We have bad news and good news for you.

The bad news is that you are under the threat of GDPR fines and penalties because the GDPR likely applies to your business.

The good news is that GDPR compliance does not require too much effort and resources to avoid penalties.

We help companies comply with the European Union's General Data Protection Regulation (GDPR) and avoid GDPR penalties, so we closely follow developments in data privacy worldwide and the activities of data protection authorities. We notice that:

• The awareness around data privacy rights increases, which...
• Leads to an increased number of GDPR complaints, which...
• Leads to an increased number of GDPR penalties, but...
• These penalties could have been avoided easily with some education and measures.

It is great that you are aware of the scrutiny of GDPR fines - that’s the first big step to avoiding them. The next step would be to get an idea of the threat and how to deal with it. This article will answer the questions you have, such as:

• What are the GDPR fines?
• What are the most common reasons for GDPR penalties?
• What is the process of getting fined?
• How much are the GDPR fines?
• Who can be fined?
• Can individuals get GDPR penalties?
• Can non-EU businesses get GDPR fines?
• Has anyone been fined for GDPR infringements? (Hint: yes)
• How to avoid GDPR fines

By the end of the article, you’ll know what you need to do to avoid being fined by a data protection authority or a court and how to protect EU users' data as well as your business’s finances and reputation.

What are the GDPR fines and penalties?

One of the five things a supervisory authority can do to you if you don’t follow the GDPR is to fine you.

If you violate the law, five measures can be imposed on you:

• Warnings and reprimands. You can get away with a notice or a reprimand for minor violations that do not cause significant harm to data subjects.
• Temporary or permanent ban on your processing of personal data. If your data processing activities are unlawful, the data protection authority can ban your processing. The ban could be temporary or permanent.
• Bring data processing into compliance. The supervisory authority can also oblige you to make your data processing compliant. It usually comes with directions on how to do so.
• Data erasure. This is usually done when the person in charge of the data doesn’t follow a request to delete it or when personal information is collected without a legal basis or consent.
• Administrative fines. This is what scares businesses. Administrative fines are monetary and can be significant, depending on how severe the violation is. Again, there is no minimum, but only an upper cap set at 4% of the annual turnover or EUR 20 million, whichever is greater.

You can get one, two, or more penalties for the same violations if the authorities find it necessary. For example, you may get a monetary fine, be ordered to erase customer data, and get a temporary data processing ban. Or you could be reprimanded and asked to bring your processing into compliance. It’ll depend on the circumstances of your case.

Aside from being fined, organizations that violate the law may also pay damage compensation. If the violation damages the people affected by the infringement, you’ll also be responsible for paying for those.

For example, if you suffer a data breach where your users’ browsing history is exposed, which leads to personal life issues, you’ll be responsible for paying for the damages. Or you may be using automated decision-making, which affects the services and products you access. If that violates their consumer rights and they suffer some damage, you’ll be liable to pay.

What are the most common reasons for GDPR penalties?

If you look at the information that is available to the public about GDPR cases, you can see that some of the most common reasons for GDPR penalties are:

• Processing personal data without obtaining a valid consent
• Failure to respond to data subject’s requests to exercise their data privacy rights
• Not implementing adequate data security measures to prevent data breaches and protect personal information
• Not implementing adequate technical and organizational measures for data protection
• Not checking out data processors before hiring them (you are responsible if your data processor doesn’t follow the rules).
• International data transfers to third countries that are not compliant
• Using video surveillance systems without a legal basis
• Processing more than the bare minimum of personal data
• Publishing other people’s data without a lawful basis

Remember that this is not an exhaustive list. Any GDPR infringement can lead to GDPR sanctions.

What is the process of getting fined?

You know you are not compliant, and you know that you may be fined. If no one knows about your violation (except you) and it can be cured easily, go ahead and make your privacy practices compliant as soon as possible. No one will know that you have not been compliant in the past, and you’ll avoid GDPR fines.

If your data management has been audited by the supervisory authority or a data subject has complained to you, this is where things become complicated. This process goes as follows:

• The supervisory authority learns about your GDPR infringement. That may happen either by conducting an audit on your business or by a user who has submitted a complaint;
• The supervisory authority investigates the violations. The authorities will investigate all your data privacy practices - not just those related to the complaint. This means that if only one of your users complains about only one violation from your side, the data protection agency will investigate everything you do with personal data, possibly reveal many more violations, and fine you for all the breaches. At this point, you still have the opportunity to avoid fines. A decision by the Austrian DPA says that you can still fix the problems before the end of the process with the data protection authority;
• The supervisor makes a decision based on the investigation findings. If you violated the GDPR, this is the phase where you get fined or get another penalty for your violations.
• You can appeal to the Court. If you are not happy with the DPA decision, you can submit an appeal to the courts of the country of origin of the DPA. The court will either confirm the DPA’s decision or overturn it.
• The data subject may file a lawsuit for damages and compensation. If the data subject lost wages, got sick, saw a counselor, or did something else because of the violations, you’ll have to pay for that.
  

