Biggest GDPR Fines of 2022

Posted by Matt Green on 14 Mar 2022


The first quarter of 2022 has seen substantial penalties dished out to firms, with some finding themselves on the receiving end yet again.


We explain the reasons for these penalties and provide tips on how to prevent your company from committing similar breaches!

Top GDPR fines in 2022

  1. REWE International - €8m fine
  2. Cosmote Mobile Telecommunications - €6m fine
  3. Vodafone España - €3.94m fine
  4. OTE Group - €3.25m fine
  5. Amazon Road Transport - €2m fine
  6. Danske Bank - €1.3m fine

We continuously track the largest data protection fines each year, including the GDPR fines issued in 2019, 2020 and 2021.


The biggest 2022 GDPR fines in detail

1. REWE International - €8m fine

GDPR breach - Non-compliance with general data protection principles

The Austrian food retailer, REWE International, received a fine of €8 million for the careless handling of customer data. The company's customer loyalty and rewards programme, jö Bonus Club, breached the General Data Protection Regulation (GDPR) by allegedly collecting users' data without their consent and using it for marketing purposes.

Rewe International will challenge the Austrian Data Protection Authority (DPA)'s decision because jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club.

This is not the first time the jö Bonus Club has breached GDPR. The subsidiary was fined €2 million in August 2021 for the unlawful collection of millions of bonus club members' data and the subsequent sale to third parties.

2. Cosmote Mobile Telecommunications - €6m fine

GDPR breaches - Art. 5(1)(a), Art. 5(2), Art. 13, Art. 14, Art. 25(1), Art. 26, Art. 28, Art. 35(7)

The Hellenic Data Protection Authority (HDPA) imposed a fine of €6 million on Greece's largest mobile operator, Cosmote. After the company experienced a cyberattack in 2020, the personal data of millions of their customers was stolen.

The HDPA found that Cosmote failed to include their parent company, OTE Group, in the investigation, and they neglected to explain the severity of the data breach to their affected customers. The investigation also found that Cosmote did not implement appropriate data protection measures.

The authorities noted that Cosmote was legally permitted to keep call data for up to 90 days, and for a further 12 months only in pseudonymised form. However, in some cases the pseudonymisation process had been incomplete, so the company held identifiable customer data for longer than the law allowed.
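The two-window retention rule at issue here (raw call data for at most 90 days, then pseudonymised data for a further 12 months) is exactly the kind of policy that fails silently when a pseudonymisation job skips records. The following is an added example, not Cosmote's or the HDPA's code, of a retention audit that flags records still carrying raw subscriber numbers past the raw window and records that should already have been deleted, then enforces the policy. The record layout, the 365-day reading of "12 months", the keyed-hash pseudonym, the key and the sample records are all assumptions for illustration.

```python
"""Retention audit for call detail records (CDRs).

Illustrates the two-window rule described above: raw records may be kept for
at most 90 days, then only in pseudonymised form for a further 12 months.
Added example; the thresholds, record layout, key and sample data are
assumptions for illustration, not any operator's real configuration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib
import hmac
import re

RAW_RETENTION = timedelta(days=90)        # raw identifiers allowed for 90 days
PSEUDO_RETENTION = timedelta(days=365)    # assumed: "12 months" taken as 365 days
KEY = b"example-key-not-for-production"   # assumed: in practice a KMS/HSM-held key
MSISDN_RE = re.compile(r"^\+?\d{8,15}$")  # a bare subscriber number, i.e. not pseudonymised


@dataclass(frozen=True)
class CallRecord:
    call_date: date
    caller: str   # raw MSISDN or pseudonym
    callee: str


def is_raw(value: str) -> bool:
    """True if the field still holds a directly identifying subscriber number."""
    return MSISDN_RE.match(value) is not None


def pseudonymise(msisdn: str, key: bytes = KEY) -> str:
    """Keyed hash: without the key a pseudonym cannot be recomputed from a
    number. An unkeyed SHA-256 of a phone number would not do, because the
    number space is small enough to brute-force."""
    digest = hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()
    return "p:" + digest[:16]


def audit(records, today: date):
    """Return (record, action) pairs for every record that violates the policy:
    'delete' when older than both windows combined, 'pseudonymise' when older
    than the raw window but still carrying a raw caller or callee number.
    Records inside the raw window, or already pseudonymised, produce nothing."""
    findings = []
    for rec in records:
        age = today - rec.call_date
        if age > RAW_RETENTION + PSEUDO_RETENTION:
            findings.append((rec, "delete"))
        elif age > RAW_RETENTION and (is_raw(rec.caller) or is_raw(rec.callee)):
            findings.append((rec, "pseudonymise"))
    return findings


def enforce(records, today: date, key: bytes = KEY):
    """Apply the policy and return the compliant record set."""
    kept = []
    for rec in records:
        age = today - rec.call_date
        if age > RAW_RETENTION + PSEUDO_RETENTION:
            continue  # past the pseudonymised window: delete
        if age > RAW_RETENTION:
            rec = replace(
                rec,
                caller=pseudonymise(rec.caller, key) if is_raw(rec.caller) else rec.caller,
                callee=pseudonymise(rec.callee, key) if is_raw(rec.callee) else rec.callee,
            )
        kept.append(rec)
    return kept


# Constructed sample data (not real call records), audited as of 14 Mar 2022.
TODAY = date(2022, 3, 14)
SAMPLE_RECORDS = [
    CallRecord(date(2022, 3, 1), "+306900000001", "+306900000002"),   # 13 days old: raw is fine
    CallRecord(date(2021, 11, 1), "+306900000003", "+306900000004"),  # 133 days old, still raw: violation
    CallRecord(date(2021, 11, 1), pseudonymise("+306900000005"), pseudonymise("+306900000006")),  # correctly pseudonymised
    CallRecord(date(2020, 6, 1), pseudonymise("+306900000007"), pseudonymise("+306900000008")),   # 651 days old: must be deleted
]

if __name__ == "__main__":
    for rec, action in audit(SAMPLE_RECORDS, TODAY):
        print(f"{action:12} {rec.call_date} {rec.caller} -> {rec.callee}")
    print(len(enforce(SAMPLE_RECORDS, TODAY)), "records retained")
```

The point of running `audit` separately from `enforce` is that an audit can be scheduled against every system holding the data and its findings logged as evidence of accountability (Art. 5(2)), whereas a fix-up job alone leaves no record that the policy was ever breached.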


3. Vodafone España - €3.94m fine

GDPR breaches - Art. 5(1)(f), Art. 5(2)

The Spanish Data Protection Authority (AEPD) fined Vodafone €3.94 million for failing to implement appropriate security measures to prevent the fraudulent duplication of SIM cards (SIM swapping). During the investigation, the AEPD found that Vodafone could not prove it had verified the identity of the people requesting the duplicates, and that its security measures were insufficient.

Furthermore, the authority concluded that the company displayed a lack of accountability. In response to Vodafone's argument that the duplication of SIM cards was due to human error, the AEPD stated that repeated human error indicates "a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures."

4. OTE Group - €3.25m fine

GDPR breaches - Art. 32

Following the leak of subscriber call data, the HDPA fined the OTE Group a total of €3.25 million. The investigation into the company was triggered when Cosmote reported its data breach, and it found that Cosmote should have included the OTE Group in the investigation into data protection measures.

The HDPA concluded that both Cosmote and the OTE Group were responsible for determining the organisational and technical security measures. Furthermore, the OTE Group breached GDPR by failing to implement adequate security measures.

5. Amazon Road Transport - €2m fine

GDPR breaches - Art. 6 (1), Art. 10, Art. 10 LOPDGDD

The AEPD imposed a fine of €2 million on Amazon Road Transport for failing to implement adequate procedures for collecting and processing personal data relating to criminal convictions.

A representative of the General Union of Workers filed a claim with the AEPD. They noted that, for hiring self-employed contractors, Amazon Road Transport requests certificates of absence of a criminal record, i.e. negative certificates. Furthermore, they require candidates' consent to transfer this data to group companies and their suppliers located outside the European Economic Area.

As a result, the AEPD rejected Amazon Road Transport's claims regarding the processing of negative criminal conviction certificates. Additionally, authorities refused to accept the company's interpretation of Article 10 of the GDPR, as well as Article 10 of the LOPDGDD.

6. Danske Bank - €1.3m fine

GDPR breaches - Art. 5 (2)

The Danish Data Protection Agency (Datatilsynet) reported Danske Bank to the police and recommended a fine of DKK 10 million (about €1.3 million). This is due to the bank's failure to demonstrate proper procedures for storing and deleting personal data across more than 400 systems.

In 2020, Danske Bank reported that it was storing data longer than necessary and its systems were not fully compliant with GDPR. However, this report came two years after the GDPR came into effect despite the bank knowing that it would fail to meet the compliance deadline for data retention and deletion.


What can we learn from these GDPR fines?

In some instances, the only conclusion is that the companies involved seem to have forgotten that the GDPR existed. Among the other penalties, however, there are some common themes to learn from:

  1. Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
  2. Never use personal information in unfair, detrimental, unexpected, or misleading ways.
  3. Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
  4. Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
  5. Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.


Want to learn more about GDPR?

To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.

Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including GDPR compliance e-learning.

Our searchable GDPR compliance glossary explains key terms, and we regularly report on lessons from the largest compliance fines resulting from regulatory breaches.

We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.

If you've any questions or concerns about compliance or e-learning, please get in touch.

We're happy to help!
