Biggest GDPR Fines of 2023

Posted by Emmeline de Chazal on 22 Sep 2023

Last year saw the biggest GDPR fine issued to date, at over a billion euros. We review the largest penalties dished out in 2023.


It has been a record-breaking year for GDPR fines, and over a quarter of 2023 still remains. Below we explain the reasons for these fines and offer tips on how to prevent your company from committing similar breaches.

Top GDPR fines in 2023

  1. Meta Platforms Ireland Ltd. - €1.2bn fine
  2. Meta Platforms Ireland Ltd. - €390m fine
  3. TikTok Ltd - €345m fine
  4. Criteo - €40m fine
  5. TikTok - £12.7m fine
  6. Axpo Italia Spa - €10m fine
  7. TIM SpA - €7.6m fine
  8. WhatsApp Ireland Ltd. - €5.5m fine
  9. EOS Matrix - €5.47m fine
  10. Clearview AI Inc - €5.2m penalty
  11. Spotify - €4.9m fine
  12. Trygg-Hansa - €3m fine
  13. B2 Kapital - €2.2m fine

We track the largest data protection fines every year, including the GDPR fines issued in 2019, 2020, 2021 and 2022.


The biggest 2023 GDPR fines in detail

1. Meta Platforms Ireland Ltd. - €1.2bn fine

GDPR breaches - Art. 46 (1)

Ireland's Data Protection Commission (DPC) found Meta to be in violation of GDPR international transfer guidelines. The record-breaking fine of €1.2bn was issued to Facebook's parent company after it mishandled personal data when transferring it between Europe and the United States (US).

At the heart of the breach is Meta's transfer of data to the US on the basis of standard contractual clauses since 2020. Standard contractual clauses are the only valid way to transfer data between the EU and the US, and they are valid only if an adequate level of data protection is ensured, which Meta failed to provide.

In addition to the fine, Meta has been ordered to bring its data transfers into compliance with the GDPR. Meta has stated that it will appeal this decision.

2. Meta Platforms Ireland Ltd. - €390m fine

GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)

Meta Platforms Ireland Ltd. makes a second appearance for the year with a €390m fine for unlawfully requiring people to accept the use of their data for ads on Facebook and Instagram. The regulator states that Meta cannot force consent by telling consumers to accept how their data is used or leave the platform.

During the investigation, the Irish Data Protection Commission (DPC) also found that Meta was not clear enough about how and why it would use a user's data.


3. TikTok Ltd - €345m fine

GDPR breaches - Art. 5 (1) c), 5 (1) f), Art. 12 (1), Art. 13 (1) e), Art. 24 (1), Art. 25 (1), (2)

The Irish Data Protection Commission (DPC) has fined TikTok €345m for breaching a number of GDPR rules, including setting the accounts of 13- to 17-year-old users to public by default.

This failure to shield underage users from public view was coupled with not supplying these users with transparent information and not checking if the adult who 'paired' with the child in the 'family pairing' scheme was, in fact, a parent or guardian.

Furthermore, the DPC found that TikTok did not take into account the risks posed to underage users who gained access to the platform.

4. Criteo - €40m fine

GDPR breaches - Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26

The French data protection authority (CNIL) has fined Criteo, an online advertising specialist, €40 million in response to complaints from the non-profit organisations Privacy International and None of Your Business (NOYB).

CNIL's decision cites Criteo's failure to ensure that its partners, such as publishers, obtained user consent for using Criteo's cookies. Although partners are primarily responsible for obtaining consent from users, CNIL still holds Criteo responsible for verifying this consent.

The €40 million penalty amounts to approximately 2% of the company's global revenue, reduced from an initial proposal of €60 million by CNIL rapporteurs.


5. TikTok - £12.7m fine

GDPR breaches - Art. 5 (1) a), Art. 12, Art. 13

The Information Commissioner's Office (ICO) has fined TikTok £12.7m for a number of breaches, which include unlawfully processing the data of 1.4m children under the age of 13. The regulator found that TikTok did not do enough to prevent under-13s from accessing the platform and failed to conduct adequate checks.

Furthermore, the ICO identified that TikTok failed to ensure personal data belonging to UK users was lawfully processed in a fair and transparent manner. Following the investigation, the ICO has published a Children's Code to help protect children in the digital world.

6. Axpo Italia Spa - €10m fine

GDPR breaches - Art. 5 (1) a), d), Art. 5 (2), Art. 24 (2)

Axpo Italia, a renewable energy producer and trader, received a €10m penalty from the Italian data protection authority (Garante) under the GDPR. The fine was imposed following complaints from customers who discovered unauthorised activation of Axpo electricity and gas contracts in their names.

Garante's investigation revealed that Axpo acquired contracts through a network of 280 door-to-door sellers but lacked adequate procedures to verify the accuracy of customer data. More than 5,000 users were affected by the unlawful processing of personal data, leading to violations of several GDPR articles.

