We explain the reasons for these penalties and provide tips on how to prevent your company from committing similar breaches!
Top 25 GDPR fines in 2021
- Amazon Europe - €746m fine
- WhatsApp Ireland - €225m fine
- Google LLC - €90m fine
- Enel Energia - €26.5m fine
- Facebook Ireland - €60m fine
- Google Ireland - €60m fine
- Notebooksbilliger.de - €10.4m fine
- Austrian Post - €9.5m fine
- Vodafone España - €8.15m fine
- Grindr LLC - €6.3m fine
- Caixabank SA - €6m fine
- Fastweb SpA - €4.5m fine
- Sky Italia - €3.3m fine
- Caixabank Payments & Consumer EFC - €3m fine
- Iren Mercato - €2.9m fine
- Dutch Minister of Finance - €2.75m fine
- Foodinho - €2.6m fine
- Mercadona - €2.52m fine
- Deliveroo Italy - €2.5m fine
- Unser Ö-Bonus Club - €2m fine
- SGAM AG2R La Mondiale - €1.75m fine
- Storstockholms Lokaltrafik - €1.6m fine
- EDP Energía - €1.5m fine
- EDP Comercializadora - €1.5m fine
- MedHelp - €1.2m fine
We continuously track the largest data protection fines, since before the introduction of the GDPR, including those in 2019, 2020, 2021, 2022 and the latest fines in 2023.
The biggest 2021 GDPR fines in detail
1. Amazon Europe - €746m fine
GDPR breaches - Non-compliance with general data processing principles
Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of the way it uses customer data for targeted advertising purposes.
In 2018, the French privacy rights group La Quadrature du Net submitted a complaint. The complaint - which also targeted Apple, Facebook, Google and LinkedIn - was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received.
The CNPD ruled that Amazon must commit to changing its business practices.
2. WhatsApp Ireland - €225m fine
GDPR breaches -Articles 5, 12, 13, 14
Ireland's data authority fined WhatsApp £193m for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards.
A 2018 investigation revealed that WhatsApp was not transparent enough with its customers about how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under GDPR law, and had received complaints from eight countries, including Germany, France, and Italy.
3. Google LLC - €90m fine
GDPR breaches - Article 82 of the Data Protection Act
The CNIL fined Google a total of €150m, with €90m issued to Google LLC and €60m to Google Ireland. CNIL's investigation into complaints about the refusal of cookies found that there was no button to reject all cookies easily, while the button to accept all cookies was immediately available.
Authorities justified the fine amounts by referring to the number of persons concerned. In addition to this, there are considerable profits that companies derive from advertising revenues indirectly generated from the data collected by cookies. CNIL considered Google LLC and Google Ireland jointly liable since they both determine the purpose and means related to the use of cookies.
4. Enel Energia - €26.5m fine
GDPR breaches - Art. 5 (1) a), d), Art. 5 (2), Art. 6 (1), Art. 12, Art. 13, Art. 21, Art. 24, Art. 25 (1), Art. 30, Art. 31, Art. 130 (1), (2), (4)
Enel Energia S.p.a was issued a fine of €26.5m for multiple breaches of data protection law. Following numerous complaints, Garante investigated the company and found that the principle of accountability was also violated by "Enel Energia's inability to prove compliance with data protection laws in relation to unwanted promotional calls carried out by a business partner and for its failure to carry out the required checks on the activities of its business partners in general".
Furthermore, the Garante found that Enel Energia had not respected the requirements for transparency. It had failed to provide the necessary feedback to data subjects after they had sought to exercise their rights of access and to object.
The company had also breached GDPR by sending promotional communications by email, despite the lack of consent to the processing of personal data for marketing purposes.
5. Facebook Ireland - €60m fine
GDPR breaches - Article 82 of the Data Protection Act
The CNIL fined Facebook Ireland a total of €60m for failure to allow users residing in France to reject cookies as easily as they can accept them. CNIL received several complaints and, upon investigation, found that there was no button to reject all cookies easily, while the button to accept all cookies was immediately available.
