GDPR Fines Structure and the Biggest GDPR Fines to Date
The General Data Protection Regulation (GDPR) is a law enacted by the European Union in 2018 to handle data protection and privacy. This regulation affects all companies that process and hold the personal data of individuals residing in the European Union, regardless of the company’s location. A critical aspect of GDPR is the hefty fines that can be imposed if businesses fail to comply with its regulations.
Related content: This is part of an extensive series of guides about GDPR compliance.
Structure of GDPR Fines
Maximum Fine Limits
The GDPR sets forth maximum limits for fines, which are quite substantial. The upper limit depends on the tier of the violation. For the lower tier, the maximum fine can go up to 10 million Euro or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
For the upper tier, the maximum fine can reach 20 million Euro or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. These significant amounts underscore the seriousness with which the EU takes data protection and privacy.
It’s worth noting that these are maximum limits. The actual fine will depend on the specific circumstances of each case. Thus, not every infringement will lead to millions of euros in fines. However, the potential for such high fines clearly signifies the importance of complying with the GDPR.
Two-Tiered Fine System
Here is how the GDPR defines the two tiers:
- Lower-tier infringements mostly relate to technical aspects of the GDPR, such as failing to adequately document processing activities, not conducting a required impact assessment, and not designating a data protection officer when required.
- Upper-tier infringements pertain to violations of the fundamental principles of the GDPR, such as processing personal data without sufficient legal basis, infringing on the rights of data subjects, and transferring personal data to a third country or an international organization in violation of the GDPR.
The two-tiered system ensures that the fines correspond to the severity of the violation, preventing minor technical infringements from leading to excessive fines.
Related content: Read our guide to GDPR requirements.
Criteria Used to Determine GDPR Fines and Violations
1. Nature, Gravity, and Duration of Infringement
The nature, gravity, and duration of the infringement play a significant role in determining the fines. For instance, a minor violation that did not lead to any substantial damage may attract a lesser fine compared to a massive data breach that exposed sensitive personal data of thousands of users. Similarly, the duration of the infringement also matters. A one-off violation might be treated differently from a recurring or persistent breach.
Additionally, the number of people affected by the violation and the level of damage they suffered are also taken into account. If an infringement led to serious damage like identity theft or financial loss, the GDPR fines imposed could be hefty. In contrast, if the breach resulted in minimal harm, the fines may be less severe.
2. Intentional or Negligent Character of the Infringement
Another important aspect considered when determining GDPR fines is whether the violation was intentional or due to negligence. If an entity deliberately violated GDPR rules, it would likely face a higher fine. On the other hand, if the breach occurred due to negligence, the fine might be lower, especially if the entity can demonstrate that it took all reasonable measures to prevent such an occurrence.
This aspect of GDPR enforcement emphasizes that organizations must be fully aware of their responsibilities and take appropriate measures to ensure data protection. If negligence leads to a data breach, the organization might still face a significant fine.
3. Actions Taken by the Data Controller or Processor to Mitigate Damage
The actions taken by the data controller or processor to mitigate the damage caused by the violation are also taken into account. If the entity took swift and effective measures to contain the breach, notify the affected individuals, and minimize the damage, this could potentially reduce the amount of the fine.
This factor underscores the importance of having a robust data breach response plan in place. By responding promptly and effectively to a breach, organizations can not only limit the harm caused to individuals but also potentially lessen the financial penalties they might face.
4. Degree of Responsibility of the Controller or Processor
The degree of responsibility of the data controller or processor is another crucial factor in determining GDPR fines. The GDPR holds controllers and processors accountable for ensuring data protection. If they fail in their responsibilities and it can be proven that they were deliberately negligent, they can face significant fines.
The degree of responsibility is evaluated based on several factors, including the technical and organizational measures implemented by the entity to ensure data protection, the entity’s compliance with its obligations under the GDPR, among others. If the entity can demonstrate that it took all necessary steps to protect personal data and comply with GDPR rules, this could potentially reduce the amount of the fine.
