
Numbers and figures

GDPR Enforcement Tracker Report - Numbers and Figures
  1. Overall Top 10 Fines
  2. Business Sectors – Summary
  3. Countries – Top 10
  4. Type of Violation
  5. Chronology
  6. Outlook

Overall Top 10 Fines

| Controller/Processor | Country | Fine [€] | Type | Date |
|---|---|---|---|---|
| British Airways* | United Kingdom | 204,600,000 | Insufficient technical and organisational measures to ensure information security | 08 July 2019 |
| Marriott International, Inc* | United Kingdom | 110,390,200 | Insufficient technical and organisational measures to ensure information security | 09 July 2019 |
| Google Inc. | France | 50,000,000 | Insufficient legal basis for data processing | 21 January 2019 |
| TIM (telecommunications operator) | Italy | 27,800,000 | Insufficient legal basis for data processing | 15 January 2020 |
| Austrian Post | Austria | 18,000,000 | Insufficient legal basis for data processing | 23 October 2019 |
| Deutsche Wohnen SE | Germany | 14,500,000 | Non-compliance with general data processing principles | 30 October 2019 |
| Telecoms provider (1&1 Telecom GmbH) | Germany | 9,550,000 | Insufficient technical and organisational measures to ensure information security | 09 December 2019 |
| Eni Gas e Luce | Italy | 8,500,000 | Insufficient legal basis for data processing | 11 December 2019 |
| Google LLC | Sweden | 7,000,000 | Insufficient fulfilment of data subjects' rights | 11 March 2020 |
| Eni Gas e Luce | Italy | 3,000,000 | Insufficient legal basis for data processing | 11 December 2019 |

*Please find additional information about these fines below.

A look at the type of violation in the "Top 10 Fines" shows that data processing with an insufficient legal basis and insufficient technical and organisational measures are most likely to result in significant fines.

The overview illustrates that to date the highest fines have been levied in the United Kingdom. However, in both cases the underlying deficiencies affected a large number of data subjects, which in itself warrants higher fines. Additionally, it should be noted that in these two instances, at the time of writing, the United Kingdom's DPA, the ICO, has only handed down a notice of intent to fine the respective companies; no fines have been imposed yet. For this reason, we have excluded these two cases from the further statistical and sector-specific analysis. It therefore appears too early to draw any conclusions as to which countries tend to impose particularly high fines.

Business Sectors – Summary

The data shows that as of today, the highest average fines have been levied in the media, telecoms and broadcasting and transportation and energy sectors. Not only were the highest average fines imposed in the media, telecoms and broadcasting sector, but the number of fines was also higher than in any other sector. While this might be read as indicating that the media, telecoms and broadcasting sector is particularly inclined to disregard GDPR requirements, that may not necessarily be the case. Other factors could also have led to this result. In particular, it may be due to a comparatively large number of relevant entities in this area, the higher exposure to the public of the entities or just greater attention or a stronger sector focus by the authorities.

There were comparatively few fines in transportation and energy, but the fines involved a relatively high average amount. This may indicate that finable violations in this field are rare, but when they occur they are severe and therefore subject to high fines.

In the health care sector – and thus in the area of particularly sensitive health data – the authorities fortunately seem to have had to sanction only a small number of cases so far. The fines imposed were also comparatively low. This may indicate that the underlying GDPR violations were comparatively minor.

Countries – Top 10

Thus far, the Spanish data protection authority has been most active with regard to issuing fines, with a total of 73 instances. Other countries with comparatively high fining activity include Hungary, Germany and Romania, which are all at roughly the same level of around 20 fines. Nevertheless, these three countries together issued fewer fines than Spain alone.

The reasons for this are not evident from the data. It could be due to differences in the number of staff tasked with evaluating cases and handing down fines, for example. This may be because countries with more fines allocated more staff to their authorities in total, or because the staff within the authority focus more on pursuing violations than is the case in other countries. Another potential explanation could be that the focus of the authorities varies: while some may put more emphasis on providing advice before issuing fines, others may combine the approaches and directly issue fines.

A look at the average fines below shows that the average fine in Spain is lower than in Germany, for example.


Type of Violation

We also analysed the DPAs' justifications for the fines. Each fine is attributed to one of the following 10 categories:

  • Insufficient technical and organisational measures to ensure information security
  • Insufficient legal basis for data processing
  • Non-compliance with general data processing principles
  • Insufficient fulfilment of data subjects' rights
  • Insufficient fulfilment of information obligations
  • Lack of appointment of data protection officer
  • Insufficient fulfilment of data breach notification obligations
  • Insufficient data processing agreement
  • Insufficient cooperation with supervisory authority
  • Insufficient fulfilment of data breach obligations

Out of these categories, the largest number of fines (and also the highest fines) were issued for processing activities having an insufficient legal basis. The second most frequent reason for fines was data processing activities that featured insufficient technical and organisational measures to ensure information security, followed by fines for disregarding general processing principles and for insufficient fulfilment of the data subjects' rights.

So far, only very few fines have been imposed for cases of violations of obligations in the context of data breaches, for lack of cooperation with the supervisory authority, missing processing agreements or failure to appoint a data protection officer. In each of these cases, fewer than 10 fines were imposed. Data relating to this area should therefore be treated particularly carefully.

Chronology

The data on the number of fines issued each month shows that the authorities started out by mainly surveying developments in the market. We can see a relatively steady number of fines over the course of the year, with the absolute number of fines per month increasing from month to month. After the initial "orientation phase", data protection authorities appear to have been ramping up their enforcement efforts.

The relative peak in December may be down to statistical reasons, since fines from the respective year without a specific month are attributed to December.

Up to March 2020, a total of 239 penalty notices had been issued and recorded in our database, totalling around EUR 152.6 million (again, this excludes two significant penalties in the United Kingdom). In the period covered by the survey, the average fine was approximately EUR 638,000 across all countries.

Outlook

DPAs across Europe appear to be aware of their role not only as supervising and penalty-imposing institutions but also as advisors. It seems that authorities allowed both data controllers and themselves an initial period to get acquainted with the new data protection regime under the GDPR. During that phase, relatively few fines were handed down. This phase is over now and fines are increasing in number.

The size of the fines is determined by individual circumstances. Therefore, fines currently vary widely from case to case and no clear trend is apparent. However, authorities across Europe are working on frameworks to ensure consistent and comparable fines for comparable cases.

With best practices being established for data processing and data protection authorities ramping up their staff, a further increase in the number of fines is to be expected. Data protection will continue to be closely scrutinised by the authorities, and data controllers are best advised to continuously monitor and improve their processes and security measures.

All business sectors have been affected by the COVID-19 pandemic. Authorities may therefore show some leniency towards companies facing economic difficulties, but no enterprise should rely on such leniency. They should be as prepared as ever to ensure GDPR compliance.