How much are the GDPR fines?

The GDPR sets only an upper cap for administrative fines. The cap is set at either EUR 20 million or 4% of the annual turnover - whichever is greater.

GDPR prescribes two tiers of penalties:

1. Tier 1 - for less severe violations, capped at EUR 10 million or 2% of the annual turnover, whichever is greater. Tier 1 penalties are for companies that wouldn’t appoint a DPO, do not keep data processing records, do not process data based on data processing agreements, and so on. These are less severe violations. Generally, these infringements are formal and do not have negative consequences. For example, not having appointed a DPO or not having a data processing agreement in place does not pose a significant risk to data privacy. It is just non-compliance with the formal requirements of the law, and that’s quite different from the Tier 2 violations and penalties;
2. Tier 2 - of severe violations, capped at EUR 20 million or 4% of the annual turnover, whichever is greater. You could get a fine like this if you violate the rights of data subjects by not responding to their requests, processing personal data without consent or another legal basis, not deleting users’ data when asked, making international data transfers that don’t follow GDPR rules, letting data leak, breaking any of the basic GDPR rules, or something similar.

If you compare Tier 1 and Tier 2 violations, you’ll notice that the Tier 2 violations are substantial and affect online privacy significantly. Non-compliance with the GDPR mostly leads to hefty Tier 2 fines. Tier 1 fines are for minor infringements of the law that wouldn’t affect privacy very much.

Is there a minimum fine under the GDPR?

No, there is no minimum. You may get a fine of a few hundred euros for less severe violations.

However, the amount you’ll need to pay depends on your current income. The fine tiers have been designed to make individuals and businesses feel fine. It is never insignificant.

How much is the GDPR fine for data breaches?

Data breaches are Tier 2 violations, so the maximum fine would be EUR 20 million or 4% of the company’s annual revenue, whichever is higher.

It is important to note that not all data breaches end up in fines. Sometimes breaches happen despite the significant efforts of the data controller. In such a case, the authorities may be mild with you or not fine you financially.

However, authorities never forgive a person for not reporting a breach. If you don’t tell them within 72 hours and they find out about it somewhere else, you’ll get into legal and financial trouble.

Who can be fined by GDPR?

Any business or individual to whom the GDPR applies can be fined.

The GDPR applies to:

• All businesses and individuals from the European Union. If your business is incorporated in any EU country, GDPR applies to your business. If you run an online project, such as a blog, newsletter, or something similar, and you live in the EU, GDPR also applies.
• Non-EU businesses and individuals who process EU citizens’ data. If your company is not incorporated in the EU, or if you run your unincorporated project from outside the EU, the GDPR only applies when you process data about Europeans. As a result, if you are a US company processing data from US residents, GDPR does not apply to you, and no penalties threaten you. If you are a US business processing data for Europeans, GDPR applies only when you process their data, and you could be fined for violations.

As long as one of these two categories describes you, the GDPR applies to you, and you are under the scrutiny of GDPR fines.

Can individuals get GDPR penalties?

Yes, individuals can be fined under the GDPR. The law doesn’t make a difference between individuals or businesses. If you process data as an individual without a registered business or organization, you are the data controller as an individual and must comply with the GDPR.

Bloggers, business owners, and teams who haven’t yet incorporated as creators, independent app developers, newsletter writers, and others often use their websites or apps to collect and process the personal information of their users.

Their website may use Google Analytics data, Facebook pixel tracking, or email addresses to send a newsletter. The data controller is the individual who operates the website, newsletter, or app. Hence, she has duties under the GDPR.

In addition to online solopreneurs, individuals who expose personal data to other people may also violate the GDPR and be penalized for that. For example, a person in Austria was fined EUR 600 for telling an employer about the health information of a coworker.

Can non-EU businesses get GDPR fines?

Yes, businesses can get GDPR fines even if they are not based in the European Union. The fines for non-EU companies are the same as for companies from the EU member states. Data protection laws do not care where you are from. If the GDPR applies to you and you don’t comply, you are threatened with a fine.

Has anyone been fined for a GDPR violation?

Thousands of businesses, government institutions, and individuals have been fined for GDPR infringements. Media doesn’t bother small companies, and they do not let the world know they’ve been punished either, but it doesn’t mean that data protection authorities let them get away with non-compliance.

