GDPR Fines Totalling €158 Million Issued in 340 Cases, Study by PrivacyAffairs Finds
July 22, 2020 GDPR
LONDON, July 15, 2020 /PRNewswire/ — Since rolling out in May 2018, there have been 340 GDPR fines issued by European data protection authorities. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine.
A GDPR tracking dashboard from PrivacyAffairs displays official data from national data protection bodies to monitor the status of GDPR fines.
Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose their own penalties to organisations that break the law.
Nations with the highest fines:
- France: €51,100,000
- Italy: €39,452,000
- Germany: €26,492,925
- Austria: €18,070,100
- Sweden: €7,085,430
- Spain: €3,306,771
- Bulgaria: €3,238,850
- Netherlands: €3,490,000
- Poland: €1,162,648
- Norway: €985,400
Nations with the most fines:
- Spain: 99
- Hungary: 32
- Romania: 29
- Germany: 28
- Bulgaria: 21
- Czech Republic: 13
- Belgium: 12
- Italy: 11
- Norway: 9
- Cyprus: 8
The second-highest number of fines comes from Hungary. The National Authority for Data Protection and Freedom of Information has issued 32 fines to date. The largest being €288,000 issued to an ISP for improper and non-secure storage of customers’ personal data.
UK organisations have been issued just seven fines, totalling over €640,000, by the Information Commissioner. The average penalty within the UK is €160,000. This does not include the potentially massive fines for Marriott International and British Airways that are still under review.
British Airways could face a fine of €204,600,000 for a data breach in 2019 that resulted in the loss of personal data of 500,000 customers.
Similarly, Marriott International suffered a breach that exposed 339 million people’s data. The hotel group faces a fine of €110,390,200.
The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 million was issued on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
Highest fines issued to Private individuals:
- €20,000 issued to an individual in Spain for unlawful video surveillance of employees.
- €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players while they were taking showers.
- €9,000 issued to another individual in Spain for unlawful video surveillance of employees.
- €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipients’ email addresses. Over 130 email addresses were visible.
- €2,200 issued to a person in Austria for having unlawfully filmed public areas using a private CCTV system. The system filmed parking lots, sidewalks, a garden area of a nearby property, and it also filmed the neighbours going in and out of their homes
For questions regarding the research or more information about the team behind the report, contact Joe Robinson at email@example.com or visit PrivacyAffairs.