GDPR fines pass the €1bn mark

Some 755 fines have so far been issued since the General Data Protection Regulation was introduced in 2018, totalling more than €1bn, according to data compiled by cyber security specialists ESET. The UK has handed out almost £6.9m in penalties - the second highest average in Europe, according to the data.

Spain received the most fines, with 273 – representing just under a third of all fines given for GDPR violations. Italy and Romania received 75 and 60 fines respectively. Despite receiving the most fines, Spain ranks sixth for the total amount fined (€32,440,810). Luxembourg are out in front with €746,060,300 and the UK second with a total of €44,250,000.

The study found that the most common reason for GDPR fines in Europe is “insufficient legal basis for data processing” – the reason stated for 276 incidences of GDPR non-compliance. The total fines for this violation stand at €173,226,043, with an average fine costing €627,361.

The second and third most common reasons for GDPR fines are “insufficient technical and organisational measures to ensure information security” (155) and “non-compliance with general data processing principles” (149) – totalling nearly €850m in fine payments between the two.

Jake Moore, cyber security specialist at ESET, commented on the findings: “In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.

“Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.

“It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”

Amazon received the largest ever fine (of €746,000,000; in 2021) for non-compliance with general data processing principles. Google and H&M were fined €50,000,000 and €35,258,708 respectively for their GDPR violations. Grupo TIM and BA received penalties of €27,800,000 and €22,046,000 respectively.

Table: The countries with the highest number of GDPR fines (Source: ESET)

    Share Story:


Cyber physical risks
Property damage as a consequence of cyber attack is often excluded from standard property policies, but as the industrial internet of things expands, so too do the risks. This podcast examines the evolving threat landscape. Published October 2021

Financial institutions were early adopters of cyber security and insurance. Are they still on top of the game?
Managing huge amounts of sensitive data online makes financial institutions a prime target for hackers. As such, the sector was an early cohort for insurers in creating cyber cover. Since then, the market has evolved almost beyond recognition. It continues to challenge itself to this day, complying with rigorous regulatory demands and implementing avant-garde enhancements to keep abreast of the ever-changing risks. Published June 2021