates data with different retention periods, thereby allowing differentiated deletion periods as such solutions are commercially available.
7. Vodafone Italia - fined €12.25m
GDPR article 5(1) (2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32, 33 breaches
Garante fined Vodafone Italia €12.25m over aggressive telemarketing practices.
Garante launched its investigation after receiving ‘hundreds’ of complaints about nuisance calls from Vodafone’s sales networks. It found that Vodafone’s customer information storage system had multiple flaws. The company had purchased contacts lists from external providers – with the information of up to 4.5 million people secured without user consent.
Vodafone justified the unwanted communication as human error, but this was not deemed an appropriate excuse by the regulator, with other factors including the ‘significantly negligent nature’ and recurrence of the calls.
The regulator has ordered Vodafone to overhaul its telemarketing procedures in Italy and has been prohibited from processing personal data acquired from third parties without first gaining user consent.
8. Eni Gas e Luce - fined €11.5m
GDPR article 5, 6, 7, 21 & 32 breaches
In Italy, Eni Gas e Luce (Egl) was fined €11.5 million by the data protection watchdog for illegal processing of personal data and activating unsolicited contracts.
Its first fine (€8.5m) relates to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations, including:
- Marketing calls being made to individuals without their consent or despite them objecting to marketing calls.
- Inadequate procedures for checking the public "opt-out" register.
- No technical or organisational measures to log consent.
- Keeping personal data for longer than is necessary.
- Acquiring personal information from other entities without checking consent.
The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.
Other notable UK data-breach fines in 2020
Currys PC World and Dixon's Travel fined £500k for a historic breach
Only a couple of weeks into 2020, the Information Commissioner's Office (ICO) was already demonstrating its resolution to tackle data breaches. Whilst not a GDPR fine - a bullet dodged for sure - we still feel it is worthy of including in the list.
The ICO handed out a £500k fine to DSG Retail Limited - better known as Currys PC World and Dixon's Travel (the maximum possible) for a historic data breach dating back to 2018.
The investigation found:
- Point-of-sale systems were compromised, and malware was installed on 5,390 tills at its stores between July 2017 and April 2018, leading to customers' personal data being harvested.
- The company had failed to secure its systems granting unauthorised access to 5.6 million payment card details of transactions and the personal information (including contact details and failed credit checks) of 14 million people.
- Its security arrangements were poor. The company had failed to adequately protect personal data - with inadequate software patching, no local firewall, a lack of network segregation and routine security testing. The ICO said the breach would significantly affect people's privacy, making them vulnerable to financial theft and identity fraud.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.