GDPR: The 6 Biggest Fines Enforced by Regulators So Far
After the General Data Protection Regulation (GDPR) came into effect in May 2018, companies operating in the EU were required to change their data processing practices or face the possibility of heavy fines for non-compliance.
However, about 30% of companies in the EU are yet to comply with GDPR, more than a year after this law came into effect. Furthermore, research data shows that over 200,000 cases of GDPR non-compliance have been lodged since this law came into effect.
On their part, authorities have also shown their commitment to upholding the GDPR with some of the biggest companies receiving hefty fines for their data protection violations.
So far, the six biggest GDPR fines are;
- British Airways - 204.6m Euros
- Marriot International Hotels - 110.3m Euros
- Google Inc. - 50m Euros
- Austrian Post - 18.5m Euros
- Deutsche Wohnen SE - 14.5m Euros
- 1&1 Telecom GmbH - 9.5m Euros
How GDPR Fines are Determined
Before examining the fines in detail, it is important to provide context on how GDPR penalties work. Regulators consider ten crucial factors to determine the severity of a GDPR fine. They include:
The type of violation; authorities examine aspects such as the number of affected parties, the level of damage, and the duration of the infringement
Intention; in this case, investigators assess whether the violation was purposeful or an outcome of unpreparedness
Mitigation; this aspect focuses on the measures adopted to minimize the damage caused to data subjects
Preventive Measures; this context involves an evaluation of the preparedness of the affected organization to avoid GDPR violations
Track record; A company’s history when it comes to both the EU Directive and the GDPR is examined
Cooperation; Authorities consider the degree of cooperation exhibited by the affected company in remediating the infringement
Data Type; Another crucial consideration in the determination of a GDPR fine is the kind of personal information involved during a violation
Notification; Whether an infringement was proactively reported or is another core criterion used in the determination of a GDPR fine.
Certification; GDPR regulators also examine whether the affected company adhered to the statutory codes of conduct or is qualified under appropriate certifications
Other; In some instances, authorities may apply relevant criteria apart from the ones listed above such as the financial impact the company experienced as a result of the violation
Find out more about GDPR fines here.
Types of GDPR Fines
Penalties under the GDPR fall into two broad categories:
Lower Level
companies can incur fines of up to 10 million Euros or 2% of the previous year’s global revenue, whichever value is greater, for such violations.
Lower level GDPR fines are enforced as a result of either a data breach or the failure to implement a Data Protection Impact Assessment (DPIA).
To avoid this type of fine, companies are required to institute an enhanced level of security, show cooperation with authorities, carry out a DPIA, and possibly recruit a Data Protection Officer (DPO). See some common problems GDPR DPOs face.
Upper Level
Such infringements can cost up to 20 million Euros or 4% of the company’s global revenue, whichever is higher.
These kinds of fines encompass consent to process personal information, inclusive of consent to handle special categories of data. The scope also extends to compliance with the eight data subject privileges that consumers enjoy under the GDPR.
The Biggest GDPR Fines So Far
British Airways (204.6M Euros)
The UK’s Information Commissioner’s Office (ICO) announced its plan to fine the Airline after users of British Airways’ website were diverted to a fraudulent site.
Through this dubious site, data belonging to around 500,000 consumers was harvested by the hackers.
According to the ICO, the incident is believed to have started in June 2018 and different categories of personal information were compromised as a result of negligent arrangements at the company.
The affected data included in login and travel booking details, names, addresses, as well as credit card information including card numbers, expiry dates, and the three-digit CVV code.
Read the latests blog posts about the ICO.
Marriott International Hotels (110.3M Euros)
In another GDPR penalty involving a British firm, the Information Commissioner’s Office (ICO) fined Marriot after the international hotel chain after a hack dating back to 2014 was discovered at the tail end of 2018.
The hack exposed sensitive personal information including credit card details, passport numbers, as well as dates of birth belonging to over 300 million clients of which 30 million were EU residents.
After investigations were concluded, the ICO found that Marriott failed to perform adequate due diligence when it bought Starwood. Additionally, it should also have done more to safeguard its systems.
Google Inc. (50M Euros)
Google holds the unwanted tag of being the first victim of the first biggest GDPR fine. This fine is unique in the sense that it does not involve a data breach as is the case with both Marriott Hotels and British Airways.
Instead, Google was fined by the French regulator for failing to make their consumer data processing statements easily accessible to users and employing obscure language.
Additionally, Google was found guilty of not seeking consent from consumers to use their data for its ad targeting campaigns, which is illegal under the GDPR.
Austrian Post (18.5M Euros)
At the beginning of 2019, the Austrian Data Protection Authority announced that it had enforced a fine on the country’s Post for illegally selling consumer data in violation of GDPR requirements.
Investigators established that the Austrian Post had reviewed consumer information to determine whom would vote for which political party they may support and traded that data.
Although it is not illegal under the GDPR, the Austrian Post was also found to have processed information on package frequency and the rate of relocations for direct marketing objectives.
Deutsche Wohnen SE (14.5M Euros)
In October 2019, the largest GDPR fine was issued against a real estate company, Deutsche Wohnen SE by the Berlin Commissioner for Data Protection and Freedom of information.
The company was fined for violating Article 25 and Article 5 of the GDPR whereby the company lacked legitimate reasons to hold sensitive consumer data longer than necessary.
The severity of the fine was compounded by the firm’s track record as Deutsche Wohnen SE had already faced compliance issues in 2017.
1&1 Telecom GmbH (9.5M Euros)
At the beginning of December 2019, 1&1 Telecommunications was fined 9.5 million Euros by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).
The penalty was handed out as a result of the company failing to establish adequate technical and organizational measures to safeguard consumer information in its call center environments.
According to the BfDI, the fine was enforced after it was discovered that callers to the firm’s call center could retrieve consumer data by simply providing their name and date of birth.
these requirements were deemed insufficient for authentication and protection of consumer information as required by article 32 of the GDPR.
Google (150M Euros)
French CNIL fined Facebook 60 Million EUR for failing to provide the users with the ability to withdraw previously given consent as easily as it was given. For the same reasons as Facebook, the French CNIL fined Google 150 million EUR.
How to Avoid GDPR Fines
These fines show that, although maintaining data security is vital, the GDPR also focuses on individual data privacy rights and transparency. Furthermore, this regulation has a wide reach, even outside of the European union
Be proactive and avoid GDPR fines by booking a call with us today for a complete demo of our GDPR compliance solution that will be customized to your unique business needs.
Additional Resources:
Check out more articles on the subject:
- GDPR Fines: Who are the Biggest Culprits
- Google and Amazon Fined a Total of $162 Million for Cookie Use Violations in France

Automating CCPA Risk Assessments and Cybersecurity Audits: Complying with Draft Regulations
The issued draft regulations on CCPA risk assessments and cybersecurity audits by the California Privacy Protection Agency (CPPA) give you an idea of how to comply with imminent obligations
- Data Protection
- USA

India Digital Personal Data Protection Act 2023 - All You Need to Know
Discover the India Digital Personal Data Protection Act (DPDPA) 2023 – India's first comprehensive data protection law. Learn how it affects businesses, data principals, and more. Stay informed about the latest data privacy regulations.
- Data Protection

International Privacy Authorities Issue Joint Statement on Data Scraping
Learn about the joint statement issued by global privacy authorities on August 24, 2023, addressing the risks of data scraping to privacy. Discover its implications for businesses and mitigation strategies
- Data Protection