Biggest GDPR Fines of 2022

We explain the reasons for these fines and provide tips on how to prevent your company from committing similar breaches!

Top GDPR fines in 2022

1. Meta Platforms, Inc. - €405m fine
2. Meta Platforms Ireland Limited - €265m fine
3. Clearview AI Inc. - €20m fine
4. Clearview AI Inc. - €20m fine
5. Clearview AI Inc. - €20m fine
6. Meta Platforms Ireland Ltd. - €17m fine
7. Google LLC - €10m fine
8. Clearview AI Inc. - €9m fine
9. REWE International - €8m fine
10. Cosmote Mobile Telecommunications - €6m fine
11. Interserve Group Limited - €5m fine
12. Portuguese National Statistical Institute - €4.3m fine
13. Vodafone España - €3.94m fine
14. Dutch Tax & Customs Administration - €3.7m fine
15. OTE Group - €3.2m fine
16. Amazon Road Transport - €2m fine
17. Alpha Exploration - €2m fine
18. BREBAU GmbH - €1.9m fine
19. Dedalus Biologie - €1.5m fine
20. Easylife Ltd. - €1.5m fine
21. Danske Bank - €1.3m fine
22. Volkswagen - €1.1m fine

We continuously track the largest data protection fines each year, including the GDPR fines issued in 2019, 2020 and 2021.

The biggest 2022 GDPR fines in detail

1. Meta Platforms, Inc. - €405m fine

GDPR breaches - Art. 5 (1) a), c), Art. 6 (1), Art. 12 (1), Art. 24, Art. 25 (1), (2), Art. 35

The Data Protection Commission (DPC) issued a fine to Meta Platforms Ireland Ltd. (Instagram) of €405m which includes a fine of €20m for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines. An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram. 

The DPC conducted a thorough investigation and submitted a draft decision to all peer regulators in the EU. After they couldn't reach a consensus, the case was referred to the European Data Protection Board ("EDPB"). In the end, the DPC's original recommended fine amount was imposed, and the DPC issued a reprimand to the company with an order requiring specified remedial actions.

2. Meta Platforms Ireland Limited - €265m fine

GDPR breaches - Art. 25 (1), (2)

Meta Platforms Ireland Limited (MPIL), the data controller of 'Facebook' social media network, has been issued a fine of €265m along with corrective measures.  This is one of the largest fines since the beginning of GDPR.

The inquiry began after reports that a collated dataset of Facebook personal data was made available on the internet. The main issues in the inquiry involved questions of compliance with the GDPR obligation for Data Protection by Design and Default.

After a comprehensive investigation, the DPC found MPIL in breach of Articles 25(1) and 25(2) GDPR, and the supervisory authorities agreed with the final decision.

3. Clearview AI Inc. - €20m fine

GDPR breaches - Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27

The facial recognition firm Clearview AI has been fined €20m by Italy's data protection agency for breaches of EU law. Upon investigation, the authorities found that the personal data the company holds is processed illegally. This data includes biometric and geolocation information.

Furthermore, the company was found to be in breach of transparency obligations since they had neglected to inform users of what they were doing with their selfies and using user data for purposes other than what was published online.

4. Clearview AI Inc. - €20m fine

GDPR breaches- Art. 5 (1) a), Art. 6 Art. 9, Art. 12, Art. 14, Art. 15, Art. 27

The Hellenic Data Protection Authority ('HDPA')  in Greece imposed a fine of €20m on Clearview AI Inc. for lawfulness and transparency violations. This is the second fine to be issued to the company in the year.

The complaint about Clearview AI Inc. was submitted at the same time as similar complaints came through to four other supervisory authorities in Austria, France, Italy and the UK.

The HDPA uncovered a number of violations including Clearview AI's failure to meet its obligation under Article 27 to appoint a representative in the EU since Clearview AI falls within the scope of the GDPR.

