GDPR Fines: Who are the Biggest Culprits

Since its implementation in May 2018, GDPR has already been put to work if the number of enforcement actions taken by various EU data protection agencies is anything to go by.

In this article, I outline the major GDPR fines that have been enforced so far. However, I will not cover the light penalties in the region of thousands of Euros that do not even make regional news.

How Many GDPR Fines have been enforced so far?

Major fines applied so far;

• 2018:3
• 2019:9

Total Amount of Penalties in Euros

• 2018:424, 800
• 2019: 358, 780, 500

It is important to note that these figures are according to the latest update, which was on August 5, 2019.

Major GDPR Enforcement Actions in 2019

Marriot, UK - 99,000,000 Pounds

In a bizarre turn of events, Marriot discovered that a central reservation database belonging to Starwood, the main competitor whom it had acquired earlier, was hacked. This breach comprised 5 million encrypted passcodes and 8 million credit card records. It was discovered that this hack was ongoing from 2014 to 2018. Up to 30 million EU residents were affected.

Hotel GDPR Compliance: more on the Marriot GDPR fine.

Haga Hospital, Netherlands – 460,000 Euros

This fine was enforced as a result of this Dutch hospital having slack controls over logging and access to patient information. For example, there was a case where 197 employees managed to access the medical records of a certain Dutch celebrity.

British Airways, UK – 183,000,000 Pounds

This fine came after a malicious third party hacked the airline’s webpage and extracted 500,000 consumer records.

The British data protection body claimed that BA's website was breached due to lax cybersecurity structures. This penalty represents the biggest fine enforced as a result of GDPR so far.

La Liga Soccer League, Spain – 250,000 Euros

The Spanish football league was accused of eavesdropping for piracy through its smartphone application. Essentially, the football body turned on user microphones to listen for sounds of a football game and match it to any pirated stream using geolocation.

After obtaining this information, La Liga utilized it to open cases against 600 restaurants for pirating soccer matches.

Sergic, France – 400,000 Euros

Reports indicate that this real estate firm had lax restrictions regarding access to other people's data. All you needed to do was change the URL, and you could access a person's ID cards, tax notices, and other crucial documents. The absence of user validation attracted the penalty.

MisterTango UAB, Lithuania – 61, 500 Euros

This firm exposed a website with records of customer payments and details, inclusive of personal data by mistake for two days. The subsequent investigations revealed that the organization gathered too much data and held it for too long.

Another factor that attracted the fine was the fact that the firm had only a single individual in charge of its IT infrastructure.

Unknown Data Processor, Poland – 220,000 Euros

A Polish data processor faced retributive action after it scraped the internet for public contacts and carried out business outreach to over 90,000 individuals, out of which 12,000 denied consent to the use of their information.

Taxa 4X35, Denmark – 1, 200,000 DKK

This fine was enforced after a random audit revealed that this Danish taxi firm had over 9 million personal records that it did not need to have. Therefore, they were fined for failing to get rid of this unused data. Learn about the Danish DPA cookie guidelines.

Google, France – 50,000,000 Euros

The French data regulation body penalized the tech giant for lacking transparency and permission in ad personalization, as well as having a pre-checked option to personalize advertisements.

Google, France - 150,000,000 Euros

French CNIL fined Facebook 60 Million EUR for failing to provide the users with the ability to withdraw previously given consent as easily as it was given. For the same reasons as Facebook, the French CNIL fined Google 150 million EUR.

In 2022, 81% of French companies are still not compliant with GDPR.

Major GDPR Enforcement Actions in 2018

A hospital near Lisbon, Portugal – 400,000 Euros

Employees at this facility used bogus accounts to access patient data.

Knuddels.de, Germany – 20, 000 Euros

The German social media and chatting platform notified authorities about a data breach. However, following investigations, the local data protection body established that the platform had been keeping user passwords in plaintext without encryption. Fundamentally, the fine was enforced as a result of illegal data storage practices, as opposed to the breach itself.

Update: Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation.

Read about Germany's Federal Act on Privacy in Telecommunications and Telemedia (TTSDG).

Small local company, Austria – 4,800 Euros

A local enterprise had a CCTV camera taking footage of too much public space.

Here are more of the highest GDPR fines enforced by regulators so far.

How can you Avoid GDPR Fines?

As a business owner or a Chief Executive Officer, the last thing you want is to be fined for failing to comply with this regulation as the companies highlighted found out the hard way. Secure Privacy offers software solutions that can help you make your company and website compliant with GDPR. Request a demo or try these solutions for free to avoid being penalized for violation of GDPR requirements.

Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.