5. Relevant Previous Infringements
Previous infringements are also taken into account when determining GDPR fines. If the entity has a history of violations, it could face a higher fine. This is because repeat violations indicate a disregard for data protection rules and a lack of commitment to rectify past mistakes.
However, it’s not just the number of previous violations that matters, but also their nature and severity. A single severe violation could be viewed more seriously than multiple minor infringements. Therefore, organizations should not only strive to prevent violations but also take swift action to rectify any violations that do occur.
6. Degree of Cooperation with the Supervisory Authority
The degree of cooperation with the supervisory authority is another factor that can influence GDPR fines. If the entity cooperates fully with the supervisory authority, this could potentially reduce the amount of the fine. Cooperation could include promptly reporting the violation, providing all necessary information to the authority, assisting in the investigation, among others.
By contrast, if the entity tries to conceal the violation or obstruct the investigation, it could face a higher fine. Thus, it’s in the best interest of organizations to cooperate fully with the supervisory authority in the event of a data breach.
7. Categories of Personal Data Affected by the Infringement
The categories of personal data affected by the infringement can also influence the amount of the GDPR fines. If sensitive personal data such as financial information, health records, or other special category data are exposed in a data breach, the entity is likely to face a higher fine.
This is because the exposure of such data can lead to serious harm to individuals, including identity theft, financial loss, damage to reputation, among others. Therefore, organizations must take extra care to protect sensitive personal data to avoid hefty fines.
8. Manner in Which the Infringement Became Known to the Supervisory Authority
The manner in which the infringement became known to the supervisory authority can also impact the GDPR fines. If the entity reported the violation promptly and voluntarily, this could potentially reduce the amount of the fine. Conversely, if the infringement was discovered through a third-party complaint or an audit, the entity could face a higher fine.
This factor underscores the importance of transparency and prompt reporting in the event of a data breach. By reporting the breach promptly, organizations can not only comply with their legal obligations but also potentially mitigate the financial penalties they might face.
9. Compliance with Measures Against the Controller or Processor
Compliance with measures ordered against the controller or processor is another factor that can influence GDPR fines. If the entity complies promptly and fully with the measures ordered by the supervisory authority, this could potentially reduce the amount of the fine. On the other hand, if the entity fails to comply with the measures, it could face a higher fine.
This factor highlights the importance of complying with all legal obligations under the GDPR. By complying with the measures ordered by the supervisory authority, organizations can not only rectify the violation but also potentially lessen the financial penalties they might face.
10. Adherence to Codes of Conduct or Approved Certification Mechanisms
Lastly, the adherence to codes of conduct or approved certification mechanisms can also impact GDPR fines. If the entity adheres to such codes or mechanisms, this could potentially reduce the amount of the fine. This is because such adherence demonstrates the entity’s commitment to data protection and compliance with GDPR rules.
Therefore, organizations should strive to adhere to relevant codes of conduct or certification mechanisms to demonstrate their commitment to data protection and potentially mitigate the financial penalties they might face.
Examples of the Biggest GDPR Fines So Far
Meta
Formerly known as Facebook, Meta was hit with one of the largest GDPR fines to date. In July 2021, Luxembourg’s National Commission for Data Protection (CNPD) fined Meta €746 million for violating GDPR. The fine was levied due to the company’s failure to satisfactorily protect user data and misuse of personal data for advertising purposes.
In 2023, Meta received an even larger fine of €1.2 billion by the Irish Data Protection Commission for transferring personal data of European users to the United States without adequate data protection mechanisms
Amazon
In July 2021, Amazon received the highest GDPR fine to date. The Luxembourg National Commission for Data Protection (CNPD) fined the e-commerce giant €746 million. The fine was issued due to Amazon’s non-compliance with GDPR regulations in its advertising practices.
