The Biggest GDPR Fines to date

GDPR fines: you’ve surely heard about companies that have been fined millions because they weren’t GDPR-compliant. These sanctions can have serious consequences for businesses of all sizes.

It’s not only about the monetary value of the sanction, but also about the reputational damage that comes with it.

In this post, we’ll go over the biggest GDPR fines issued so far, to help you understand which criteria the European Data Protection Authorities take into consideration when evaluating GDPR breaches.


But first, let’s quickly recap…

How are GDPR fines calculated?

Fines for non-compliance can go up to 20 million euros, or 4% of the annual worldwide turnover (whichever is greater).

Users have the right to file a complaint with a supervisory authority if they feel that the processing of their data wasn’t GDPR-compliant, and ask for compensation for any damages.

Moreover, these sanctions can also include official reprimands (for first-time violations), periodic data protection audits and liability damages.

Top 10 GDPR fines by amount

Let’s go over the largest GDPR fines issued so far.

[Figure: Top 10 GDPR fines. Image credit: GDPR Enforcement Tracker]

1. Amazon Europe, €746 million

The biggest GDPR fine was issued by the Luxembourg DPA on July 16th, 2021. The DPA fined Amazon Europe 746 million euros, after a series of 10,000 complaints filed by the French group La Quadrature du Net.

The Authority found that Amazon was showing targeted advertising without the users’ proper consent.

2. Meta Platforms, Inc., €405 million

On September 5th, 2022, Ireland’s Data Protection Commission issued a 405 million euro fine to Meta Platforms, Inc.

The DPC investigated the processing of children’s personal data and found that the company was publicly disclosing email addresses and/or phone numbers of children using the Instagram business account feature.


3. Meta Platforms Ireland Limited, €390 million

On January 4th, 2023, Ireland’s Data Protection Commission (DPC) issued another 390 million euro fine against Meta Ireland Limited.

After NOYB filed three different complaints, the DPC concluded that the processing on the basis of a contract for personalized ads is not GDPR-compliant. Meta was relying on a consent clause in their Terms of Service to show its users personalized ads.


4. Meta Platforms Ireland Limited, €265 million

On November 25th, 2022, Ireland’s DPC fined Meta 265 million euros.

The DPA launched an investigation in April 2021, after media reports revealed that a Facebook dataset had been made available on the internet. This data breach affected the personal information of 533 million users.

Meta was fined because it wasn’t complying with the principles of Privacy by Design and Privacy by Default stated in the GDPR.


5. WhatsApp Ireland Ltd., €225 million

On September 2nd, 2021, Ireland’s Data Protection Commission issued a 225 million euro fine against WhatsApp Ireland, in conclusion to an investigation that had started in 2018.

WhatsApp wasn’t complying with the GDPR principle of transparency: it did not give users enough information about its processing activities and the legal basis it was relying on.

Update: on January 19th, 2023, the DPC issued a further €5.5 million fine.

6. Google LLC., €90 million

On December 31, 2021, the CNIL issued a 90 million euro fine to Google LLC, because it wasn’t complying with the French Data Protection Act.

In particular, the CNIL found that YouTube users couldn’t reject cookies as easily as they could accept them. Besides the fine, Google LLC was given three months to change the look and functioning of its cookie banner.

[Figure: YouTube cookie banner after the CNIL sanction]

7. Google Ireland Ltd., €60 million

A smaller fine of 60 million euros was issued by the CNIL to Google Ireland Ltd.

The reason was the same as above, but this time it concerned the website google.fr.

8. Facebook Ireland Ltd., €60 million

On the same day, December 31, 2021, the CNIL also fined Facebook Ireland 60 million euros.

The reason was the same: Facebook users couldn’t reject cookies as easily as they could accept them.

9. Google LLC, €50 million

On January 19th, 2019, CNIL fined Google LLC 50 million euros after a series of complaints by NOYB and La Quadrature du Net.

The main reasons for this fine were a lack of transparency, insufficient information and a lack of valid consent. Users didn’t have enough information about the processing of their personal data.

This was one of the first big fines issued under GDPR.

10. H&M Hennes & Mauritz, €35.2 million

On October 1st, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information issued a 35.2 million euro fine to H&M.

Since at least 2014, some employees had been subject to extensive recording of details about their private lives. These details – such as vacation experiences, but also symptoms of illness and diagnoses – were recorded, stored, and used to make decisions about their employment.

The DPA became aware of this violation only because, due to a technical error, the data was accessible to everyone in the company for a few hours.

Which European countries have issued the highest number of fines?

[Figure: GDPR fines by country. Image credit: GDPR Enforcement Tracker]

While these sanctions are huge, there are also smaller fines that are issued every day. European DPAs are very active in monitoring GDPR compliance.

Here are the top 10 EU countries with the highest number of GDPR fines issued so far:

  1. Spain
  2. Italy
  3. Romania
  4. Germany
  5. Hungary
  6. Greece
  7. Norway
  8. Poland
  9. Belgium
  10. France

Can small businesses be fined for GDPR non-compliance?

Yes, it can happen. Of course, your small business probably won’t receive a fine as huge as the ones above, but even a smaller amount can really impact your processes.

Also, don’t forget that a monetary sanction isn’t the only consequence of non-compliance: official reprimands, periodic data protection audits and liability damages can be as scary as a fine. Not to mention the reputational damage a GDPR sanction can cause.

But don’t worry! GDPR compliance doesn’t have to be difficult. 
