
GDPR Enforcement Tracker Report

What a year for GDPR enforcement: 2021/2022 saw various landmark cases including: a new record fine of EUR 743 million; the total amount of all fines since May 2018 exceeding the EUR 1 billion mark in summer 2021; and the total number of cases passing 1,000 in early 2022. Landmark cases were widely reported, obviously drawing a lot of public attention and increasing overall awareness of data protection law. However, there is a GDPR enforcement reality beyond record fines and it may be worth taking a closer look: focussing solely on severe fines could lead to fear and even reluctance or ignorance on compliance issues.

We still believe that facts are better than fear.

Our continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear: in contrast, the annual GDPR Enforcement Tracker Report (“ET Report”) is our deep dive approach and permits greater insight into the world of GDPR fines.

We are pleased that our analysis for this third edition of the ET Report is based on a larger overall data set with more than 1,031 cases.

Numbers & Figures and Enforcement Insights per Business Sector

The third edition again kicks off with the statistical analysis of the existing fines in the “Numbers and Figures” section followed by the tried and tested “Enforcement Insights per Business Sector”:

  • Finance, insurance, and consulting
  • Accommodation and hospitality
  • Health care
  • Industry and commerce
  • Real estate
  • Media, telecoms, and broadcasting
  • Public sector and education
  • Transportation and energy
  • Individuals and private associations

as well as the overarching Employment category.

Your takeaways

The Enforcement Insights permit first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We have also analysed the DPAs’ reasoning for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications for data protection litigation - in particular, data subjects’ claims for material or immaterial damages according to Art. 82 GDPR are on the rise. This trend is unlikely to stop, in particular as it is supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of, and resources needed for, data protection claims management.

Local law and practice matter – Enforcement Insights per country

After four years of applying GDPR, we are not the only ones to have learned that, despite the GDPR “full harmonisation” approach, there is virtually no other area that has been shaped more by national laws and official practice than that of GDPR fines. This may be the reason why Spain tops the list of countries with the most fines again this year. Whereas an extended in-depth analysis of the reasons for local deviations would exceed our capacities, we have asked fellow privacy professionals in various jurisdictions to provide some background information on the local data protection enforcement landscape (Editor’s note: the United Kingdom remains in the ET Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures, at least for now, regulatory consistency regardless of Brexit). An “Enforcement Insights per country” section will be added to the ET Report by the end of June – so stay tuned to learn more about this relevant topic.

What’s next?

Both the ET Report and the Enforcement Tracker are living projects. We highly appreciate any form of feedback (of course, constructive is preferred…) and want to thank everybody who has reached out over the last year.

We have received interesting thoughts, hints on forgotten fines (hidden deep in remote corners of a supposedly completely captured world), and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU. These last demonstrate that the data protection landscape is quickly evolving on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have interacted with peers from the legal profession, and privacy professionals with an advanced tech background, as well as researchers from various disciplines.

We urge you to continue this dialogue. And we apologize in advance if our feedback takes a little time: the world of data protection is not a quiet one right now.


 Executive Summary

GDPR Enforcement Tracker Report - Executive Summary
As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download.


Numbers & Figures

This section contains our statistical analysis of existing fines.


Enforcement Insights by business sector

Enforcement Insights per country

Despite the GDPR's full harmonisation approach, there is hardly another regulatory area still shaped more by local laws and official practice than GDPR enforcement. CMS data protection lawyers from various jurisdictions have provided background information on their respective local 'enforcement landscape'. In line with the 'living project' concept of the Enforcement Tracker and the ET Report, we are already working to shed further light on the local differences aspect in particular. More on this in the next edition of the ET Report in May 2023 at the latest - if we notice something important, we may ring some bells sooner.

Methodology & Contacts

Every prescription drug comes with a leaflet containing dire warnings about risks and side effects (Beipackzettel in German). We regret that there is also some small print for the ET Report.



GDPR Enforcement Tracker


Our online database contains all publicly known GDPR fines imposed by data protection authorities in EU member states and the UK since 25 May 2018.



Key contacts

More information on the people behind the ET Report and details of all CMS Data Protection Contacts in the Executive Summary (PDF version).