To get an idea of what type of penalties DPAs impose on companies, check out the following examples.

Examples of GDPR fines

Here are some examples of GDPR penalties:

• The Belgian DPA fined Roularta Media Group EUR 50,000 for using cookies without users’ permission and not having a policy on how long to keep them.
• The Danish Datalysnet ordered a dating website to bring its data processing into compliance because they bundled the consent request and the Terms and Conditions under the same checkbox.
• The Romanian DPA fined a person EUR 150 for putting personal information about other people on their website without a legal reason to do so.
• The Belgian Data Protection Authority (DPA) reprimanded a website owner because the cookie consent software they had installed on their site didn’t work and didn’t get free consent.
• The French CNIL fined a company EUR 300,000 because it didn’t respond to requests for access to data and other requests for data subject rights.
• The Belgian DPA also fined a company EUR 50,000 because they obtained personal data from their target audience - pregnant mothers - without valid consent and then transferred the data to their network of companies and sold it to third parties.
• The Belgian DPA fined a website operator EUR 15,000 for using cookies without obtaining prior consent.
• The Italian Garante gave a company a fine of EUR 5,000 because it made unwanted calls to phone numbers found on the internet without a legal reason and didn’t follow requests for access and deletion.
• The Spanish AEPD fined a company EUR 24,000 for relying on implied consent instead of explicit consent.
• A tech company in Malta was fined EUR 24,000 by the Maltese Data Protection Authority (DPA) for not telling anyone about a data breach, not following privacy notices, and using personal data without a legal reason (which was found during the investigation of the data breach).
• The Spanish AEPD fined Conseguridad EUR 50,000 for not having appointed a DPO.
• Klarna, a financial technology company, settled with Sweden’s Data Protection Authority in the amount of $733,000 for failing to inform users about how their personal data was being processed, a violation of GDPR transparency requirements.
• The Austrian Data Protection Authority fined the Austrian Postal Service €18 million for collecting and selling personal data, including political preferences of approximately three million individuals, without their consent.
• The Spanish Data Protection Authority (AEPD) fined Caixabank €6 million for failing to provide clear information about how it processed personal data and obtaining consent in a non-transparent manner. The company also bundled consent for different data processing purposes, which violated GDPR requirements.
• Vodafone Spain was fined €8.15 million for aggressive telemarketing practices that included contacting users without consent and failing to honor requests to opt out of marketing communications. The company was found to have multiple breaches related to GDPR consent requirements.
• TikTok was fined €750,000 by the Dutch Data Protection Authority for failing to provide an adequate privacy policy for children in the Dutch language, violating GDPR requirements regarding transparency and the processing of minors’ data.
• The Spanish Data Protection Authority fined Glovo €550,000 for failing to comply with GDPR requirements regarding data subject rights. Glovo was found to be inadequately processing requests from users to access, rectify, or delete their data.
• Fastweb was fined €5,3 million by the Italian Data Protection Authority for unauthorized marketing practices, including sending unsolicited communications to individuals who had not consented to receive them. The company also failed to adequately respond to users’ requests to exercise their data rights.
• Amazon was fined €746 million for using customer data for targeted advertising without obtaining proper consent, violating GDPR’s transparency and consent requirements. The fine highlighted issues with Amazon’s processing of user data for personalized marketing.
• The Austrian Data Protection Authority (DPA) fined REWE International €8 million for violations of GDPR due to improper handling of customer data in their jö Bonus Club loyalty program. REWE collected and used personal data for marketing purposes without obtaining proper consent from users, breaching GDPR’s transparency and data processing regulations. Despite REWE’s argument that the subsidiary operating the program was responsible, the DPA held REWE accountable as the parent company.

The 6 biggest GDPR fines enforced by regulators so far

The GDPR affects the world’s largest companies. They make billions, so the EUR 20 million does not affect them. That’s why the GDPR introduced the 4% of the (gross) annual turnover - to make them feel affected by the penalties.

That’s how companies such as Meta, Amazon, WhatsApp, British Airways, and others ended up paying huge fines.

Meta - EUR 1.2 billion (Ireland, 2023)

In May 2023, in a groundbreaking decision within the past five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a historic fine of EUR 1.2 billion on US tech giant Meta. The fine stemmed from a DPC investigation into Meta's transfer of personal data of European users to the United States. The DPC found that Meta had violated the GDPR by failing to provide adequate safeguards for the data during these transfers.