Authorities justified the fine amounts by referring to the number of persons concerned. In addition to this, there are considerable profits that companies derive from advertising revenues indirectly generated from the data collected by cookies.
6. Google Ireland - €60m fine
GDPR breaches - Article 82 of Data Protection Act
The CNIL fined Google a total of €150m, with €60m issued to Google Ireland and €90m to Google LLC. CNIL's investigation into complaints about the refusal of cookies found that there was no button to reject all cookies easily, while the button to accept all cookies was immediately available.
Authorities justified the fine amounts by referring to the number of persons concerned. In addition to this, there are considerable profits that companies derive from advertising revenues indirectly generated from the data collected by cookies. CNIL considered Google LLC and Google Ireland jointly liable since they both determine the purpose and means related to the use of cookies.
7. Notebooksbilliger.de - €10.4m fine
GDPR breaches - Articles 5 & 6
The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.
The LfD Niedersachsen noted that the cameras recorded workplaces, salesrooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the video camera installation aimed to prevent and investigate criminal offences and track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees leave the business premises, according to the LfD Niedersachsen.
Video surveillance to uncover criminal offences is lawful if there is justified suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period. However, the LfD Niedersachsen discovered that at notebooksbilliger.de, video surveillance was neither limited to a specific period nor particular employees.
In many cases, the company saved the recordings for 60 days - significantly longer than necessary. In addition, the LfD Niedersachsen outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.
8. Austrian Post - €9.5m fine
GDPR breaches - Non-compliance with general data protection principles
The Austrian Data Protection Authority ('DPA') has fined Austrian Post €9.5m for violations relating to data protection. This follows the data protection fine of €18 million that the company received in 2019.
The DPA held that people should be able to inquire via email about any personal data that the Austrian Post might hold on them. Email inquiry is in addition to the contact opportunities already available through the mail, a web contact form and the company's customer service centre.
9. Vodafone España - €8.15m fine
GDPR breaches - Articles 21, 23, 24, 28, 44, 48
In March 2021, the Spanish data protection authority, AEPD, imposed its largest-ever fine of €8.15 million on the mobile telephone network operator Vodafone España.
According to the AEPD, Vodafone España had violated multiple data protection laws while conducting various marketing campaigns and non-compliant data transfers.
Through its investigations, the AEPD found that Vodafone had failed to comply with the GDPR because it, along with its distributors, collaborators, and agents, had contacted customers who had opted out of its marketing campaigns via email, telephone and text message.
In their defence, Vodafone had claimed that they were trialling the implementation of a new routing system to verify the legality of its data and filter out users who had opted out of marketing communications.
However, the AEPD had concluded that the system continued sending marketing messages to those who had specifically opted out of receiving these and noted there should have been a filtering system for all parties to use.
The AEPD found no guarantees were put in place by the processors to ensure that they had implemented effective technical and organisational measures and that Vodafone had made no such requirements.
Vodafone had also transferred personal customer data to a telecom supplier in Peru, which is outside the European Economic Area. That contract did not provide for compliance with the clauses the GDPR requires for sharing data with such countries.
10. Grindr LLC - €6.3m fine
GDPR breaches - Articles 6 & 9
The Norwegian DPA issued its largest-ever fine following a complaint from the Norwegian Consumer Council.
It found that the location-based dating app had shared data with third parties, including GPS location, IP address, advertising ID, age, gender and the fact that the user was on Grindr. A person's sexual orientation constitutes special category data that merits particular protection under GDPR rules.
Users were forced to agree to the privacy policy without explicit consent to the sharing of their data for behavioural advertisements.
The fine was reduced to reflect the firm's financial position and that it has now changed permissions on its app.
11. Caixabank SA - €6m fine
GDPR breaches - Articles 6 & 14
In mid-January 2021, the AEPD issued a €6 million fine to Caixabank SA for breaching Articles 6, 13 and 14 of the GDPR.
In its investigations, this Spanish data protection authority found that Caixabank did not sufficiently justify the legal basis for processing personal data belonging to its customers. The bank did not comply with obtaining valid, unequivocal, and informed consent from its customers before processing their data.
