
Industry & Commerce

In the industry and commerce sector, DPAs from 26 different countries (+2 in comparison to the 2022 ETR) have so far imposed 372 fines (+139 in comparison to the 2022 ETR) on a variety of different enterprises including utility companies, global retailers, grocery store chains and food-delivery services, with a total fine volume of EUR 857 million (+81 million in comparison to the 2022 ETR).

Measured by the number of registered cases, companies in the industry and commerce sector remain heavily affected by GDPR fines. The sector is characterised by the single highest fine ever imposed under the GDPR (EUR 746 million against Amazon in 2021) and by the largest number of registered cases of any sector. While the number of fines kept rising significantly in 2022 (+139), the increase of the total fine volume to now EUR 857 million resulted mainly from four cases brought by different supervisory authorities against Clearview AI Inc. The average fine amount decreased compared to the 2022 ETR from EUR 3.53 million to approximately EUR 2.39 million.

Most companies in this sector were fined for an insufficient legal basis for data processing (93), insufficient fulfilment of information obligations (86) and insufficient technical and organisational measures (TOMs, 57). The Spanish DPA (aepd) remains the most active authority, imposing more than 40% of all fines in this sector (aepd: 154), followed by the authorities of Italy (Garante: 48) and Romania (ANSPDCP: 41).

Let's take a closer look


  • A total of four fines were imposed against Clearview AI Inc. by different DPAs in 2022, totalling EUR 69 million (ETid-1098, ETid-1190, ETid-1268 and ETid-1448). The French, Italian and Hellenic DPAs each imposed fines of EUR 20 million, and the UK DPA imposed an additional fine of EUR 9 million. Clearview AI operates a database of more than 20 billion facial images from around the world. The images are scraped from publicly accessible online sources such as social networks. The company offers a search service that allows individuals to be identified on the basis of the biometric data extracted from the images, and the resulting profiles can be enriched with information associated with those images, such as image tags and geolocation. The investigations found that the personal data in the company's database had been processed without a valid legal basis. In addition, the DPAs found that Clearview AI restricted the exercise of data subjects' rights: access requests were not answered or not answered adequately, and requests had to be submitted several times before receiving a response. Finally, the DPAs criticised Clearview AI's lack of cooperation, as it did not respond, or did not respond properly, to the authorities' investigation questionnaires.
  • In early 2022 the Austrian DPA imposed a fine of EUR 8 million on REWE International AG (ETid-988). In the summer of 2021, the subsidiary 'Unser Ö-Bonus Club GmbH' had already received a fine of EUR 2 million. According to the 'Salzburger Nachrichten' newspaper, the fine is based on various violations of the GDPR. Further details about the case are not known to date.
  • The UK DPA fined the construction group Interserve Group Limited roughly EUR 5 million (ETid-1461). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Interserve had suffered a cyber-attack that began with a phishing email sent to the mailbox of Interserve's accounting team. An employee opened the email and then downloaded and opened an attached zip file, which allowed the attackers to install malware and exfiltrate the personal data of 113,000 employees. The stolen data included, inter alia, bank account information, social security numbers, ethnicity, sexual orientation and religion of the data subjects. The DPA's investigation found that inadequate security measures allowed the attack to succeed. Interserve employees, for example, had not been adequately trained on data protection. In addition, Interserve processed personal data on unsupported operating systems that no longer received security updates for known vulnerabilities. Interserve had also not conducted adequate vulnerability scans. Finally, Interserve's information security team had not sufficiently investigated the incident after the antivirus software reported that the malware had been removed, so the attackers' continued presence on the network went undetected.
  • Although there were a few seven- and even eight-figure fines in 2022, the standout fine, and by far the highest amongst all sectors, is still the EUR 746 million penalty imposed on Amazon Europe Core S.a.r.l. (ETid-778) by the Luxembourg DPA (CNPD) in 2021.

Main takeaways

In particular, non-compliance with general data protection principles and insufficient data security measures resulted in severe fines for companies in the industry and commerce sector. DPAs have shown that they are willing to impose six- or even seven-figure fines for insufficient TOMs, especially when large amounts of personal data are exposed to public access. As regards general data protection principles, authorities are closely examining the necessity of data processing and the length of storage periods. The Clearview AI case shows that DPAs from different countries are willing to investigate, and severely fine, the same processing activity if it affects data subjects under their respective jurisdictions.