In addition to the fine, Garante mandated Axpo to implement corrective measures, including an alert system for detecting misconduct, mechanisms to verify communications during the contracting phase, and enhanced audit activities for its agents. Axpo expressed cooperation with the investigation and reserved the right to appeal the ruling.


7. TIM SpA - €7.6m fine

GDPR breaches - Art. 5 (2), Art. 6, Art. 7, Art. 12 (2), (3), Art. 13, Art. 14, Art. 15 (1), Art. 32 (1) b)

The Italian Data Protection Authority (Garante) issued a €7.6m fine to telemarketing company TIM SpA for inadequate supervision of abusive call centres. The company has been the subject of previous investigations and still has room for improvement when it comes to data processing.

The investigation found that the company inadequately responded to requests from individuals to exercise their data subject rights and published personal data in public telephone directories without getting consent.

8. WhatsApp Ireland Ltd. - €5.5m fine

GDPR breaches - Art. 6 (1), Art. 12, Art. 13 (1) c)

The Irish watchdog has fined WhatsApp Ireland Ltd €5.5m for forcing users to consent to their personal data being used for "service improvements and security". This case is similar to the one against Meta Platforms Ireland Ltd., which also dates back to May 2018.

In addition to the fine, WhatsApp Ireland Ltd has also been ordered to bring its data processing operations into compliance with EU privacy rules within six months.


9. EOS Matrix - €5.47m fine

GDPR breaches - Art. 5 (2), Art. 6 (1), Art. 12 (1), Art. 13 (1), Art. 32 (1) b)

The Croatian Supervisory Authority (SA) fined EOS Matrix, a debt collection agency, €5.47 million for violating the GDPR. The breaches included unauthorised data processing, insufficient technical measures and a lack of transparency.

The case emerged from an anonymous petition in March 2023, revealing EOS Matrix's unauthorised processing of personal data, supported by a USB stick containing information on over 180,000 people with outstanding debts. The company's inadequate processing system failed to detect unusual activities, and it processed data of individuals without a legal basis.

EOS Matrix recorded health-related comments and tracked diagnoses despite claiming in its privacy policies not to process health data.

10. Clearview AI Inc. - €5.2m penalty

GDPR breaches - penalty for failure to comply with privacy orders

Clearview AI Inc. is in hot water again after failing to comply with the French regulator's orders. Following a €20m fine and an order not to collect and process the data of individuals in France without a legal basis, Clearview AI had still failed to comply two months later.

The French regulator, CNIL, has therefore imposed a penalty payment of €5.2m, to be paid in addition to the outstanding fine.


11. Spotify - €4.9m fine

GDPR breaches - Art. 12 (1), Art. 15 (1), (2)

Music streaming platform Spotify has been issued with a fine of SEK 58 million (€4.9m) in Sweden for breaching the data access rights of its users. The Swedish Authority for Privacy Protection (IMY) found that Spotify was not transparent in how it collected data on its users.

Since Spotify is used in many countries, the ruling was made in cooperation with other data protection authorities in the EU. Spotify rejects the IMY's findings and intends to appeal the decision.

12. Trygg-Hansa - €3m fine

GDPR breaches - Art. 5 (1) f), Art. 32 (1)

The Swedish Data Protection Authority (IMY) issued a fine of SEK 35 million (approximately €2,915,316) to Tryg Forsikring A/S (Trygg-Hansa) for breaching the General Data Protection Regulation (GDPR) following a complaint.

IMY received a complaint in December 2020 alleging that Trygg-Hansa had allowed unauthorised access to its customers' sensitive personal data. Upon investigation, IMY found that Trygg-Hansa processed the personal data of approximately 650,000 individuals, including names, contact details, health information, social security numbers, financial data, insurance records, event details, and property information.

The breach exposed sensitive health information, which was accessible on the internet without any authentication. IMY noted that the data of 202 customers was affected and that the unauthorised access was possible from October 2018 to February 2021.

13. B2 Kapital - €2.2m fine

GDPR breaches - Art. 6 (1), Art. 13 (1), Art. 28 (3), Art. 32 (1) b), d), Art. 32 (2)

Data controller B2 Kapital has been fined €2.2m for the unauthorised processing of personal data. The Personal Data Protection Agency ('AZOP') in Croatia found that B2 Kapital had failed to inform data subjects about the processing of their data. The lack of transparency is a breach of GDPR.

Furthermore, the data controller did not conclude a contract with the data processor for the service of monitoring simple consumer bankruptcy, which put the personal data at risk. The investigation found that B2 Kapital had failed to apply appropriate technical and organisational protection measures.


What can we learn from these GDPR fines?

In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. Among the other penalties, however, there are some common themes to learn from:

  1. Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
  2. Never use personal information in unfair, detrimental, unexpected, or misleading ways.
  3. Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
  4. Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
  5. Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.


Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.

GDPR Training Presentation

Fines for GDPR breaches can reach 4% of your global annual turnover or EUR 20 million, whichever is higher. So it is critical to ensure your organisation understands and adheres to the GDPR.

Our free GDPR Training Presentation is fully editable, presents the key points in plain English and is packed with practical activities to accelerate learning.
