GDPR fines pass the €1bn mark

Some 755 fines have so far been issued since the General Data Protection Regulation was introduced in 2018, totalling more than €1bn, according to data compiled by cyber security specialists ESET. The UK has handed out almost £6.9m in penalties – the second highest average in Europe, according to the data.

Spain received the most fines, with 273 – representing just under a third of all fines given for GDPR violations. Italy and Romania received 75 and 60 fines respectively. Despite receiving the most fines, Spain ranks sixth for the total amount fined (€32,440,810). Luxembourg are out in front with €746,060,300 and the UK second with a total of €44,250,000.

The study found that the most common reason for GDPR fines in Europe is “insufficient legal basis for data processing” – the reason stated for 276 incidences of GDPR non-compliance. The total fines for this violation stand at €173,226,043, with an average fine costing €627,361.

The second and third most common reasons for GDPR fines are “insufficient technical and organisational measures to ensure information security” (155) and “non-compliance with general data processing principles” (149) – totalling nearly €850m in fine payments between the two.

Jake Moore, cyber security specialist at ESET, commented on the findings: “In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.

“Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.

“It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”

Amazon received the largest ever fine (€746,000,000, issued in 2021) for non-compliance with general data processing principles. Google and H&M were fined €50,000,000 and €35,258,708 respectively for their GDPR violations. Grupo TIM and BA received penalties of €27,800,000 and €22,046,000 respectively.

Table: The countries with the highest number of GDPR fines (Source: ESET)
