While penalties haven't quite reached the magnitude of last year, fines have broken the million euro mark with violations involving unauthorised access to customer personal data and the collection of employee data. We investigate the breaches behind these fines so that your company can avoid similar penalties.
Top GDPR fines in 2024
- Enel Energia SpA - €79.1m fine
- Amazon France Logistique - €32m fine
- Avast Software - €13.9m fine
- UniCredit S.p.a. - €2.8m fine
- TikTok - £1.8m fine
- CAIXABANK, S.A - €1.2m fine
- Verkkokauppa.com - €856k fine
- NTT Data Italia S.P.A - €800k fine
- CTC Externalización - €365k fine
- Santander Bank Polska S.A. - €326k fine
We continuously track the largest data protection fines yearly and have highlighted the biggest GDPR fines of all time.
The biggest 2024 GDPR fines in detail
1. Enel Energia SpA - €79.1m fine
GDPR breaches - Art. 5 (1) f), Art. 5 (2), Art. 24 (1), Art. 25, Art. 28, Art. 32
The Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against ENEL Energia for telemarketing misconduct. This follows the cancellation of a previous €26.5 million fine due to procedural delays.
The Garante criticised ENEL Energia for not implementing adequate measures to prevent telemarketing abuses but acknowledged the company's efforts to improve security.
The regulator found that Enel Energia violated GDPR Articles 5(1)(f) and 32 by failing to properly assess risks associated with its CRM interface and not implementing adequate measures to secure access credentials, preventing their sharing. This oversight allowed unauthorised agency employees to access and process personal data within Enel Energia's contractual system.
2. Amazon France Logistique - €32m fine
GDPR breaches - Art. 5 (1) c), Art. 6, Art. 12, Art. 13, Art. 32
Amazon France Logistique has been fined €32m by the French Data Protection Authority (CNIL) for its excessively intrusive monitoring system of employee activity. In addition to this, the company was penalised for video surveillance processing and the failure to ensure the security of personal data.
The company oversees the management of Amazon's large warehouses in France. Employees are equipped with scanners to track tasks like item storage, retrieval, and packaging in real-time.
Data from these scans is recorded and utilised to assess employee performance, including metrics on productivity, quality, and downtime. After media reports raised concerns about warehouse practices, the CNIL conducted investigations prompted by both media coverage and employee complaints.
The watchdog concluded that Amazon did not require access to the minor data captured by these scanners to plan work in its warehouses. In addition to not properly informing workers about video surveillance and the system being extremely intrusive, it was found that this put undue stress on its workforce.
3. Avast Software - €13.9m fine
The Czech Republic's Office for Personal Data Protection (ÚOOÚ) fined Avast Software approximately $14.8 million for violating GDPR. The investigation revealed that in 2019, Avast's Czech branch, Jumpshot, INC., processed personal data from Avast antivirus software and browser extensions without authorisation.
Avast transferred data from 100 million users to Jumpshot, which marketed insights into online consumer behaviour to third parties. ÚOOÚ found that Avast misled users about its anonymisation techniques, which allowed some data subjects to be reidentified.
Jiří Kaucký, Chairman of ÚOOÚ, highlighted that Avast, known for its cybersecurity expertise, unexpectedly compromised user data, potentially revealing identities, interests, preferences, and other personal details. Avast disputes the regulator’s findings and is considering further legal action.
Previously, in February, Avast agreed to a $16.5 million settlement with the Federal Trade Commission over similar charges. Avast ceased Jumpshot operations in 2020 and stopped selling browsing data for advertising purposes.
4. UniCredit S.p.a. - €2.8m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1), (2)
The Italian data protection authority, Garante, fined UniCredit S.p.A. €2.8 million for breaching the General Data Protection Regulation (GDPR). UniCredit reported a data breach in October 2018 following a cyberattack on its mobile banking system.
Personal data, excluding bank details, of certain customers were compromised. The breach posed a high risk to customers' rights and freedoms, requiring UniCredit to notify affected individuals.
Garante's investigation showed that UniCredit failed to ensure compliance with data processing standards and implement proper technical measures to limit unauthorised access to personal data. Despite no complaints from affected individuals and immediate security improvements post-breach, UniCredit was fined for GDPR violations and given 30 days to pay the fine.
5. TikTok - £1.8m fine
GDPR breaches - s368Z10 & s368Y of the Communications Act 2003
The Office of Communications (Ofcom) fined TikTok Information Technologies UK Limited £1.875 million for inaccurately responding to a formal request about its parental controls safety feature.
Ofcom needed this information to assess the feature's effectiveness and produce the Child Safety Report. TikTok initially responded on September 4, 2023, but admitted on December 1, 2023, that the data was inaccurate.
