GDPR Enforcement in Industry & Commerce

Deep dive into relevant data protection enforcement cases and insights for industry & commerce

21 May 2026 North Macedonia 7 min read

In the industry and commerce sector, DPAs from all 27 EU countries have so far imposed 588 fines (+94 compared to the 2025 ETR). This is the highest number of fines imposed across all sectors. The total fine volume of EUR 394 million (+EUR 187 million compared to the 2025 ETR) corresponds to an average penalty of approx. EUR 670,000. Previously, the second highest fine ever imposed under the GDPR fell within this sector (EUR 746 million against Amazon in 2021); however, this decision was set aside by the Luxembourg Administrative Court on 12 March 2026 (Case No. 52757C) and referred back to the Luxembourg Supervisory Authority (CNPD) for reconsideration.

The industry and commerce sector is relatively heterogeneous and covers tech companies such as online platforms, software developers and AI startups as well as "old industry" such as grocery store chains. DPAs have shown increased interest in this sector in the past year. This is evidenced by the high number of newly imposed fines in 2025 (+94) compared to the previous year (+40). The increase in total fine volume to EUR 394 million was significantly influenced by a EUR 150 million fine imposed by the French Data Protection Authority against Infinite Styles Services Co. Limited (ETid-2864), which is the biggest individual fine ever imposed in this sector.

Most companies in this sector were fined due to an insufficient legal basis for data processing (135), non-compliance with general data protection principles (109), and insufficient technical and organisational measures to ensure information security (108). The Spanish Data Protection Authority (AEPD) remains the most active authority, imposing almost 40% of all fines in this sector (224), followed by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP: 88) and the Italian DPA (Garante: 82).

Key numbers

  • Total number of fines: 588
  • Total amount: EUR 394,979,927
  • Avg./median: EUR 671,734
  • Biggest fine: EUR 150,000,000

Let's take a closer look

  • The highest fine in the industry and commerce sector in 2025, EUR 150 million, was imposed by the French Data Protection Authority (CNIL) against Infinite Styles Services Co. Limited on 9 September 2025 (ETid-2864). After the EUR 746 million fine against Amazon imposed in 2021 was set aside by the Luxembourg Administrative Court in March 2026, the EUR 150 million fine against Infinite Styles is now the highest individual fine in this sector. Infinite Styles Services Co. Limited is an Irish company within the Shein group that supports the operation of Shein’s online fashion platform in Europe. Cookies on the Shein website were used unlawfully, meaning that there was no sufficient legal basis for the processing of users’ personal data: the controller did not obtain users’ consent before placing cookies, the cookie banner contained incomplete information, and the website’s mechanism for refusing or withdrawing consent was inadequate. The CNIL justified the high amount of the fine by referring to the very high user traffic on the platform, which resulted in a very large number of affected individuals, as well as the economic size of the Shein group.
     
  • Because of GDPR infringements related to a cyberattack in 2023, the UK Information Commissioner’s Office (ICO) imposed fines of EUR 9.18 million (GBP 8 million) against Capita plc (ETid-2898) and EUR 6.88 million (GBP 6 million) against Capita Pension Solutions Limited (ETid-2899) on 15 October 2025. Capita plc is a UK-based outsourcing and professional services company that provides a wide range of services, including IT services, data management and administrative outsourcing. Capita Pension Solutions Limited (CPSL) is a subsidiary of Capita plc specialising in the administration and operational management of occupational pension schemes. During the cyberattack, the attackers gained access to CPSL’s pension administration system. In addition, the personal data of 6.6 million people processed by Capita plc was compromised. The ICO identified inadequate security controls that allowed the attackers to escalate privileges and move laterally through internal systems, and emphasised that known vulnerabilities had not been remedied in time. The ICO concluded that the personal data was not processed securely enough and that the processor had not implemented the protective measures required under the GDPR. The amount of the fine was influenced by the number of affected individuals and the systemic nature of the security deficiencies. The penalty could have been significantly higher, but Capita cooperated with the investigation and implemented improvements to its cybersecurity.
     
  • On 30 December 2025, the French DPA (CNIL) fined an unnamed company EUR 3.5 million (ETid-2998). The company transferred personal data from its customer loyalty programme to a social media platform for targeted advertising purposes. The transferred data included email addresses and telephone numbers, which were used to match loyalty programme members with their user accounts on the platform. The CNIL concluded that the processing lacked a legal basis under the GDPR and that the consent obtained for the loyalty programme did not cover the transfer to the platform. The investigation also identified additional infringements, including insufficient transparency towards users, failure to conduct a required Data Protection Impact Assessment, and unlawful placement of cookies without prior consent. The amount of the fine was influenced by the large number of affected individuals (10.5 million) and the fact that the company had engaged in this practice since 2018.

Main takeaways

Non-compliance with general data protection principles and the absence of a valid legal basis for processing continue to be the most common triggers for significant fines in the industry and commerce sector. Violations of information obligations towards data subjects are also regularly investigated by supervisory authorities.

The French CNIL fine against Infinite Styles Services Co. Limited (ETid-2864) illustrates how large online platforms face heightened scrutiny when large-scale tracking technologies are deployed without valid consent. The scale of the platform and the high number of affected individuals significantly influenced the amount of the fine.

The enforcement actions against Capita plc and Capita Pension Solutions Limited (ETid-2898, ETid-2899) highlight the risks associated with large-scale processing of sensitive customer data combined with insufficient cybersecurity safeguards. Cyberattacks can trigger GDPR enforcement because they expose existing cybersecurity deficiencies.

Compliance hotspots

  • A closer look at the captured enforcement cases in this sector shows that most penalties originate from a small number of recurring compliance failures. Approximately one quarter of all fines in this sector relate to an insufficient legal basis for processing personal data. Nearly 20% are linked to violations of general data protection principles. These categories are common across multiple sectors. However, failures to properly fulfil information obligations towards data subjects appear particularly frequently in the industry and commerce sector, which accounts for roughly half of all cases in that category.
     
  • E-commerce platforms and online retailers face specific enforcement risks. Website architecture, particularly the design of cookie banners and tracking mechanisms, must ensure valid consent before personal data is processed. Another major risk area is cybersecurity. The enforcement action against Capita plc demonstrates how large-scale processing of customer data combined with insufficient technical and organisational measures can lead to substantial fines.

Outlook

The sharp increase in the number of fines in 2025 compared to 2024 raises the question of which issues supervisory authorities are likely to focus on in the near future. It stands to reason that large and visible players are more likely to be targeted and subject to significant fines. The cross-border data processing structures of large digital retail platforms operating in the EU market may also be subject to increased scrutiny by regulators.

Online tracking technologies and cookie compliance are expected to remain a key enforcement topic in 2026. Authorities are likely to examine whether companies obtain valid consent before deploying tracking technologies and whether users receive clear and complete information about data processing.

Another emerging focus area is the processing of biometric and surveillance data in physical retail environments. The use of identification technologies or behavioural analytics systems in stores may trigger stricter regulatory scrutiny because biometric data falls within special categories of personal data under the GDPR.

Data sharing with third parties, particularly advertising networks, analytics providers and social media platforms, is also likely to remain a key enforcement topic. Supervisory authorities are expected to examine whether customer data used for targeted advertising or audience matching is processed on a valid legal basis and whether the processing is transparent for users.
