Home / News / GDPR fines exceed EUR 1.5 billion in Europe

GDPR fines exceed EUR 1.5 billion in Europe

01/06/2022

The total amount of published fines in Europe in 2021 for non-compliance with the General Data Protection Regulation (GDPR) has risen to EUR 1.581 billion since the implementation of the GDPR in 2018, according to the third edition of the annual Enforcement Tracker Report by global law firm CMS. The significant increase is largely due to a record EUR 746 million fine in Luxembourg and a EUR 225 million fine in Ireland.

The report by CMS contains an analysis of all publicly available information in relation to GDPR fines across all of Europe. It shows an additional 500 new fines were imposed between March 2021 and March 2022.

Erik Jonkman, head of Privacy & Cybersecurity at CMS in the Netherlands:

"In the Netherlands we also reflect on an extraordinarily interesting year for the GDPR enforcement practice. Never before has the Dutch Data Protection Authority (DPA) imposed this many fines in a single year. Furthermore, the DPA has used its authority to impose fines of several million euros for the first time. We expect the DPA to continue to enforce more and stricter in the coming year."

Insufficient legal basis for data processing most common violation

The processing of personal data without sufficient legal basis continues to be the most common violation and was responsible for eight of the ten highest fines thus far. Non-compliance with data protection principles took the second spot, followed by insufficient information security.

Enforcement differs per member state, new fine policies

On a European level, more than one third of all fines issued were from the Spanish DPA, followed by Italy, Romania and Hungary. GDPR enforcement by DPAs is still significantly shaped by national laws and local practice, despite the overall aim of the GDPR to establish a fully harmonised regulatory framework. New EU-wide "Guidelines on calculation of fines" recently published by the European Data Protection Board (EDPB) aim to create more consistency in the fine policy of European DPAs. This new policy will likely lead to higher fines, particularly for larger organisations with a high revenue.

The full Enforcement Tracker Report is available here:

https://cms.law/en/deu/publication/gdpr-enforcement-tracker-report

The CMS Enforcement Tracker fine database is available here:

https://enforcementtracker.com/

Related people

Portrait ofErik Jonkman
Erik Jonkman
Advocaat
Amsterdam