The AEPD had also found that the information provided by Caixabank within various documents and channels was not uniform, and the terminology used in its privacy policy was deemed imprecise.
There was also insufficient information on the customer user profiles made by the bank, how these were leveraged, what rights customers had over these profiles and what the data retention periods were for these.
12. Fastweb SpA - €4.5m fine
GDPR breaches - Articles 5, 6, 7, 12, 13, 21, 24, 25, 32, 33, 34
In April 2021, the Italian data protection authority, Garante, issued a €4.5 million fine on Fastweb SpA. This telecommunications company provides landline, broadband internet, and IPTV (internet protocol television) services in Italy.
Following hundreds of complaints and reports made by consumers, Garante conducted a complex investigation in which it found that Fastweb had processed the personal data of millions of its users for telemarketing purposes without obtaining their consent.
Garante had also found that Fastweb used fictitious telephone numbers or numbers not registered with the Register of Communication Operators ('RCO') to contact its users to promote its telephone and internet services.
It found the security measures for Fastweb's customer data management systems to be inadequate as well.
13. Sky Italia - €3.3m fine
GDPR breaches - Articles 5 (1), (2), 6 (1), 7, 12 (2), 14, 21, 28, 29
The Italian Data Protection Authority, Garante, fined Sky Italia an amount of €3.3 million over GDPR violations. Upon investigation, Garante found that there were multiple issues with the company's telemarketing campaign.
The main issue with Sky Italia's promotional calls was that they were conducted without providing individuals with adequate information about the processing. There was also no proper consent since they used unverified lists obtained from other companies.
In addition to this, Garante discovered that Sky Italia did not meet the necessary prerequisite of lawfulness before carrying out promotional activities. Furthermore, the company failed to take action on several objections to the processing made by data subjects.
14. Caixabank Payments & Consumer EFC - €3m fine
GDPR breaches - Article 6 (1)
The Spanish Data Protection Authority, AEPD, imposed a fine of €3 million on Caixabank Payments & Consumer EFC, EP for unlawful personal data processing and the violation of Article 6 of the GDPR. The company received a complaint from an individual who was included in the bank's marketing campaigns without proper consent and without adequate information about the data processing.
Furthermore, AEPD's investigation revealed that Caixabank had requested information from this individual regarding a solvency file despite this individual having no ongoing contracts with the bank. In fact, the relationship between the former client and the bank had ended in 2014.
In addition to the fine, AEPD imposed a six-month compliance period on Caixabank.
15. Iren Mercato - €2.9m fine
GDPR breaches - Articles 5 (1), 5 (2), 6 (1), 7 (1)
Garante, the Italian data protection authority, fined Iren Mercato SpA, a company operating in the energy sector, €3 million for undertaking telemarketing without valid consent.
Following various complaints and reports, it was found that personal data Iren processed for telemarketing had been obtained indirectly from a third-party source, Nethex Digital Marketing.
Nethex had acquired the data, as an independent data controller, from two other companies. Those two companies had obtained the necessary consent from their customers for the telemarketing activities carried out by both themselves and by third parties, including Nethex. Importantly, that consent did not extend to the transfer of customer data from Nethex to Iren.
Garante found that Iren had failed to verify that all of its telemarketing was based on free, specific, and informed consent, hence breaching the principles of lawfulness, transparency and accountability.
16. Dutch Minister of Finance - €2.75m fine
GDPR breaches - Articles 5 (1), 6 (1) & 8
The Dutch Data Protection Authority (DPA) imposed a €2.75 million fine on the Dutch Tax Administration for discriminatory and unlawful data processing.
The administration should have deleted data relating to dual nationality back in 2014. Instead, they retained it and misused it.
Entitlement to childcare benefits is not contingent on nationality but on lawful residence in the Netherlands. Using nationality data to assess applications, combat fraud, or determine risk is unlawful, and that is exactly what the Tax Administration had been doing.
The Tax Administration has ceased these violations now.
