After the General Data Protection Regulation (GDPR) came into effect in May 2018, companies operating in the EU were required to change their data processing practices or face the possibility of heavy fines for non-compliance.
However, about 30% of companies in the EU are yet to comply with GDPR, more than a year after this law came into effect. Furthermore, research data shows that over 200,000 cases of GDPR non-compliance have been lodged since this law came into effect.
On their part, authorities have also shown their commitment to upholding the GDPR with some of the biggest companies receiving hefty fines for their data protection violations.
So far, the six biggest GDPR fines are;
- British Airways – 204.6m Euros
- Marriot International Hotels – 110.3m Euros
- Google Inc. – 50m Euros
- Austrian Post – 18.5m Euros
- Deutsche Wohnen SE – 14.5m Euros
- 1&1 Telecom GmbH – 9.5m Euros
How GDPR Fines are Determined
Before examining the fines in detail, it is important to provide context on how GDPR penalties work. Regulators consider ten crucial factors to determine the severity of a GDPR fine. They include:
The type of violation; authorities examine aspects such as the number of affected parties, the level of damage, and the duration of the infringement
Intention; in this case, investigators assess whether the violation was purposeful or an outcome of unpreparedness
Mitigation; this aspect focuses on the measures adopted to minimize the damage caused to data subjects
Preventive Measures; this context involves an evaluation of the preparedness of the affected organization to avoid GDPR violations
Track record; A company’s history when it comes to both the EU Directive and the GDPR is examined
Cooperation; Authorities consider the degree of cooperation exhibited by the affected company in remediating the infringement
Data Type; Another crucial consideration in the determination of a GDPR fine is the kind of personal information involved during a violation
Notification; Whether an infringement was proactively reported or is another core criterion used in the determination of a GDPR fine.
Certification; GDPR regulators also examine whether the affected company adhered to the statutory codes of conduct or is qualified under appropriate certifications
Other; In some instances, authorities may apply relevant criteria apart from the ones listed above such as the financial impact the company experienced as a result of the violation
Types of GDPR Fines
Penalties under the GDPR fall into two broad categories:
- Lower Level
companies can incur fines of up to 10 million Euros or 2% of the previous year’s global revenue, whichever value is greater, for such violations.
Lower level GDPR fines are enforced as a result of either a data breach or the failure to implement a Data Protection Impact Assessment (DPIA).
To avoid this type of fine, companies are required to institute an enhanced level of security, show cooperation with authorities, carry out a DPIA, and possibly recruit a Data Protection Officer (DPO)
- Upper Level
Such infringements can cost up to 20 million Euros or 4% of the company’s global revenue, whichever is higher.
These kinds of fines encompass consent to process personal information, inclusive of consent to handle special categories of data. The scope also extends to compliance with the eight data subject privileges that consumers enjoy under the GDPR.
The Biggest GDPR Fines So Far
- British Airways (204.6M Euros)
The UK’s Information Commissioner’s Office (ICO) announced its plan to fine the Airline after users of British Airways’ website were diverted to a fraudulent site.
Through this dubious site, data belonging to around 500,000 consumers was harvested by the hackers.
According to the ICO, the incident is believed to have started in June 2018 and different categories of personal information were compromised as a result of negligent arrangements at the company.
The affected data included in login and travel booking details, names, addresses, as well as credit card information including card numbers, expiry dates, and the three-digit CVV code.
- Marriott International Hotels (110.3M Euros)
In another GDPR penalty involving a British firm, the Information Commissioner’s Office (ICO) fined Marriot after the international hotel chain after a hack dating back to 2014 was discovered at the tail end of 2018.
The hack exposed sensitive personal information including credit card details, passport numbers, as well as dates of birth belonging to over 300 million clients of which 30 million were EU residents.
After investigations were concluded, the ICO found that Marriott failed to perform adequate due diligence when it bought Starwood. Additionally, it should also have done more to safeguard its systems.
- Google Inc. (50M Euros)
Google holds the unwanted tag of being the first victim of the first biggest GDPR fine. This fine is unique in the sense that it does not involve a data breach as is the case with both Marriott Hotels and British Airways.
Instead, Google was fined by the French regulator for failing to make their consumer data processing statements easily accessible to users and employing obscure language.
Additionally, Google was found guilty of not seeking consent from consumers to use their data for its ad targeting campaigns, which is illegal under the GDPR.
- Austrian Post (18.5M Euros)
At the beginning of 2019, the Austrian Data Protection Authority announced that it had enforced a fine on the country’s Post for illegally selling consumer data in violation of GDPR requirements.
Investigators established that the Austrian Post had reviewed consumer information to determine whom would vote for which political party they may support and traded that data.
Although it is not illegal under the GDPR, the Austrian Post was also found to have processed information on package frequency and the rate of relocations for direct marketing objectives.
- Deutsche Wohnen SE (14.5M Euros)
In October 2019, the largest GDPR fine was issued against a real estate company, Deutsche Wohnen SE by the Berlin Commissioner for Data Protection and Freedom of information.
The company was fined for violating Article 25 and Article 5 of the GDPR whereby the company lacked legitimate reasons to hold sensitive consumer data longer than necessary.
The severity of the fine was compounded by the firm’s track record as Deutsche Wohnen SE had already faced compliance issues in 2017.
- 1&1 Telecom GmbH (9.5M Euros)
At the beginning of December 2019, 1&1 Telecommunications was fined 9.5 million Euros by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).
The penalty was handed out as a result of the company failing to establish adequate technical and organizational measures to safeguard consumer information in its call center environments.
According to the BfDI, the fine was enforced after it was discovered that callers to the firm’s call center could retrieve consumer data by simply providing their name and date of birth.
these requirements were deemed insufficient for authentication and protection of consumer information as required by article 32 of the GDPR.
How to Avoid GDPR Fines
These fines show that, although maintaining data security is vital, the GDPR also focuses on individual data privacy rights and transparency. Furthermore, this regulation has a wide reach, even outside of the European union
Be proactive and avoid GDPR fines by booking a call with us today for a complete demo of our compliance solution that will be customized to your unique business needs.
Get your Frequently Asked Questions (FAQ) about GDPR answered with our detailed summary
Download your GDPR and ePrivacy Regulation e-book directly into your inbox now