In contrast, it has been a quiet year thus far. That being said, fines have already broken the million euro mark with violations involving unauthorised access to customer personal data and the collection of employee data. We investigate the breaches behind these fines so that your company can avoid similar penalties.
Top GDPR fines in 2024
- Amazon France Logistique - €32m fine
- UniCredit S.p.a. - €2.8m fine
- Verkkokauppa.com - €856k fine
- NTT Data Italia S.P.A - €800k fine
- CTC Externalización - €365k fine
- Santander Bank Polska S.A. - €326k fine
We continuously track the largest data protection fines yearly and have highlighted the biggest GDPR fines of all time.
The biggest 2024 GDPR fines in detail
1. Amazon France Logistique - €32m fine
GDPR breaches - Art. 5 (1) c), Art. 6, Art. 12, Art. 13, Art. 32
Amazon France Logistique has been fined €32m by the French Data Protection Authority (CNIL) for its excessively intrusive monitoring system of employee activity. In addition to this, the company was penalised for video surveillance processing and the failure to ensure the security of personal data.
The company oversees the management of Amazon's large warehouses in France. Employees are equipped with scanners to track tasks like item storage, retrieval, and packaging in real time.
Data from these scans is recorded and utilised to assess employee performance, including metrics on productivity, quality, and downtime. After media reports raised concerns about warehouse practices, the CNIL conducted investigations prompted by both media coverage and employee complaints.
The watchdog concluded that Amazon did not require access to the minor data captured by these scanners to plan work in its warehouses. In addition to not properly informing workers about video surveillance and the system being extremely intrusive, it was found that this put undue stress on its workforce.
2. UniCredit S.p.a. - €2.8m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1), (2)
The Italian data protection authority, Garante, fined UniCredit S.p.A. €2.8 million for breaching the General Data Protection Regulation (GDPR). UniCredit reported a data breach in October 2018 following a cyberattack on its mobile banking system.
Personal data, excluding bank details, of certain customers were compromised. The breach posed a high risk to customers' rights and freedoms, requiring UniCredit to notify affected individuals.
Garante's investigation showed that UniCredit failed to ensure compliance with data processing standards and implement proper technical measures to limit unauthorised access to personal data. Despite no complaints from affected individuals and immediate security improvements post-breach, UniCredit was fined for GDPR violations and given 30 days to pay the fine.
3. Verkkokauppa.com - €856k fine
GDPR breaches - Art. 5 (1) e), Art. 25 (2)
The Office of Data Protection Ombudsman (Ombudsman) has imposed a fine of €856,000 on Verkkokauppa.com Oyj for breaching the GDPR following a customer complaint.
The investigation stemmed from a customer's complaint about Verkkokauppa's requirement for creating a customer account before online purchases. It was also found that Verkkokauppa was indefinitely storing customer data, relying on customer deletion requests to determine the length of data retention time.
The Ombudsman found Verkkokauppa in violation of GDPR for mandating customer account creation unnecessarily and lacking a defined retention period for customer data. They were fined and instructed to establish a proper data retention policy and revise account creation procedures. Additionally, Verkkokauppa received a notice for violating data protection regulations.
4. NTT Data Italia S.P.A - €800k fine
GDPR breaches - Art. 28 (2), Art. 33 (2)
The Italian data protection authority, Garante, fined NTT Data Italia S.P.A €800,000 for GDPR violations. This fine relates to the above-mentioned Unicredit penalty.
Garante revealed that UniCredit reported a cyber attack in October 2018 involving its mobile banking system, leading to unauthorised access to customers' personal data, excluding bank details. Garante deemed it a high-risk breach and mandated UniCredit to inform affected customers.
Additionally, Garante investigated NTT Data Italia, responsible for UniCredit's security assessments from October 1 to 26, 2018. It found that NTT Data Italia subcontracted assessment tasks without proper authorisation from UniCredit, breaching GDPR Article 28(2).
The Garante noted that NTT DATA Italia received the vulnerability assessment and penetration testing report from the third party they had contracted but failed to inform UniCredit of the findings promptly.
5. CTC Externalización - €365k fine
GDPR breaches - Art. 13, Art. 32, Art. 35
The Spanish Data Protection Authority (AEPD) fined CTC Externalización, S.L. €365,000 for multiple violations of GDPR regulations. CTC, a company offering logistics, industrial services, and other operations in Spain, faced an investigation following a complaint from an individual.
They raised the issue of unauthorised collection of biometric fingerprint data from employees without proper disclosure. The AEPD found that CTC failed to inform its employees adequately about the handling of their biometric data, violating GDPR Article 13.
Additionally, CTC did not provide sufficient assurance regarding the deletion of biometric data post-collection, and the AEPD could not verify the security measures for accessing employee fingerprint hashes and identification data.
CTC also neglected to recognise the processing of biometric data as a special category or consider the associated risks to employees' rights and freedoms, failing to conduct a required Data Protection Impact Assessment (DPIA).
6. Santander Bank Polska S.A. - €326k fine
GDPR breaches - Art. 33 (1), Art. 34 (1)
The Polish data protection authority (UODO) announced a fine of PLN 1.4 million (approx. €326k) on Santander Bank Polska S.A. for GDPR violations related to a data breach. The breach involved personal and sensitive data found in public bank documents left in an abandoned parcel previously stolen from a courier company.
Santander Bank did not report the breach, claiming the parcel was quickly recovered by an individual who returned it to the police without copying the documents. However, UODO found that Santander Bank's actions deprived data subjects of the chance to respond adequately to the breach and failed to assess the risk or take appropriate remedial measures.
UODO emphasised that the breach's severity wasn't diminished by the fact that the data was accessed by only one person, as the breach still occurred. Santander Bank was ordered to notify the people affected by this breach.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.