17. Foodinho - €2.6m fine
GDPR breaches - Articles 5(1), 13, 22(3), 25, 30(1), 32, 35, 37 (7)
Garante, the Italian data protection authority, fined Foodinho €2.6m for its use of performance algorithms in connection with its employees.
Foodinho was found to have breached the principles of transparency, security, and privacy by default and by design, and to have failed to implement suitable measures to safeguard employee rights and freedoms against discriminatory automated decision-making.
Foodinho made decisions about its riders based solely on automated decision-making, by analysing or predicting aspects of their professional performance, behaviour, and their location and movements. This significantly affected the riders, excluding some riders from work.
The company did not adopt any measures that would allow its riders to exercise their rights, nor did it inform them of these rights. No system was adopted to check for accuracy or reduce the risk of discrimination in respect of either the excellence rating or the work allocation system.
The decision was the first relating to the algorithmic management of gig workers.
18. Mercadona - €2.52m fine
GDPR breaches - Articles 5 (1), 6, 9, 12, 13, 25 (1), 35
The Spanish data protection authority, AEPD, fined the Mercadona supermarket chain €2.5 million for unlawful use of facial recognition.
Mercadona was using a facial recognition system in 48 of its Spanish shops to detect individuals with criminal convictions or restraining orders. The system also captured facial images of all customers entering their supermarkets, including children and employees.
The AEPD found the processing of biometric data through its facial recognition system unlawful, as none of the legal grounds available under Article 9 of the EU GDPR could be used by Mercadona. In addition, it found that the processing did not meet the principles of necessity, proportionality and data minimisation, transparency and privacy by design.
The data protection impact assessment conducted by Mercadona was insufficient and incomplete as it did not account for the risks posed to Mercadona employees by the data processing.
19. Deliveroo Italy - €2.5m fine
GDPR breaches – Articles 5(1), 13, 22 (3), 25, 30 (1), 32, 35, 37(7)
Garante, the Italian data protection authority, fined Deliveroo Italy €2.5m for its use of algorithms in connection with its employees in a similar case to Foodinho.
Deliveroo collected a disproportionate amount of personal data of its riders in violation of the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR.
The company used this data for the automated rating of riders’ performance and assignment of work. The company was not sufficiently transparent about the algorithms used for managing its riders, for both the assignment of orders and the booking of work shifts.
Garante imposed a number of corrective measures on Deliveroo. These included compliance with transparency requirements and implementing appropriate measures to periodically verify the correctness and accuracy of the results from their algorithmic systems.
20. Unser Ö-Bonus Club - €2m fine
GDPR breaches – Articles 6, 7, 12
The Austrian data protection authority fined loyalty program operator Unser Ö-Bonus Club €2 million for unlawful user data collection.
Registrants to the Unser Ö-Bonus Club program had their shopping behaviour collected and analysed to create a unique customer profile. Unser Ö-Bonus Club then passed this information to advertising partners for profit, whilst the users were unaware of both the data processing and the sale of their profiles.
In fact, the procedure was mentioned if a user scrolled down, but the consent prompt was positioned at the top. This meant that everyone accepted the terms without being informed about what they entailed.
The initial investigation alerted Unser Ö-Bonus Club about this problem, and they admitted that the form elements were incorrectly laid out.
The company served users with inadequate consent declarations, engaged in unlawful processing of personal customer data for profiling purposes, and didn't rectify the situation even after admitting their wrongdoing.
21. SGAM AG2R La Mondiale - €1.75m fine
GDPR breaches – Articles 5, 13 & 14
The French Data Protection Authority (CNIL) fined SGAM AG2R La Mondiale €1.75 million for failing to comply with the GDPR in respect of data retention periods and the provision of information to individuals.
The first breach involved an excessive retention period for personal data.
The CNIL noted the absence of an archiving mechanism that would allow customer data to be kept for accounting, tax or litigation purposes within the maximum applicable limitation periods, either by transferring them to a dedicated archive or by putting in place access restrictions. This meant that customer data was being retained for an unjustifiable period after customer contracts had ended.
