A look back at the last few years suggests that the authorities initially mainly monitored developments in the market or dealt with legacy cases that were not yet covered by the GDPR. With the exception of a fine of EUR 400,000 against a hospital in 2018, this initial period of reflection was rather moderate, both in terms of fines and number of fines. After this initial "orientation phase", DPAs have intensified their enforcement efforts in 2019, 2020, 2021 and 2022. While massive fines were already imposed on "Big Tech" in 2022, this was trumped in 2023 with the first fine in the billions, bringing the total amount of fines to over EUR 4 billion.
Now, in the 5th edition of the GDPR Enforcement Tracker Report, with a cut-off date of 1 March 2024, a total number of 2,086 fines (+510 in comparison to the GDPR Enforcement Tracker Report 2023) have been recorded in the CMS Enforcement Tracker database (2,225 if fines with limited information on amount or date are also counted) amounting to a sum of fines of around EUR 4.48 billion (+1.71 billion in comparison to the GDPR Enforcement Tracker Report 2023). In the reporting period 2018-2024, the average fine was EUR 2,142,712 across all countries.
[Charts: Total sum of fines; Total number of fines]
Overall Top 10 Fines
| Controller/Processor | Country | Fine [€] | Type | Date |
|---|---|---|---|---|
| Meta Platforms Ireland Limited | Ireland | 1,200,000,000 | Insufficient legal basis for data processing | 12.05.2023 |
| Amazon Europe Core S.à.r.l. | Luxembourg | 746,000,000 | Non-compliance with general data processing principles | 16.07.2021 |
| Meta Platforms, Inc. | Ireland | 405,000,000 | Non-compliance with general data processing principles | 05.09.2022 |
| Meta Platforms Ireland Limited | Ireland | 390,000,000 | Non-compliance with general data processing principles | 04.01.2023 |
| TikTok Limited | Ireland | 345,000,000 | Non-compliance with general data processing principles | 01.09.2023 |
| Meta Platforms Ireland Limited | Ireland | 265,000,000 | Insufficient technical and organisational measures to ensure information security | 25.11.2022 |
| WhatsApp Ireland Ltd. | Ireland | 225,000,000 | Insufficient fulfilment of information obligations | 02.09.2021 |
| Google LLC | France | 90,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Facebook Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Google Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
A look at the type of violation in the "Top 10 Fines" shows that data processing with an insufficient legal basis is most likely to result in significant fines (4 of 10 fines), as is data processing that does not comply with general data processing principles (4 of 10 fines). Unlike last year, when non-compliance with general data processing principles led the "Top 10 Fines", this year the leading category is insufficient legal basis for data processing.
The overview illustrates that the highest fine, in the amount of EUR 1.2 billion, originates from Ireland and was imposed on Meta Platforms Ireland Limited. This is the first fine in the billions to date. The Irish Data Protection Authority imposed another substantial fine on TikTok Limited this year, making it the supervisory authority that has imposed the most massive fines to date (six of the top ten highest fines in total).
Business Sectors – Summary
[Chart: Fines by sector]
The data shows that, to date, the highest average fines were levied in the sectors "Media, Telecoms and Broadcasting", "Industry and Commerce", and "Transportation and Energy". Also, the sectors with the highest number of fines to date are the "Media, Telecoms and Broadcasting" and "Industry and Commerce" sectors. While this may be read as an indication that such sectors are particularly inclined to disregard the GDPR requirements, this is not necessarily the case. This may also be due to a comparatively large number of relevant companies in these sectors, the increased exposure of these companies to the public, or simply due to some extraordinary fines in these sectors (e.g. the extraordinary fine in the amount of EUR 746 million in the Industry and Commerce sector) or increased attention or focus by the authorities (e.g. in Spain regarding the Media, Telecoms and Broadcasting sector, where the Spanish authority has already issued over 60 fines against a particular Spanish telecommunications provider).
There were comparatively few fines in the fields of "Accommodation and Hospitality" and "Real Estate". While this is also true for the "Transportation and Energy" sector, the fines in this sector had a high average amount. This may indicate that fineable violations in these fields are rare, but that when they do occur, they are serious and therefore carry high fines. This trend could also be observed in the previous year.
Countries – Top 10
[Chart: Number of fines per country]
Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.
Thus far, the Spanish Data Protection Authority has shown the most activity in terms of issuing fines and publishing issued fines, with a total of 802 fines (+219 in comparison to the GDPR Enforcement Tracker Report 2022). Other countries with comparatively high fine activity are Italy, Romania and Germany, which have each imposed between 74 and 343 (published) fines. Nevertheless, those three countries together have published fewer fines than Spain alone.
The reasons for this are not evident from the data. The difference could, for example, be due to differences in the publication practice for fines: while some countries also publish smaller fines of a few hundred euros, other countries seem to limit publication to larger fines. Another reason for the differences between the countries could be the number of staff involved in evaluating cases and handing down fines. This may either be because countries with more fines allocate more staff to their authorities in total, or because the staff within the authority are more focused on pursuing violations than is the case in other countries.
Another potential explanation could be that the focus of the authorities varies: while some may put more emphasis on consultation before issuing fines, others may issue fines directly.
A look at the following average fines shows that the average fine in Spain is much lower than in most other countries:
[Charts: Average fine by country; Sum of fines by country]
Type of violation
[Chart: Fines by type of violation]
Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.
We have also analysed the DPAs' justifications for the fines. Each fine in the GDPR Enforcement Tracker Report and on the GDPR Enforcement Tracker Website is attributed to one of the following nine categories:
- Insufficient legal basis for data processing
- Insufficient technical and organisational measures to ensure information security
- Non-compliance with general data processing principles
- Insufficient fulfilment of data subjects' rights
- Insufficient fulfilment of information obligations
- Insufficient cooperation with supervisory authority
- Insufficient fulfilment of data breach notification obligations
- Lack of appointment of data protection officer
- Insufficient data processing agreement
Within these categories, most fines were issued for processing activities that had an insufficient legal basis. The second most frequent reason for fines was data processing that did not comply with general data processing principles, followed by fines for insufficient technical and organisational measures to ensure information security, insufficient fulfilment of information obligations and insufficient fulfilment of data subjects' rights.
Non-compliance with general data processing principles was not only the second most common reason for fines; the extraordinarily high fines imposed against Amazon, Meta and TikTok also mean that the average fine in this category is significantly higher than for any other type of violation.
So far, only very few fines have been imposed for insufficient cooperation with the supervisory authority, for violations of obligations in the context of data breaches, for insufficient involvement of a data protection officer or for missing data processing agreements. This trend could also be observed in the previous year.
Outlook
DPAs across Europe appear to be mindful of their role not only as supervising and penalising institutions, but also as advisors. It appears that in 2018, authorities allowed an initial phase for both data controllers and themselves to get acquainted with the new data protection regime under the GDPR. During that phase, relatively few fines were handed down. This phase is over, and the number of fines has been increasing since 2019. Since 2022, "Big Tech" in particular has been the focus of regulators, and in 2023 the first billion-euro fine under the GDPR was levied, marking a significant milestone in data protection enforcement. Moreover, there was another massive fine in the hundreds of millions, further emphasising the strict enforcement of data protection regulations.
Data protection will continue to be under the close supervision of the authorities, and data controllers are best advised to continuously monitor and improve their processes and security measures.