Home / GDPR Enforcement Tracker Report

GDPR Enforcement Tracker Report - 2nd edition 2021

Introduction

When the GDPR was already in force, but not yet applicable (and not a single fine had been imposed yet), much attention was paid to the formidable fine framework. For many company officers, this caused fear: if I violate the GDPR, I have one foot in jail (or at least my organisation has to pay EUR 20 million or 4% of its global annual turnover, calculated for the whole group, if the company is part of one).

We believe that facts are better than fear.

The continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear, while the annual Enforcement Tracker Report is our deep dive and permits more insights into the world of GDPR fines.


We are pleased that our analysis for this second edition of the ET Report is based on a larger overall data set of more than 570 fine cases, 526 of which made it into the editorial team's worksheet.

More international

We are even more pleased that more international colleagues supported us this time and provided detailed input on enforcement practice, in particular for EU member states in the new member state interviews (Editor's note: the United Kingdom remains part of the Enforcement Tracker Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures regulatory consistency regardless of Brexit).

Local law and practice matter

After almost three years of GDPR application, we are not the only ones to have learned one thing: despite the GDPR's full harmonisation approach, hardly any other area is shaped more by national laws and official practice than GDPR fines. This may be a reason why Spain still tops the list of countries with the most fines this year.

Executive Summary

As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download (or even print out for bedtime reading without a digital device).

Numbers & figures and sector approach

We have put together an overall summary of the existing fines in the "Numbers and Figures" section, followed by tried-and-tested analysis for the following business sectors:

  • Finance, insurance and consulting
  • Accommodation and hospitality
  • Health care
  • Industry and commerce
  • Real estate
  • Media, telecoms and broadcasting
  • Public sector and education
  • Transportation and energy
  • Individuals and private associations
    plus the overarching category
  • Employment

Your takeaways

This in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications in terms of data protection litigation – in particular, data subjects' claims for material or immaterial damages under Art. 82 of the GDPR are on the rise. This trend is unlikely to stop, being in particular supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of and resources needed for data protection claims management.

Methodology

We do not resort to witchcraft nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…) when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. For the "small print", please see our more detailed remarks on methodology. On a more general level, although we have done our best to break down a complex topic into neat pieces, we have resisted the temptation to follow SEO recommendations for the whole content package and would ask you to consider it a "long read" format if you decide to read it in full.

What's next?

The Enforcement Tracker Report and the Enforcement Tracker are a work in progress. We highly appreciate any form of feedback (preferably constructive…) and would like to thank everybody who has reached out over the last year. 

We received interesting ideas, information about forgotten fines (hidden deeply in remote corners of a supposedly completely captured world) and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU – demonstrating that the data protection landscape is evolving rapidly on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have engaged with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines. 

We strongly encourage you to continue engaging with us. And we apologise in advance if our feedback may take some time; the data protection world is not a quiet one right now.

Stay safe – and keep on fighting,
Christian Runte, Michael Kamps, editors and the enforcement tracking and reporting team

more less

Executive summary

As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download.

more less
Read more

GDPR Enforcement Tracker

This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO).

more less
Go to GDPR Enforcement Tracker

How can we help you?

Write us a message and we will get in contact.

Your message was sent. Thank you for contacting us. We will get back to you soon.

Please check these fields.

By including your personal data on this form you agree to it being used in accordance with our Privacy Policy

sending...

Key contacts

Contact
Christian Runte
Christian Runte
Partner
Rechtsanwalt
T +49 89 23807 163
Michael Kamps
Michael Kamps
Partner
Rechtsanwalt
T +49 221 7716 372
Publication
GDPR Enforcement Tracker Report 2021 - Executive Summary
Download
PDF 1.9 MB