The DPC's decision was the culmination of a two-year investigation into Meta's data transfer practices. The investigation found that Meta had violated the GDPR by transferring the personal data of European users to the United States without adequate data protection mechanisms.

Amazon - EUR 746 million (Luxemborg, 2021)

On July 16, 2021, the Luxembourg National Commission for Data Protection (CNDP) issued a record-breaking fine of EUR 746 million (USD 888 million) to Amazon.com Inc. for violating the GDPR. The fine was the largest ever imposed under the GDPR, and it was a significant blow to Amazon's business.

The fine was the result of a complaint filed by 10,000 people against Amazon in May 2018. The complaint alleged that Amazon was violating the GDPR by targeting users with personalized ads without their consent.

The CNDP's investigation found that Amazon was indeed violating the GDPR. The investigation found that Amazon was using a variety of methods to collect personal data about its users, including their browsing history, purchase history, and search history. Amazon was then using this data to target users with personalized ads, often without their consent.

Meta - EUR 405 million (Ireland, 2022)

The Irish Data Protection Commission slapped Meta with a EUR 405 million fine in September 2022 for violating the GDPR. The fine was the result of an investigation into Instagram's handling of children's personal data.

The DPC found that Instagram had violated the GDPR by:

• Allowing users under the age of 13 to create business accounts
• Making it easy for adults to contact children on Instagram
• Failing to provide children with adequate information about how their data was being used
  

Meta - EUR 265 million (Ireland, 2022)

The Irish DPC gave Meta a EUR 265 million GDPR fine in November 2022 for data protection violations. The fine was the result of a data breach that exposed the personal information of approximately 533 million Facebook users worldwide.

The DPC found that Meta had violated the GDPR by failing to take adequate measures to protect users' personal data from unauthorized access. The DPC also found that Meta had failed to notify users of the data breach in a timely manner.

WhatsApp - EUR 225 million (Ireland, 2021)

The Irish Data Protection Commission fined WhatsApp EUR 225 million in September 2021 for its violations of the GDPR. The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC to reassess the initially proposed fine regarding infringements of transparency in the calculation of the fine as well as the timeframe for WhatsApp to comply.

The DPC found that WhatsApp had violated the GDPR by failing to obtain valid consent from users before sharing their data with other Meta companies. The DPC also found that WhatsApp had failed to provide users with adequate information about how their data was being shared.

British Airways - EUR 204.6 million (UK, 2019)

In July 2019, the UK's Information Commissioner's Office (ICO) announced that it intended to fine British Airways EUR 204.6 million for violating the GDPR. The fine was the largest ever proposed by the ICO under the GDPR.

The ICO's investigation found that British Airways had failed to take adequate measures to protect its customers' personal data. In September 2018, British Airways suffered a data breach that exposed the personal information of approximately 500,000 customers, including their login and travel booking details, names, addresses, as well as credit card information including card numbers, expiry dates, and the three-digit CVV code.

The ICO found that British Airways had violated the GDPR by:

• Failing to implement adequate security measures to protect its customers' personal data
• Failing to detect the data breach for over two months
• Failing to notify its customers of the data breach in a timely manner
  

How to avoid GDPR fines and penalties

The GDPR requires a proactive approach by businesses. You must put your data privacy practices in order - that’s how you’ll avoid GDPR fines.

The actual measures you need to take depend on the nature of your business. No two businesses are the same. Hence, every business requires a tailored approach.

However, all businesses would benefit from some or all of the following:

• GDPR training. Educate yourself and your employees about data protection, privacy, and the GDPR. We have data privacy and GDPR courses that everyone can understand. You can sign up here.
• Assess your data flows. Make sure you know how each piece of personal data flows from when you collect it to when you delete it.
• Conduct data protection impact assessments. Assessing data flows can be part of a more extensive data protection impact assessment. It will show you your company’s privacy vulnerabilities and clear the way to compliance. If you don’t know where to start, check out our guide on these three DPIA templates and how to complete them.
• Use privacy-enhancing technologies. Secure Privacy consent management platform is just one example of a privacy-enhancing technology. Take advantage of what is available and protect your business from fines.
• Implement privacy-by-design. Privacy by design means making your products, services, and business operations so that they use the least amount of data processing and protect the data needed for them to work well.
• Have technical and organizational measures in place. What steps need to be implemented depends on the specifics of each business. If you don’t know where to start, seek advice from a professional.
• Take care of data security. Self-explanatory. You must secure your data. An important aspect of this is securing yourself against data breaches.
• Have a data breach response procedure in place. Be prepared for data breaches at all times. You should have a response procedure in place to determine who will do what and how in the case of a violation. Read our comprehensive data breach response guide to learn what you need to do.