GDPR Fines: Who are the Biggest Culprits
Since its implementation in May 2018, GDPR has already been put to work if the number of enforcement actions taken by various EU data protection agencies is anything to go by.
In this article, I outline the major GDPR fines enforced so far. I will not cover the minor penalties, in the region of a few thousand Euros, that do not even make regional news.
How Many GDPR Fines have been enforced so far?
Major fines applied so far (total amount of penalties, in Euros):
- 2018: 424,800
- 2019: 358,780,500
It is important to note that these figures are according to the latest update, which was on August 5, 2019.
Major GDPR Enforcement Actions in 2019
Marriott, UK – 99,000,000 Pounds
In a bizarre turn of events, Marriott discovered that a central reservation database belonging to Starwood, the main competitor it had acquired earlier, had been hacked. The breach exposed 5 million encrypted passport numbers and 8 million credit card records. The intrusion had been ongoing from 2014 to 2018, and up to 30 million EU residents were affected.
Haga Hospital, Netherlands – 460,000 Euros
This fine was enforced because the Dutch hospital had lax controls over access logging and access to patient information. In one case, 197 employees managed to access the medical records of a Dutch celebrity.
British Airways, UK – 183,000,000 Pounds
This fine came after a malicious third party hacked the airline’s webpage and extracted 500,000 consumer records.
The British data protection authority found that BA's website was breached because of inadequate security arrangements. This penalty is the largest fine enforced under GDPR so far.
La Liga Soccer League, Spain – 250,000 Euros
The Spanish football league was accused of using its smartphone application to eavesdrop on users in order to detect piracy. The app turned on users' microphones to listen for the sound of a football match and, using geolocation, matched it to venues showing a pirated stream.
After obtaining this information, La Liga utilized it to open cases against 600 restaurants for pirating soccer matches.
Sergic, France – 400,000 Euros
Reports indicate that this real estate firm had lax restrictions on access to other people's data. By simply changing the URL, anyone could view another person's ID cards, tax notices, and other sensitive documents. The absence of user authentication attracted the penalty.
MisterTango UAB, Lithuania – 61,500 Euros
This firm accidentally exposed, for two days, a website containing records of customer payments and details, including personal data. The subsequent investigation found that the organization collected too much data and retained it for too long.
Another factor that attracted the fine was the fact that the firm had only a single individual in charge of its IT infrastructure.
Unknown Data Processor, Poland – 220,000 Euros
A Polish data processor faced enforcement action after it scraped the internet for publicly available contact details and carried out business outreach to over 90,000 individuals, 12,000 of whom refused consent to the use of their information.
Taxa 4X35, Denmark – 1,200,000 DKK
This fine was enforced after a random audit revealed that the Danish taxi firm held over 9 million personal records that it had no need for. The firm was fined for failing to delete this unused data.
Google, France – 50,000,000 Euros
The French data regulation body penalized the tech giant for lacking transparency and permission in ad personalization, as well as having a pre-checked option to personalize advertisements.
Google, France – 150,000,000 Euros
The French CNIL fined Facebook 60 million EUR for failing to let users withdraw previously given consent as easily as they had given it. For the same reasons, the CNIL fined Google 150 million EUR.
Major GDPR Enforcement Actions in 2018
A hospital near Lisbon, Portugal – 400,000 Euros
Employees at this facility used bogus accounts to access patient data.
Knuddels.de, Germany – 20,000 Euros
The German social media and chat platform notified the authorities of a data breach. During the investigation, however, the local data protection authority established that the platform had been storing user passwords in plaintext. The fine was therefore imposed for unlawful data storage practices rather than for the breach itself.
Update: Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation.
Small local company, Austria – 4,800 Euros
A local enterprise had a CCTV camera taking footage of too much public space.
How can you Avoid GDPR Fines?
As a business owner or Chief Executive Officer, the last thing you want is to be fined for failing to comply with this regulation, as the companies highlighted above found out the hard way. Secure Privacy offers software solutions that can help make your company and website compliant with GDPR. Request a demo or try these solutions for free to avoid being penalized for violating GDPR requirements.
Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.