We explain the reasons for these penalties and provide tips on how to prevent your company from committing similar breaches!
Top GDPR fines in 2022
- Clearview AI Inc. - €20m fine
- Meta Platforms Ireland Ltd. - €17m fine
- Google LLC - €10m fine
- Clearview AI Inc. - €9m fine
- REWE International - €8m fine
- Cosmote Mobile Telecommunications - €6m fine
- Vodafone España - €3.94m fine
- Dutch Tax & Customs Administration - €3.7m fine
- OTE Group - €3.25m fine
- Amazon Road Transport - €2m fine
- BREBAU GmbH - €1.9m fine
- Dedalus Biologie - €1.5m fine
- Danske Bank - €1.3m fine
The biggest 2022 GDPR fines in detail
1. Clearview AI Inc. - €20m fine
GDPR breaches - Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27
The facial recognition firm, Clearview AI has been fined €20m by Italy's data protection agency for breaches of EU law. Upon investigation, the authorities found that the personal data the company holds is processed illegally. This data includes biometric and geolocation information.
Furthermore, the company was found to be in breach of its transparency obligations, since it had neglected to inform users of what it was doing with their selfies and had used their data for purposes other than those published online.
2. Meta Platforms Ireland Ltd. - €17m fine
GDPR breaches - Art. 5 (2), Art. 24 (1)
The Data Protection Commission (DPC) imposed a fine of €17m on Meta Platforms. An investigation into the company formerly known as Facebook Ireland Ltd found that it had failed to have appropriate technical and organisational measures in place.
This meant that it could not readily demonstrate the security measures it had implemented in practice to protect EU users' data. The finding arose in the context of twelve personal data breaches.
3. Google LLC - €10m fine
GDPR breaches - Art. 6, Art. 17
The Spanish data protection authority (AEPD) issued a total fine of €10m to Google LLC, comprising €5m for the violation of Article 6 of the GDPR and €5m for violating Article 17. The investigation found that Google required users to accept the transfer of copies of their content removal requests to a third party if they wanted content removed.
Furthermore, the only notification Google offered was in the Google forms themselves, used for the submission of the request. The AEPD also found that the Google forms did not facilitate the right to erase personal data or offer the option to reject the transfer.
4. Clearview AI Inc. - €9m fine
GDPR breaches - Art. 5 (1) a), e), Art. 6, Art. 9, Art. 14 GDPR, Art. 15, Art. 16, Art. 17, Art. 21, Art. 22, Art. 35
The Information Commissioner's Office (ICO) in the UK has found Clearview AI Inc. to be in breach of UK data protection law. The company has been issued a fine of €9m and told to delete the data of UK residents.
The ICO came to its decision after identifying that Clearview AI Inc. had no lawful reason to collect personal data, had no process in place to stop data being retained indefinitely, and failed to meet the higher data protection standards required for biometric data.
5. REWE International - €8m fine
GDPR breach - Non-compliance with general data protection principles
The Austrian food retailer, REWE International, received a fine of €8 million for the careless handling of customer data. The company's customer loyalty and rewards programme, jö Bonus Club, breached the General Data Protection Regulation (GDPR) by allegedly collecting users' data without their consent and using it for marketing purposes.
REWE International will challenge the Austrian Data Protection Authority (DPA)'s decision because jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club.
This is not the first time the jö Bonus Club has breached GDPR. The subsidiary was fined €2 million in August 2021 for the unlawful collection of millions of bonus club members' data and the subsequent sale to third parties.
6. Cosmote Mobile Telecommunications - €6m fine
GDPR breaches - Art. 5 (1) a), Art. 5 (2), Art. 13, Art. 14, Art. 25 (1), Art. 26, Art. 28, Art. 35 (7)
The Hellenic Data Protection Authority (HDPA) imposed a fine of €6 million on Greece's largest mobile operator, Cosmote. After the company experienced a cyberattack in 2020, the personal data of millions of its customers was stolen.
The HDPA found that Cosmote failed to include their parent company, OTE Group, in the investigation, and they neglected to explain the severity of the data breach to their affected customers. The investigation also found that Cosmote did not implement appropriate data protection measures.
The authorities discovered that Cosmote could legally keep call data for up to 90 days and an additional 12 months if the data is pseudonymised. However, there were cases where the pseudonymisation process was incomplete, and the company held customer data for longer than is legally allowed.
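As an added illustration (not code from the original article or from Cosmote), the retention audit below applies the rule the passage describes to constructed call-data records: a record older than 90 days must be pseudonymised, a record older than 90 days plus a further 12 months must be gone, and a record that still carries any raw subscriber identifier counts as not pseudonymised. The field names, the token format and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RAW_RETENTION = timedelta(days=90)       # raw call data may be kept this long
PSEUDO_RETENTION = timedelta(days=365)   # further 12 months only if pseudonymised
# Every one of these fields must be tokenised before a record counts as
# pseudonymised (assumed field names, not Cosmote's real schema).
IDENTIFIER_FIELDS = ("caller_msisdn", "callee_msisdn", "imsi")

@dataclass
class CallRecord:
    record_id: str
    call_date: date
    fields: dict  # identifier field -> raw value or "tok_..." token

def is_fully_pseudonymised(rec):
    """True only if every identifier field holds a token; a missing or raw
    field means the pseudonymisation is incomplete."""
    for name in IDENTIFIER_FIELDS:
        value = rec.fields.get(name)
        if value is None or not value.startswith("tok_"):
            return False
    return True

def classify(rec, today):
    """Return the action the retention rule requires for one record."""
    age = today - rec.call_date
    if age > RAW_RETENTION + PSEUDO_RETENTION:
        return "DELETE"        # beyond the maximum retention in any form
    if age > RAW_RETENTION:
        return "OK" if is_fully_pseudonymised(rec) else "PSEUDONYMISE"
    return "OK"                # still inside the raw retention window

def audit(records, today):
    return {rec.record_id: classify(rec, today) for rec in records}

# Constructed sample records (not real data), checked against a fixed date
TODAY = date(2022, 6, 1)
SAMPLE = [
    CallRecord("r1", date(2022, 5, 1), {"caller_msisdn": "+30691000001", "callee_msisdn": "+30691000002", "imsi": "202010000000001"}),
    CallRecord("r2", date(2022, 1, 1), {"caller_msisdn": "tok_a1", "callee_msisdn": "tok_b2", "imsi": "tok_c3"}),
    # incomplete pseudonymisation: callee number still raw after 90 days
    CallRecord("r3", date(2022, 1, 1), {"caller_msisdn": "tok_d4", "callee_msisdn": "+30691000009", "imsi": "tok_e5"}),
    CallRecord("r4", date(2021, 1, 1), {"caller_msisdn": "tok_f6", "callee_msisdn": "tok_g7", "imsi": "tok_h8"}),
]

if __name__ == "__main__":
    for rid, verdict in audit(SAMPLE, TODAY).items():
        print(rid, verdict)
```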
7. Vodafone España - €3.94m fine
GDPR breaches - Art. 5 (1) f), Art. 5 (2)
The Spanish Data Protection Authority (AEPD) fined Vodafone €3.94 million for failure to implement appropriate security measures to prevent the fraudulent duplication of SIM cards. During the investigation, the AEPD found that Vodafone could not prove it had verified the identity of the fraudsters and that its security measures were insufficient.
Furthermore, the authorities concluded that the company displayed a lack of accountability. In response to Vodafone's argument that the duplication of SIM cards was due to human error, the AEPD stated that repeated human error indicates "a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures."
8. Dutch Tax & Customs Administration - €3.7m fine
GDPR breaches - Art. 5 (1) a), b), d), e), Art. 6 (1), Art. 32 (1), Art. 35 (2)
The Dutch Data Protection Authority (DPA) imposed a fine of €3.7m on the Tax & Customs Administration for the illegal processing of personal data in the Fraud Signalling Facility (FSV). This is the highest fine issued by the DPA due to the severity of this breach.
During the investigation, the DPA discovered several violations of the privacy law. For example, the Tax & Customs Administration had no legal reason to process personal data and the security of the data was not in order.
Furthermore, the data was often incorrect, so people were wrongly registered as possible fraudsters, with negative consequences for a large number of them.
9. OTE Group - €3.25m fine
GDPR breaches - Art. 32
Following the leakage of subscriber call data, the HDPA fined the OTE Group a total of €3.25 million. The investigation into the company was triggered when Cosmote reported a data breach. It was found that Cosmote should have included the OTE Group in the investigation into data protection measures.
The HDPA concluded that both Cosmote and the OTE Group were responsible for determining the organisational and technical security measures. Furthermore, the OTE Group breached GDPR by failing to implement adequate security measures.
10. Amazon Road Transport - €2m fine
GDPR breaches - Art. 6 (1), Art. 10 GDPR; Art. 10 LOPDGDD
The AEPD imposed a fine of €2 million on Amazon Road Transport for failing to implement adequate procedures for collecting and processing personal data relating to criminal convictions.
A representative of the General Union of Workers filed a claim with the AEPD. They noted that, for hiring self-employed contractors, Amazon Road Transport requests certificates of absence of a criminal record, i.e. negative certificates. Furthermore, they require candidates' consent to transfer this data to group companies and their suppliers located outside the European Economic Area.
As a result, the AEPD rejected Amazon Road Transport's claims regarding the processing of negative criminal conviction certificates. Additionally, authorities refused to accept the company's interpretation of Article 10 of the GDPR, as well as Article 10 of the LOPDGDD.
11. BREBAU GmbH - €1.9m fine
GDPR breaches - Art. 5 (1), Art. 6 (1), Art. 9
BREBAU GmbH was issued a fine of €1.9m by the Bremen Commissioner for legal and transparency violations. The investigation found that BREBAU GmbH had processed data on over 9 500 prospective tenants.
This data was processed without a legal basis and over half the cases involved data that is particularly protected under the GDPR. Due to the severe violation of data protection, a higher fine would have been imposed if the company had not co-operated and endeavoured to minimise the damage caused by these violations.
12. Dedalus Biologie - €1.5m fine
GDPR breaches - Art. 28, Art. 29, Art. 32
After a massive leak of medical data involving over 500 000 people, Dedalus was fined €1.5m by the French data protection authority, the CNIL. The penalty is a result of security defects and the failure to fulfil several other obligations under the GDPR, which led to this data leak.
The CNIL also applied to the Paris Judicial Court to block access to the site on which the data was leaked, which has minimised the impact on the individuals involved.
13. Danske Bank - €1.3m fine
GDPR breaches - Art. 5 (2)
The Danish Data Protection Agency has reported Danske Bank to the police and fined the bank DKK 10 million. This is due to its failure to present proper procedures for deleting and storing personal data in over 400 systems.
In 2020, Danske Bank reported that it was storing data longer than necessary and its systems were not fully compliant with GDPR. However, this report came two years after the GDPR came into effect despite the bank knowing that it would fail to meet the compliance deadline for data retention and deletion.
What can we learn from these GDPR fines?
In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, amongst the other penalties, there are some common themes to be learned from:
- Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
- Never use personal information in unfair, detrimental, unexpected, or misleading ways.
- Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
- Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
- Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.
Want to learn more about GDPR?
To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.
We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you have any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!