Who has been fined for GDPR violations?

Aug 06 | 2024

As we commemorate the sixth anniversary of the European Union's General Data Protection Regulation (GDPR), network security company NordLayer takes a look at the importance of this legislation for businesses.

Who has been fined for GDPR violationsThe European Union's General Data Protection Regulation (GDPR) has affected the business landscape since its 25 May, 2018 enforcement. Designed to strengthen data protection and privacy rights for individuals within the EU, and with €4.5 billion in fines levied against companies for non-compliance, the GDPR has reshaped how organisations handle and protect personal data.

NordLayer recently investigated that during the six years of the GDPR’s existence, individual data protection authorities (DPAs) have issued 2,072 violations, accumulating €4.5 billion in fines. The threat of penalties, reaching up to 4% of a company's global annual revenue, has served as a reminder to take data protection practices seriously.

"We've witnessed businesses across industries change their data handling practices and invest in security measures to achieve compliance,” said Carlos Salas, cybersecurity expert at NordLayer. “While full compliance has been challenging for many companies, the GDPR's impact in empowering individuals and holding organisations accountable for data mishandling cannot be overstated. It has reshaped the digital landscape, forcing a much-needed prioritisation of privacy rights."

Countries where businesses are fined the most 

Spanish businesses violated GDPR 842 times and have paid €80 million in fines since 2018. Italy is second on this list, and the country's organisations guilty of half as many GDPR violations than Spain, but paying nearly three times as much in fines. Companies in Italy were issued 358 fines and paid nearly €229 million.

German organisations have the third most number of fines with 186, resulting in €55 million worth of penalties. Romanian businesses are not far behind with 179 fines, but, interestingly, they have paid only €1.1 million due to non-compliance with the GDPR. Poland closes out the top five, with companies receiving 73 fines, resulting in nearly €4 million losses.

When looking at countries where businesses have paid the most for their violations, Ireland stands out among others. Since 2018, organisations in Ireland have paid €2.8 billion in fines. The primary reason is that multiple big tech companies such as Meta and TikTok have registered their European subsidiaries there and have been hit with massive million-dollar fines.

Biggest ‘criminals’ and their violations

The largest GDPR violator is Meta. Of the top 10 most significant fines, it is responsible for six (four as Meta, one as Facebook, and one as WhatsApp). Its biggest violation cost it €1.2 billion for insufficient legal basis for data processing in 2023. Twice more it had to pay about €400 million for non-compliance with general data processing principles.

In 2021, Amazon also had to pay €746 million to Luxembourg’s data protection authorities. Last year, TikTok paid €345 million for GDPR violations. Google was punished twice in 2021 for insufficient legal basis for data processing and paid €90 million and €60 million for separate violations.

Companies are most commonly fined for insufficient legal basis for data processing. Since 2018, there have been 635 cases of such violations, which cost companies €1.6 billion. For non-compliance with general data processing principles, organisations were fined 578 times and paid over €2 billion.

"Achieving and maintaining GDPR compliance is an ongoing journey, not a one-time destination," said Salas. "Data protection regulations evolve, and cyber threats become more sophisticated, so businesses must remain proactive in their data privacy and security approach. Solutions such as NordLayer can help organisations stay ahead of the curve and foster a culture of compliance that meets regulatory requirements and upholds the trust of their customers and stakeholders."

Methodology 

The statistics mentioned above were acquired by analysing aggregated data gathered on the GDPR Enforcement Tracker database from 16 May. CMS, an international law firm, tracked all of the numbers provided on the website.