5. Clearview AI Inc. - €20m fine

GDPR breaches - Art. 6, Art. 12, Art. 15, Art. 17, Art. 31

Clearview AI Inc. has been hit by the French regulator, CNIL, with another maximum financial penalty for GDPR breaches. Upon investigation, CNIL found several breaches which include unlawful processing of personal data since the collection and use of biometric data are carried out without a legal basis.

Furthermore, CNIL found that Clearview AI failed to take into account the rights of individuals in an effective and satisfactory way. CNIL has ordered the company to stop collecting and using data on individuals in France without a legal basis to do so. In addition to this, it has asked for the data already collected to be deleted.

6. Meta Platforms Ireland Ltd. - €17m fine

GDPR breaches - Art. 5 (2), Art. 24 (1)

The Data Protection Commission (DPC) imposed a fine of €17m on Meta Platforms. Upon investigation into the company formally known as Facebook Ireland Ltd, the DPC found that they failed to have appropriate technical and organisational measures in place.

This meant that they could not readily demonstrate the security measures that it implemented in practice to protect EU users' data. This is in the context of twelve personal data breaches.

7. Google LLC - €10m fine

GDPR breaches - Art. 6, Art. 17

The Spanish data protection authority ('AEPD') issued a total fine of €10m to Google LLC with €5m for the violation of Article 6 of the GDPR and €5m for violating Article 17. The investigation found that Google required users to accept the transfer of content removal request copies to a third party if they wanted to remove content.

Furthermore, the only notification offered by Google was in the Google forms themselves, used for the submission of the request. AEPD also found that Google forms did not facilitate the right to erase personal data or the option to reject a transfer.

8. Clearview AI Inc. - €9m fine

GDPR breaches - Art. 5 (1) a), e), Art. 6, Art. 9, Art. 14 GDPR, Art. 15, Art. 16, Art. 17, Art. 21, Art. 22, Art. 35

The Information Commissioner's Office (ICO) in the UK has found Clearview AI Inc. to be in breach of UK data protection law. The company has been issued a fine of €9m and told to delete the data of UK residents.

The ICO came to its decision after identifying that Clearview AI Inc. fails to have a lawful reason to collect personal data, doesn't have a process in place to stop data being retained indefinitely and fails to meet the higher data protection standards required for biometric data.

9. REWE International - €8m fine

GDPR breach - Non-compliance with general data protection principles

The Austrian food retailer, REWE International, received a fine of €8 million for the careless handling of customer data. The company's customer loyalty and rewards programme, jö Bonus Club, breached GDPR by allegedly collecting users' data without their consent and using it for marketing purposes.

Rewe International will challenge the Austrian Data Protection Authority's (DPA) decision because jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club.

This is not the first time the jö Bonus Club has breached GDPR. The subsidiary was fined €2 million in August 2021 for the unlawful collection of millions of bonus club members' data and the subsequent sale to third parties.

10. Cosmote Mobile Telecommunications - €6m fine

GDPR breaches - Art.5(1)a), Art. 5(2), Art. 13, Art. 14, Art. 25(1), Art. 26, Art. 28, Art. 35(7)

The Hellenic Data Protection Authority (HDPA) imposed a fine of €6 million on Greece's largest mobile operator, Cosmote. After the company experienced a cyberattack in 2020, the personal data of millions of their customers was stolen.

The HDPA found that Cosmote failed to include their parent company, OTE Group, in the investigation, and they neglected to explain the severity of the data breach to their affected customers. The investigation also found that Cosmote did not implement appropriate data protection measures.

The authorities discovered that Cosmote could legally keep call data for up to 90 days and an additional 12 months if the data is pseudonymised. However, there were cases where the pseudonymisation process was incomplete, and the company held customer data for longer than is legally allowed.