TikTok
Popular, China-owned social media platform TikTok was also on the receiving end of a GDPR fine. In July 2021, the Dutch Data Protection Authority (DPA) fined TikTok €750,000 for violating GDPR regulations. The violation was due to TikTok’s failure to provide a privacy statement in Dutch, leaving many young users unable to understand the company’s data processing methods. Then, in 2023, TikTok received a fine of £12.7 million for illegally processing the data of 1.4 million children under the age of 13 without parental consent
WhatsApp, the popular messaging service, was fined €225 million by Ireland’s Data Protection Commission (DPC) in September 2021. The fine was issued due to WhatsApp’s lack of transparency about how it processes user data. This case shows that even companies that primarily offer free services can face significant GDPR fines if they fail to comply with data protection laws.
Google LLC
In March 2020, the Swedish Data Protection Authority (DPA) fined Google LLC €7 million for failing to comply with GDPR’s right to be forgotten. The fine was issued because Google did not adequately remove two search result listings that individuals requested to be deleted, demonstrating the importance of respecting user requests for data deletion.
CRITEO
In December 2020, The French Data Protection Authority (CNIL) fined CRITEO €225,000 for violating GDPR’s rules on consent for cookies. The company was found guilty of continuing to place advertising cookies on users’ computers after they had refused consent.
H&M
In one of the largest GDPR fines related to employee data, H&M was fined €35 million by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) in October 2020. The fine was issued due to H&M’s unlawful surveillance of several hundred employees at its Nuremberg service center.
Clearview AI
In a landmark case, Clearview AI, a facial recognition company, was fined €20 million by the Italian Data Protection Authority (Garante) in January 2022. The company was found to have violated GDPR by collecting biometric data without users’ consent. This case demonstrates that GDPR fines can be levied against companies that misuse sensitive biometric data.
Are GDPR Fines On the Rise?
In short, yes, GDPR fines have been marked by a gradual escalation in both the frequency and size of penalties.
Initially, after its implementation in May 2018, the focus of GDPR enforcement was more on awareness and compliance. However, by 2019 and 2020, there was a noticeable increase in enforcement actions, highlighted by significant fines such as the €50 million penalty against Google by France’s CNIL for inadequate data consent policies.
This trend continued to accelerate in 2021, exemplified by Amazon’s €746 million fine for non-compliance with data processing standards, and in 2022 with several substantial fines against Meta, including a €225 million penalty for WhatsApp’s privacy policy issues.
The year 2023 marked a turning point in GDPR enforcement, witnessing record-breaking fines that pushed the total to over €1.6 billion. A notable example is the unprecedented €1.2 billion fine imposed on Meta by the Irish Data Protection Commission. This dramatic increase in both the size and total amount of fines underscores a more aggressive approach to GDPR enforcement, signaling the European Union’s strong commitment to data protection.
GDPR Compliance with Exabeam
While the task of updating data protection policies and practices might appear daunting, employing tools specifically designed to improve ecosystem vigilance gets organizations a long way towards securing sensitive assets and information. By equipping Data Protection Officers with the ability to more effectively monitor and respond to all data access activities, Exabeam Security Operations Platform helps organizations to meet both technological and operational requirements of GDPR.
- External Threat Reduction: Exabeam works alongside existing security solutions, using AI-driven behavioral analytics to identify unusual activity that may be indicative of a hacker’s attempt to find and access data.
- Internal Threat Reduction: Exabeam works alongside identity and access management solutions to prevent security incidents resulting from the accidental or malicious abuse of allocated permissions. By flagging activity that falls outside the norm for a given user, Exabeam helps to detect potential data theft.
- Oversight and Timely Notification: In addition to acting as a central point of intelligence in the customer’s security ecosystem, Exabeam provides forensics and accurate visualization of activity for better compliance reporting.
As part of Exabeam compliance with GDPR, Exabeam aligns its security measures with commercially-accepted certifications. More about certifications and GDPR compliance are available on the Exabeam Trust Center page.