Analyzing GDPR Fines – who are largest violators?

Fines from the GDPR have been rolling in since its inception in 2018. This article investigates who are the largest penalty recipients by country, the amounts, and private individuals.

By Joe Robinson, Cybersecurity Researcher.

Since its implementation in May 2018, European data protection authorities have issued over 200 fines relating to GDPR. The offences range from unlawful monitoring of employees to improperly handling user data and inadequate technological measures for avoidance of data breaches.

New research from PrivacyAffairs collates official data from national data protection bodies into an up-to-date dashboard that monitors the application of GDPR fines.

Notably, some authorities tend to jump at the opportunity to issue fines, whereas others seem content in keeping the number to a bare minimum. The Spanish Data Protection Authority shows a particularly zealous application of the regulations and has issued more fines than any other national body, at 60 and counting.


Number of GDPR fines by country:

  • Spain: 60
  • Romania: 22
  • Germany: 21
  • Bulgaria: 16
  • Hungary: 14
  • Czech Republic: 11
  • Austria: 8
  • Cyprus: 8
  • Italy: 7
  • Belgium: 6

EU countries by number of GDPR fines.

The second highest number of fines comes from Romania. The National Supervisory Authority for Personal Data Processing has issued 22 fines to date, with €3000 issued to Legal Company & Tax Hub SRL for Failure to implement sufficient measures to ensure information security, and €80,000 issued to ING Bank N.V. Amsterdam for failure to implement adequate technical measures to ensure the protection of personal data.

UK organisations have been issued just five fines, totaling €640,000, by the Information Commissioner. The average penalty within the UK is €160,000. This does not include two potentially massive fines that are pending review.

British Airways could face a fine of €204,600,000 for a data breach in 2019 that resulted in the loss of personal data of 500,000 customers.

Similarly, Marriott International suffered a breach that exposed 339 million people’s data. The hotel group faces a fine of €110,390,200, but is fighting to avoid it being issued.

The reason that these massive fines are still pending is that the UK ICO issued a notice of intent to issue a fine, as opposed to an actual fine. This gives the organisation the opportunity to return with lawyers and drag the case out for as long as possible, probably years, and drain the resources of the national authority.

Another key detail about GDPR enforcement is that the regulations are applicable to each European Union nation, but also that each nation is able to interpret the rules, and punishments for breaking them, differently.


Breakdown of GDPR fines by amount:

  • France: €51,100,000
  • Italy: €39,360,000
  • Germany: €25,085,725
  • Austria: €18,070,100
  • Bulgaria:  €3,198,460
  • Spain: €1,882,670
  • Netherlands: €1,410,000
  • Poland: €934,330
  • Greece: €735,000
  • UK: €640,000

Top 10 countries by amount of GDPR fines.

The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 Million was issued on the basis of “lack of transparency, inadequate information, and lack of valid consent regarding ads personalization.”

In Romania, the ING Bank N.V. Amsterdam was fined €80,000 for not implementing adequate technical measures to ensure the protection of personal data, whereas 1&1 Telecom GmbH was fined €9,550,000 by The Federal Commissioner for Data Protection and Freedom of Information in Germany for a similar technical problem.

While the exact nature of the two offences is different, the fact remains that there is a huge difference in the level of fine issued.

In Spain, Amador Recreativos, S.L was issued a €3,600 fine for improper use of surveillance footage, and Vodafone España, S.A.U., was fined €75,000 for a technical error resulting in invoices being sent to a former customer. Vodafone Spain was also previously fined €75,000 for transferring a phone contract to a third party without the account holders' knowledge or consent.


Private individuals issued GDPR fines:

8 private individuals have also been fined a total of €46,921 including:

  • €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players while they were taking showers.
  • €300 issued to a car owner in Austria for unlawful use of a dash-cam.
  • €2,200 issued to a person in Austria for having unlawfully filmed public areas using a private CCTV system. The system filmed parking lots, sidewalks, a garden area of a nearby property, and it also filmed the neighbours going in and out of their homes.
  • €800 issued to a person in Spain who created a fake profile of a female colleague on an erotic website. The profile contained the affected person’s contact details and pictures as well as information of sexual nature.
  • €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipient's email addresses. Over 130 email addresses were visible.

Bio: Joe Robinson has been working in the cybersecurity field for over seven years and has a passion for analysis and debate. He loves learning new technologies and software, and regularly uses everything from Kali Linux to Pro-tools. When not writing about digital security, Joe helps businesses improve their website usability and spends his free time playing guitar and reading about data science, IoT, and philosophy.