An investigation revealed TikTok's insufficient checks and slow error correction, with accurate but incomplete data submitted over seven months late. Ofcom found TikTok in breach of the Communications Act and imposed the fine, which includes a 25% reduction due to TikTok's acceptance of the findings and case settlement.
6. CAIXABANK, S.A - €1.2m fine
GDPR breaches - Art. 6 (1)
The Spanish Data Protection Authority (AEPD) has fined CaixaBank Payments & Consumer EFC, EP, S.A.U. €2 million, later reduced to €1.2 million, for violating the GDPR following a complaint.
The issue arose when CaixaBank required the complainant to consent to the retrieval of their data from the General Treasury of Social Security (TGSS) as part of a non-negotiable clause in a form, threatening to block the complainant's account if they did not comply.
The AEPD found no legal basis for CaixaBank to demand such data without proper consent and determined that the claimant should have been able to withdraw consent without consequences.
This led to the conclusion that CaixaBank violated Article 6(1) of the GDPR for processing data without a legal basis. The fine was reduced after CaixaBank utilised the voluntary payment procedure and acknowledged its responsibility.
7. Verkkokauppa.com - €856k fine
GDPR breaches - Art. 5 (1) e), Art. 25 (2)
The Office of Data Protection Ombudsman (Ombudsman) has imposed a fine of €856,000 on Verkkokauppa.com Oyj for breaching the GDPR following a customer complaint.
The investigation stemmed from a customer's complaint about Verkkokauppa's requirement for creating a customer account before online purchases. It was also found that Verkkokauppa was indefinitely storing customer data, relying on customer deletion requests to determine the length of data retention time.
The Ombudsman found Verkkokauppa in violation of GDPR for mandating customer account creation unnecessarily and lacking a defined retention period for customer data. They were fined and instructed to establish a proper data retention policy and revise account creation procedures. Additionally, Verkkokauppa received a notice for violating data protection regulations.
8. NTT Data Italia S.P.A - €800k fine
GDPR breaches - Art. 28 (2), Art. 33 (2)
The Italian data protection authority, Garante, fined NTT Data Italia S.P.A €800,000 for GDPR violations. This fine relates to the above-mentioned Unicredit penalty.
Garante revealed that UniCredit reported a cyber attack in October 2018 involving its mobile banking system, leading to unauthorised access to customers' personal data, excluding bank details. Garante deemed it a high-risk breach and mandated UniCredit to inform affected customers.
Additionally, Garante investigated NTT Data Italia, responsible for UniCredit's security assessments from October 1 to 26, 2018. It found that NTT Data Italia subcontracted assessment tasks without proper authorisation from UniCredit, breaching GDPR Article 28(2).
The Garante noted that NTT DATA Italia received the vulnerability assessment and penetration testing report from the third party they had contracted but failed to inform UniCredit of the findings promptly.
9. CTC Externalización - €365k fine
GDPR breaches - Art. 13, Art. 32, Art. 35
The Spanish Data Protection Authority (AEPD) fined CTC Externalización, S.L. €365,000 for multiple violations of GDPR regulations. CTC, a company offering logistics, industrial services, and other operations in Spain, faced an investigation following a complaint from an individual.
They raised the issue of unauthorised collection of biometric fingerprint data from employees without proper disclosure. The AEPD found that CTC failed to inform its employees adequately about the handling of their biometric data, violating GDPR Article 13.
Additionally, CTC did not provide sufficient assurance regarding the deletion of biometric data post-collection, and the AEPD could not verify the security measures for accessing employee fingerprint hashes and identification data.
CTC also neglected to recognise the processing of biometric data as a special category or consider the associated risks to employees' rights and freedoms, failing to conduct a required Data Protection Impact Assessment (DPIA).
10. Santander Bank Polska S.A. - €326k fine
GDPR breaches - Art. 33 (1), Art. 34 (1)
The Polish data protection authority (UODO) announced a fine of PLN 1.4 million (approx. €326k) on Santander Bank Polska S.A. for GDPR violations related to a data breach. The breach involved personal and sensitive data found in public bank documents left in an abandoned parcel previously stolen from a courier company.
Santander Bank did not report the breach, claiming the parcel was quickly recovered by an individual who returned it to the police without copying the documents. However, UODO found that Santander Bank's actions deprived data subjects of the chance to respond adequately to the breach and failed to assess the risk or take appropriate remedial measures.
UODO emphasised that the breach's severity wasn't diminished by the fact that the data was accessed by only one person, as the breach still occurred. Santander Bank was ordered to notify the people affected by this breach.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.
