
GDPR Enforcement Tracker Report - Numbers and Figures

Overall Top 10 Fines

Controller/Processor | Country | Fine [€] | Type | Date
Google Inc. | France | 50,000,000 | Insufficient legal basis for data processing | 21/01/2019
H&M Hennes & Mauritz Online Shop A.B. & Co. KG | Germany | 35,258,708 | Insufficient legal basis for data processing | 01/10/2020
TIM (telecommunications operator) | Italy | 27,800,000 | Insufficient legal basis for data processing | 15/01/2020
British Airways | United Kingdom | 22,046,000 | Insufficient technical and organisational measures to ensure information security | 16/10/2020
Marriott International, Inc | United Kingdom | 20,450,000 | Insufficient technical and organisational measures to ensure information security | 30/10/2020
Wind Tre S.p.A. | Italy | 16,700,000 | Insufficient legal basis for data processing | 13/07/2020
Vodafone Italia S.p.A. | Italy | 12,251,601 | Non-compliance with general data processing principles | 12/11/2020
notebooksbilliger.de | Germany | 10,400,000 | Insufficient legal basis for data processing | 08/01/2021
Eni Gas e Luce | Italy | 8,500,000 | Insufficient legal basis for data processing | 11/12/2019
Caixabank S.A. | Spain | 6,000,000 | Insufficient legal basis for data processing | 13/01/2021

A look at the type of violation in the "Top 10 Fines" shows that data processing with insufficient legal basis and insufficient technical and organisational measures are most likely to result in significant fines.

The overview illustrates that, so far, the highest final fine originates from France. The two UK fines (against British Airways and Marriott International, Inc.), whose notices of intent topped the top 10 list in the 2020 GDPR Enforcement Tracker Report, have now been finally imposed in a reduced amount, also taking into account Covid-19-related factors, as airlines and hotels are among the industries hardest hit by the pandemic.


Business Sectors – Summary



The data shows that, to date, the highest average fines were levied in the sectors "Accommodation and Hospitality", "Transportation and Energy", "Employment" and "Media, Telecoms and Broadcasting". The sector with the highest number of fines to date is the "Industry and Commerce" sector, followed by "Media, Telecoms and Broadcasting". While this may be read as an indication that the Media, Telecoms and Broadcasting sector is particularly inclined to disregard the GDPR requirements, this is not necessarily the case. Other factors could also have led to this result. This may be due in particular to a comparatively large number of relevant entities in this sector, the increased exposure of the entities to the public, or simply to increased attention or focus on the sector by the authorities (e.g. in Spain, where the Spanish authority has already issued over 30 fines against a particular Spanish telecommunications provider).

There were comparatively few fines in the fields of "Accommodation and Hospitality" and "Transportation and Energy", but those fines had a relatively high average amount. This may indicate that finable violations in these fields are rare, but that those which did occur were serious and therefore carried high fines.


Countries – Top 10



Thus far, the Spanish data protection authority has shown the most activity in terms of issuing fines/publishing issued fines, with a total of 172 fines (+99 in comparison to the GDPR Enforcement Tracker Report 2020). Other countries with comparatively high fine activity are Italy, Romania and Hungary, which have imposed between 38 and 51 (published) fines. Nevertheless, those three countries together have published fewer fines than Spain alone.

The reasons for this are not evident from the data. The difference could, for example, be due to differences in the publication practice for fines: while some countries also publish smaller fines of a few hundred euros, other countries seem to limit publication to larger fines. Another reason for the differences between the countries could be the number of staff involved in evaluating cases and handing down fines, either because countries with more fines have allocated more staff to their authorities in total, or because the staff within the authority are more focused on pursuing violations than is the case in other countries. A further potential explanation is that the focus of the authorities varies: while some may put more emphasis on consultation before issuing fines, others may combine the approaches and issue fines directly.

A look at the average fines below shows that the average fine in Spain is much lower than, for example, in Germany:




Type of Violation



We have also analysed the DPAs' justifications for the fines. Each fine in the GDPR Enforcement Tracker Report and on the GDPR Enforcement Tracker Website is attributed to one of the following nine categories:

  • Insufficient legal basis for data processing
  • Insufficient technical and organisational measures to ensure information security
  • Non-compliance with general data processing principles
  • Insufficient fulfilment of data subjects' rights
  • Insufficient fulfilment of information obligations
  • Insufficient cooperation with supervisory authority
  • Insufficient fulfilment of data breach notification obligations
  • Lack of appointment of data protection officer
  • Insufficient data processing agreement

Out of these categories, the most fines (and at the same time the highest fines) were issued for processing activities which had an insufficient legal basis. The second most frequent reason for fines was data processing activities that were subject to insufficient technical and organisational measures to ensure information security, followed by fines for disregarding general processing principles and for insufficient fulfilment of the data subjects' rights. While fines for insufficient fulfilment of information obligations were only the fifth most common reason for fines, the average amount of fines in this type was higher than fines for insufficient fulfilment of data subjects' rights.

So far, only very few fines have been imposed for cases of violations of obligations in the context of data breaches, for lack of cooperation with the supervisory authority, missing processing agreements or failure to appoint a data protection officer.


Chronology


The data on the number of fines issued per month shows that in 2018 the authorities started out by mainly surveying the developments in the market. We can see a relatively steady number of fines over the course of the year, with the absolute numbers of fines per month increasing from month to month. After the initial "orientation phase", data protection authorities appear to have been ramping up their enforcement efforts in the years 2019 and 2020. 2020 ended with some massive fines which catapulted the total amount of fines to over EUR 200 million (December 2020 being the month with the most fines so far: 51 fines). However, the relative peak in December may also have statistical reasons, as fines from the respective year without a specific month are attributed to December.



Up to March 2021, a total of 526 penalty notices (+287 compared to the GDPR Enforcement Tracker Report 2020) – out of 570 overall if one includes fines with limited information on the amount or date – had been issued and recorded in our database, comprising total fines of around EUR 261.67 million (+109.07 million compared to the GDPR Enforcement Tracker Report 2020). In the reporting period, the average fine was around EUR 497,500 across all countries.


Outlook


DPAs across Europe appear to be mindful of their role not only as supervising and penalising institutions, but also as advisors. It appears that in 2018, authorities allowed an initial phase to get acquainted with the new data protection regime under the GDPR for both data controllers and themselves. During that phase, relatively few fines were handed down. This phase is over and the number of fines has been increasing since 2019.

Regarding the amount of the fines, the individual case is decisive. Fines therefore currently vary greatly from case to case and no clear trend is visible. However, authorities across Europe are working on frameworks to ensure consistent and comparable fines for comparable cases (e.g. the fining frameworks in Germany and the Netherlands).

With best practices being established for data processing and with data protection authorities ramping up their staff, a further increase in the number of fines is to be expected. Data protection will continue to be under close supervision of the authorities and data controllers are best advised to continuously monitor and improve their processes and security measures.

All business sectors were affected by the Covid‑19 pandemic. Authorities might therefore show some further leniency towards companies facing economic difficulties (as was already the case with the fines against British Airways and Marriott International, Inc.). But no company should rely on such leniency and they should be as prepared as possible to ensure compliance with the GDPR.

Please note that we have excluded the top 3% of fines and the bottom 3% of fines from the calculation of average values in order not to distort the overall results.
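The average figures in this report (the country averages above and the overall average of around EUR 497,500) are trimmed means: the top 3% and bottom 3% of fines are dropped before averaging. The following is an added example, not code from the GDPR Enforcement Tracker, showing how such a trimmed average and a per-country breakdown are computed. The report does not state how the 3% boundary is rounded or whether trimming is applied per country or across all fines; the choices made here (floor rounding, trimming within each group) and the sample fine amounts are assumptions.

```python
"""Trimmed averages over a list of fines, as used for the report's average figures.

Added example, not code from the GDPR Enforcement Tracker. The report only says
that the top 3% and bottom 3% of fines are excluded from averages; the rounding
of the 3% cut-off (floor), trimming per country, and the sample data are assumptions.
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed sample of (country, fine in EUR). Illustrative only, not Tracker data.
SAMPLE_FINES = [
    ("Spain", 1_500), ("Spain", 3_000), ("Spain", 5_000), ("Spain", 20_000),
    ("Spain", 60_000), ("Spain", 6_000_000),
    ("Germany", 200_000), ("Germany", 10_400_000), ("Germany", 35_258_708),
    ("Italy", 8_500_000), ("Italy", 12_251_601), ("Italy", 16_700_000),
    ("Italy", 27_800_000),
]


def trimmed_mean(values, trim=0.03):
    """Mean of `values` after dropping the lowest and highest `trim` fraction.

    The number of values cut from each end is floored, so a sample with fewer
    than 1/trim values (34 for 3%) loses nothing and the result equals the plain
    mean. This rounding is an assumption; the report does not state its own.
    """
    if not 0 <= trim < 0.5:
        raise ValueError("trim must be in [0, 0.5)")
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no values to average")
    cut = math.floor(len(ordered) * trim)
    kept = ordered[cut:len(ordered) - cut]
    return mean(kept)


def average_by_country(fines, trim=0.03):
    """Trimmed average per country; the cut is applied within each country's fines."""
    by_country = defaultdict(list)
    for country, amount in fines:
        by_country[country].append(amount)
    return {c: trimmed_mean(v, trim) for c, v in sorted(by_country.items())}


def summary(fines, trim=0.03):
    """Number of fines, total amount, and trimmed average across all fines."""
    amounts = [amount for _, amount in fines]
    return {
        "count": len(amounts),
        "total": sum(amounts),
        "average": trimmed_mean(amounts, trim),
    }


if __name__ == "__main__":
    print(summary(SAMPLE_FINES))
    for country, avg in average_by_country(SAMPLE_FINES).items():
        print(f"{country:8s} {avg:>14,.0f}")
    # The effect of trimming only shows on larger samples: 97 fines of EUR 1 and
    # 3 of EUR 1,000,000 average to about EUR 30,001 untrimmed, but EUR 1 trimmed.
    skewed = [1] * 97 + [1_000_000] * 3
    print(trimmed_mean(skewed, trim=0), trimmed_mean(skewed))
```

On the constructed sample no fine is cut (13 values, floor(13 × 0.03) = 0), so the per-country figures equal plain means; the skewed 100-value list at the end shows the trimming removing the three outliers that would otherwise dominate the average.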