Numbers & Figures

Overall Top 10 Fines

| Controller/Processor | Country | Fine [€] | Type | Date |
|---|---|---|---|---|
| Amazon Europe Core S.à.r.l. | Luxembourg | 746,000,000 | Non-compliance with general data processing principles | 16.07.2021 |
| WhatsApp Ireland Ltd. | Ireland | 225,000,000 | Insufficient fulfilment of information obligations | 02.09.2021 |
| Google LLC | France | 90,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Facebook Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Google Ireland Ltd. | France | 60,000,000 | Insufficient legal basis for data processing | 31.12.2021 |
| Google LLC | France | 50,000,000 | Insufficient legal basis for data processing | 21.01.2019 |
| H&M Hennes & Mauritz Online Shop A.B. & Co. KG | Germany | 35,258,708 | Insufficient legal basis for data processing | 01.10.2020 |
| TIM (telecommunications operator) | Italy | 27,800,000 | Insufficient legal basis for data processing | 15.01.2020 |
| Enel Energia S.p.A | Italy | 26,500,000 | Insufficient legal basis for data processing | 16.12.2021 |
| British Airways | United Kingdom | 22,046,000 | Insufficient technical and organisational measures to ensure information security | 16.10.2020 |

A look at the type of violation in the "Top 10 Fines" shows that data processing with an insufficient legal basis is the violation most likely to result in a significant fine (7 of the top 10 fines). Unlike in previous years, however, the two largest fines in the "Top 10" were imposed for non-compliance with general data processing principles (Amazon) and insufficient fulfilment of information obligations (WhatsApp).

The overview illustrates that, so far, the highest fine originates from Luxembourg. The fine of EUR 50 million against Google LLC in France, which led the "Top 10 Fines" last year, now ranks 6th.

Business Sectors – Summary

[Chart: Fines by sector]

The data shows that, to date, the highest average fines were levied in the sectors "Industry and Commerce", "Media, Telecoms and Broadcasting" and "Transportation and Energy". The sectors with the highest number of fines to date are also "Industry and Commerce" and "Media, Telecoms and Broadcasting". While this may be read as an indication that these sectors are particularly inclined to disregard the GDPR requirements, this is not necessarily the case. Other factors could have led to this result: a comparatively large number of relevant entities in these sectors, the greater public exposure of these entities, a few extraordinary fines (e.g. the EUR 746 million fine in the Industry and Commerce sector) that skew the average, or increased attention or focus by the authorities (e.g. in Spain regarding the Media, Telecoms and Broadcasting sector, where the Spanish authority has already issued 60 fines against a single Spanish telecommunications provider).

There were comparatively few fines in the fields of "Accommodation and Hospitality" and "Real Estate". While this is also true for the "Transportation and Energy" sector, the fines in this sector had a high average amount. This may indicate that finable violations in these fields are rare, but that when they do occur, they are serious and therefore carry high fines.

Countries – Top 10

[Chart: Number of fines per country]

Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.

Thus far, the Spanish data protection authority has shown the most activity in terms of issuing and publishing fines, with a total of 379 fines (+207 in comparison to the 2021 GDPR Enforcement Tracker Report). Other countries with comparatively high fine activity are Italy, Romania and Hungary, which have each imposed between 46 and 123 (published) fines. Nevertheless, those three countries together have published fewer fines than Spain alone.

The reasons for this are not evident from the data. The difference could, for example, be due to differences in the publication practice: while some countries also publish smaller fines of a few hundred euros, other countries seem to limit publication to larger fines. Another reason could be the number of staff involved in evaluating cases and handing down fines, either because countries with more fines allocate more staff to their authorities overall, or because the staff within those authorities are more focused on pursuing violations than in other countries. A further explanation could be that the focus of the authorities varies: while some may put more emphasis on consultation before issuing fines, others may combine the approaches and issue fines directly.

A look at the average fines below shows that the average fine in Spain is much lower than in most other countries:

[Chart: Average fine by country]

[Chart: Sum of fines by country]

Type of violation

[Chart: Fines by type of violation 2021/2022]

Please note that fines for which we have incomplete data (fine amount or date) have been disregarded.

We have also analysed the DPAs' justifications for the fines. Each fine in the GDPR Enforcement Tracker Report and on the GDPR Enforcement Tracker Website is attributed to one of the following nine categories:

  • Insufficient legal basis for data processing
  • Insufficient technical and organisational measures to ensure information security
  • Non-compliance with general data processing principles
  • Insufficient fulfilment of data subjects' rights
  • Insufficient fulfilment of information obligations
  • Insufficient cooperation with supervisory authority
  • Insufficient fulfilment of data breach notification obligations
  • Lack of appointment of data protection officer
  • Insufficient data processing agreement

Out of these categories, the most fines (and at the same time the second-highest total amount of fines) were issued for processing activities with an insufficient legal basis. The second most frequent reason for fines was non-compliance with general data processing principles, followed by insufficient technical and organisational measures to ensure information security and insufficient fulfilment of data subjects' rights. While insufficient fulfilment of information obligations was only the fifth most common reason for fines, the extraordinary fine of EUR 225 million imposed on WhatsApp makes the average fine in this category significantly higher than for insufficient fulfilment of data subjects' rights or for insufficient technical and organisational measures to ensure information security.

So far, only very few fines have been imposed for insufficient cooperation with the supervisory authority, for violations of data breach notification obligations, for the lack of appointment of a data protection officer or for missing data processing agreements.

Chronology

The data on the number of fines issued per month shows that in 2018 the authorities started out by mainly surveying developments in the market. Fines were issued at a relatively steady rate over the course of that year, with the number of fines per month slowly rising. After this initial "orientation phase", data protection authorities ramped up their enforcement efforts in 2019, 2020 and 2021. While 2020 already ended with some high fines, these were again surpassed by the massive fines in 2021 against "Big Tech", which pushed the total sum of fines far beyond EUR 1 billion.

Total sum of fines

Up to March 2022, a total of 1031 fines (+505 in comparison to the 2021 GDPR Enforcement Tracker Report), or 1088 including fines with limited information on amount or date, were issued and recorded in our database. The 1031 fully documented fines amount to a total of around EUR 1.581 billion (+1.319 billion in comparison to the 2021 GDPR Enforcement Tracker Report). In the reporting period 2018-2022, the average fine was around EUR 1,533,910 across all countries.

Outlook

DPAs across Europe appear to be mindful of their role not only as supervising and penalising institutions, but also as advisors. It appears that in 2018 the authorities allowed an initial phase for both data controllers and themselves to become acquainted with the new data protection regime under the GDPR. During that phase, relatively few fines were handed down. This phase is over, and the number of fines has been increasing since 2019. In 2021, "Big Tech" in particular was in the focus of regulators, and unprecedented fines were imposed.

Data protection will remain under close supervision by the authorities, and data controllers are best advised to continuously monitor and improve their processes and security measures.