11. Interserve Group Limited - €5m fine

GDPR breaches - Art. 5 (1) f), Art. 32

The ICO fined Interserve Group Limited an amount of £4.4m (€5m) for failing to protect employee personal data. This fine came in the wake of a cyber attack which resulted in the personal data of 113k former and current employees being compromised.

The data that was compromised in the cyber attack included national insurance numbers, employee bank accounts as well as special category data such as ethic group, details of sexual orientation and disabilities.

After investigation, the ICO found that the company had failed to follow up on the initial alert of suspicious activity. Furthermore, Interserve used outdated software systems and protocols and lacked carrying out adequate staff training and risk assessments.

12. Portuguese National Statistical Institute - €4.3m fine

GDPR breaches - Art. 5 (1) a), Art. 9 (1), Art. 12, Art. 13, Art. 28 (1), (6), (7), Art. 35 (1), (2), (3) b), Art. 44, Art. 46 (2)

The Portuguese Supervisory Authority (CNPD) fined the Portuguese National Statistical Institute €4.3m for infringing different GDPR provisions "in the context of the 2021 Census data processing". After launching an investigation, the CNPD identified five key infringements in particular.

These infingements included a lack of lawfulness when it comes to processing special categories of personal data. Furthermore, failure to comply with transparency obligations, a lack of a DPIA which encompasses the entirety of the processing operations and relevant dimensions of Census, due diligence failures and a failure to comply with legal requirements for international data transfers.

13. Vodafone España - €3.94m fine

GDPR breaches - Art. 5 (1) f), Art. 5 (2)

The Spanish Data Protection Authority ('AEPD') fined Vodafone an amount of €3.94 million for failure to implement appropriate security measures to prevent the fraudulent replication of sim cards. During the investigation, AEPD found that Vodafone could not prove they had verified the identity of the fraudsters and that their security measures were insufficient.

Furthermore, authorities concluded that the company displayed a lack of accountability. In response to Vodafone's argument that the replication of sim cards was due to human error, AEPD stated that repetitive human error indicates "a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures."

14. Dutch Tax & Customs Administration - €3.7m fine

GDPR breaches - Art. 5 (1) a), b), d), e), Art. 6 (1), Art. 32 (1), Art. 35 (2)

The Dutch Data Protection Authority (DPA) imposed a fine of €3.7m on the Tax & Customs Administration for the illegal processing of personal data in the Fraud Signalling Facility (FSV). This is the highest fine issued by the DPA due to the severity of this breach.

During the investigation, the DPA discovered several violations of the privacy law. For example, the Tax & Customs Administration had no legal reason to process personal data and the security of the data was not in order.

Furthermore, the data was often incorrect which resulted in the incorrect registration of people as possible fraudsters which had negative consequences for a large number of people.

15. OTE Group - €3.2m fine

GDPR breaches - Art. 32

Following the leakage of subscriber call data, the HDPA fined the OTE Group a total of £3.2 million. The investigation into the company was triggered when Cosmote reported a data breach. It was found that Cosmote should have included the OTE Group in the investigation into data protection measures.

The HDPA concluded that both Cosmote and the OTE Group were responsible for determining the organisational and technical security measures. Furthermore, the OTE Group breached GDPR by failing to implement adequate security measures.

16. Amazon Road Transport - €2m fine

GDPR breaches - Art. 6 (1), Art. 10, Art. 10 LOPDGDD

AEDP imposed a fine of €2 million on Amazon Road Transport for the failure to implement adequate procedures for collecting and processing personal data relating to criminal conviction.

A representative of the General Union of Workers filed a claim with the AEPD. They noted that, for hiring self-employed contractors, Amazon Road Transport requests certificates of absence of a criminal record, i.e. negative certificates. Furthermore, they require candidates' consent to transfer this data to group companies and their suppliers located outside the European Economic Area.

As a result, the AEPD rejected Amazon Road Transport's claims regarding the processing of negative criminal conviction certificates. Additionally, authorities refused to accept the company's interpretation of Article 10 of the GDPR, as well as Article 10 of the LOPDGDD.