The second breach concerned subcontractors' telemarketing calls, which included:
- failing to inform contacts why calls were recorded or their right to object;
- failing to provide information concerning the processing of their personal data or the other rights they have with regard to their data;
- failing to provide information on how to obtain more information on the protection of their personal data, e.g. by sending an e-mail.
22. Storstockholms Lokaltrafik - €1.6m fine
GDPR breaches – Articles 5, 6 & 13
The Swedish Authority for Privacy Protection (IMY) fined Storstockholms Lokaltrafik SEK 16,000,000 for GDPR breaches relating to its use of body-worn camera surveillance equipment used during ticket control checks.
The IMY found that the surveillance had been undertaken unlawfully. It had breached transparency and data minimisation principles and failed to provide data subjects with sufficient information.
23. EDP Energía - €1.5m fine
GDPR breaches – Articles 13 & 25
In May 2021, the Spanish data protection authority, AEPD, issued a €1.5 million fine on EDP Energía, S.A.U., an energy supplier to businesses and communities in Spain.
Following various complaints received from customers about their data being processed and used without their explicit consent, the AEPD conducted an investigation that found that EDP Energía had failed to implement the required technical and organisational measures and obtain consent when contacting customers via representatives.
The AEPD also found that EDP Energía had provided insufficient information to data subjects when contracting through different service providers and severely breached Article 25 of the GDPR.
24. EDP Comercializadora - €1.5m fine
GDPR breaches - Articles 23 & 25
Also in May 2021, the AEPD, the Spanish data protection authority, issued a fine of €1.5 million to EDP Comercializadora S.A, a utility provider to companies in Spain, for violating security and transparency clauses within the GDPR.
The AEPD had found that EDP Comercializadora had failed to implement the required technical and organisational security measures to protect customer data when entering a gas services contract through various third parties.
It found that there was no procedure whereby representatives could prove that they were working on behalf of EDP Comercializadora, which meant any shared data could potentially have been exposed to the risks of identity theft or fraud and other economic damages.
The AEPD also found that EDP Comercializadora had breached Article 13 of the GDPR because it failed to provide data subjects with sufficient information when entering contracts through different service providers.
25. MedHelp - €1.2m fine
GDPR breaches – Articles 5, 6, 9, 13, 32
In June 2021, the Swedish Authority for Privacy Protection, IMY, issued a €1.2 million fine to MedHelp for a leak of sensitive data.
Although the company had contracted out the processing of call recordings to another company, the regulator judged that, as the data controller, it was MedHelp's responsibility to ensure that the data was stored securely. Instead, the data was stored on a server that had no password protection at all.
The issue came to light via an anonymous tip to a journalist.
As the third-party processor fell outside Swedish jurisdiction, they only received an administrative fine, as did the municipal region for failing to inform citizens of their rights in this case.
Other large GDPR fines in 2021
Equifax Iberica - €1m fine
GDPR breaches - Articles 5, 6 & 14
In April 2021, the AEPD issued a €1 million fine on Equifax Iberica for violating the lawfulness, accuracy, and transparency clauses within the GDPR.
The AEPD had received 96 complaints where the personal data of individuals associated with alleged debts were included in the File of Judicial Claims and Public Bodies ('FIJ') without their consent.
This data was made publicly available – through newspapers and newsletters – to notify the public that an administrative or judicial resolution was to be made effective in this matter.
This also meant that Equifax Iberica had failed to comply with the transparency clauses as stated in Article 14 of the GDPR.
WS WiSpear Systems Ltd - €925k fine
GDPR breaches - Article 5 (1)
Israeli company WiSpear Systems Ltd was fined €925,000 by the personal data commissioner. The administrative fine was issued for violation of the principles of lawfulness, fairness and transparency.
These violations relate to the company's operation of a van that could carry out covert surveillance. The company was accused of using this spy van to intercept private communications.
What can we learn from these GDPR fines?
In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, amongst the other penalties, there are some common themes to be learned from:
- Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and what your lawful basis is for doing so.
- Never use personal information in ways that are unfair, detrimental, unexpected or misleading.
- Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
- Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
- Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.