17. Alpha Exploration - €2m fine

GDPR breaches - Art. 5 (1) a), e), f), Art. 6, Art. 7, Art. 12 (1), Art. 13, Art. 14, Art. 27 (4), Art. 28, Art. 32, Art. 35

The Italian Data Protection Authority (Garante) has fined Alphas Exploration €2m for non-compliance with general data processing principles. This specifically relates to providing Clubhouse service in breach of the GDPR.

The Garante found that the company depended on inappropriate legal bases "to justify a number of different processing activities". In particular, they got consent for direct marketing using opt-out mechanisms. Furthermore, the Garante found that the "profiling aimed at showing users personalised content and suggestions could not be based on the need to execute the contract".

Alpha Exploration also failed to give information to non-users about the processing of their phone numbers. This resulted in the issue of the fine, the Garante putting an end to any further processing conducted for direct marketing purposes, increasing the transparency of processing and conducting a DPIA.

18. BREBAU GmbH - €1.9m fine

GDPR breaches - Art. 5 (1), Art. 6 (1), Art. 9

BREBAU GmbH was issued a fine of €1.9m by the Bremen Commissioner for legal and transparency violations. The investigation found that the BREBAU GmbH had processed data on over 9 500 prospective tenants.

This data was processed without a legal basis and over half the cases involved data that is particularly protected under the GDPR. Due to the severe violation of data protection, a higher fine would have been imposed if the company had not co-operated and endeavoured to minimise the damage caused by these violations.

19. Dedalus Biologie - €1.5m fine

GDPR breaches - Art. 28, Art. 29, Art. 32

After a massive leak in medical data involving over 500 000 people, Dedalus was fined €1.5m. The penalty is a result of security defects and the failure to fulfil several other obligations under the GDPR which led to this data leak.

The CNIL also appealed to the Paris Judicial Court to block access to the site on which the data was leaked which has minimised the impact on the individuals involved.

20. Easylife Ltd. - €1.5m fine

GDPR breaches - Art. 5 (1) a), Art. 6, Art. 9, Art. 13 (1) c), Regulation 21 PECR

The ICO fined Easlife ltd €1.5m for the unlawful use of personal data and predetory marketing calls. Upon investigation, the ICO found that the company had used the personal information of 145.4k customers to predict their medical condition and offer them health-related products without their consent.

Reagrding the violations under PECR, the investigation revealed that the company had made 1,345,732 unwanted marketing calls to individuals registered with the Telephone Preference Service.

21. Danske Bank - €1.3m fine

GDPR breaches - Art. 5 (2)

The Danish Data Protection Agency has reported Danske Bank to the police and fined the bank DKK 10 million. This is due to its failure to present proper procedures for deleting and storing personal data in over 400 systems.

In 2020, Danske Bank reported that it was storing data longer than necessary and its systems were not fully compliant with GDPR. However, this report came two years after the GDPR came into effect despite the bank knowing that it would fail to meet the compliance deadline for data retention and deletion.

22. Volkswagen - €1.1m fine

GDPR breaches - Art. 13, Art. 28, Art. 30, Art. 35

The State Commissioner for Data Protection (LfD) of Lower Saxony has fined Volkswagen €1.1m for GDPR violations during test drives. For the purposes of testing and training a driving assistance system designed for preventing traffic accidents, cameras were attached to a test car.

LfD found that Volkswagen had failed to use signs of a camera symbol and other prescribed information for other road users, they also had not entered into a data processing agreement with the service provider that carried out the test and no data protection impact assessment had been conducted.

Furthermore, the company had no explanation of the technical and organisational protection measures in the processing activities records.

What can we learn from these GDPR fines?

In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, amongst the other penalties, there are some common themes to be learned from:

1. Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
2. Never use personal information in unfair, detrimental, unexpected, or misleading ways.
3. Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
4. Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
5. Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.