It did not take long after the GDPR became applicable on 25 May 2018 for many companies to revise their positions and business priorities, after an initial scepticism towards the penalties the new regulation would impose.

After barely one year of application of the European General Data Protection Regulation, the number of financial sanctions enforced by European supervisory authorities has made it clear that the EU pays close attention to the data security and privacy rights of its citizens.


📚 The educational approach to GDPR compliance

Each Member State has a national data protection authority (DPA), an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection at national level.

They can carry out verifications at the organisation's premises or online. Checks are based on annual programmes, complaints received, or information in the media. In countries where data privacy regulation has historically been strict, the fundamental principles of data protection remain mostly unchanged (data security, fair processing, retention periods, etc.) and therefore continue to be rigorously checked by the data protection authorities.

On the other hand, the new obligations and rights introduced by the GDPR are subject to investigation and remediation controls that are commonly non-punitive. The goal is to help organisations understand the issues, the operational implementation of the new provisions, and the benefits of compliance.

During the first months of the new European privacy framework, the national privacy authorities accomplished a tremendous pedagogical effort: educating companies and raising GDPR awareness across the various sectors of activity, publishing concrete fact sheets on privacy rights, and issuing guides on security and on data protection impact assessment (DPIA) methodologies.

In Belgium, since 25 May 2018, the Data Protection Authority (DPA) has been the successor to the Commission for the Protection of Privacy (better known as the "Privacy Commission").



⚖️ What are the latest sanctions and warnings under GDPR?

Except in cases of serious data breaches or deliberate bad faith, national supervisory authorities prefer to alert, support and accompany companies towards GDPR compliance rather than impose the maximum fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Their corrective powers, such as issuing warnings of non-compliance, carrying out audits, requiring specific remediation within a specified time frame, ordering the erasure of data, and suspending data transfers to a third country, are readily available to the supervisory authorities and supplement the administrative fines.

Nonetheless, some decisions have already broken records for the size of fines imposed for breaching data protection principles. Among the numerous pending national complaints and fine proceedings, a number of sanctions have already been imposed. The following tables provide a non-exhaustive, regularly updated list of sanctions imposed by national European authorities and courts against non-compliant organisations.


Biggest GDPR fines of 2023

| Date (DD/MM) | Company | Country | Info | Sanction |
|---|---|---|---|---|
| 22/05 | Meta | Ireland | Unlawful transfers of EU users' personal data to the U.S. | 1.200.000.000 € |
| 04/01 | Meta | Ireland | Switched the legal basis for its data processing from consent to performance of a contract. | 390.000.000 € |
| 01/09 | TikTok | Ireland | Handling of the personal data of children under 13. | 345.000.000 € |
| 15/06 | Criteo | France | Failed to ensure that data subjects had given valid opt-in consent before their data were processed. | 40.000.000 € |
| 04/04 | TikTok | UK | Collected personal data of children without parental consent (fine imposed by the UK ICO under the UK GDPR). | 14.500.000 € |


Biggest GDPR fines of 2022

| Date (DD/MM) | Company | Country | Info | Sanction |
|---|---|---|---|---|
| 28/07 | Instagram | Ireland | Processing of children's personal data without a legal basis. | 405.000.000 € |
| 19/01 | Enel Energia | Italy | Unlawful use of customer data for telemarketing. | 26.500.000 € |
| 10/02 | Clearview AI | Italy | Processed personal data, including biometric and geolocation information, without an appropriate legal basis. | 20.000.000 € |
| 13/07 | Meta Platforms Ireland Limited | Ireland | Failed to implement adequate technical and organisational measures enabling it to demonstrate the measures it had in place to protect users' data. | 17.000.000 € |
| 18/05 | Google LLC | Spain | Transferred personal data collected from EU citizens to the Lumen Project, a research project based in the United States, without obtaining the necessary consent. | 10.000.000 € |


Biggest GDPR fines of 2021

| Date (DD/MM) | Company | Country | Info | Sanction |
|---|---|---|---|---|
| 16/07 | Amazon | Luxembourg | Non-compliant advertising practices and lack of freely given consent. The largest GDPR fine at the time (since exceeded by the 2023 Meta decision). | 746.000.000 € |
| 20/08 | WhatsApp | Ireland | Multiple complaints from users and non-users concerning various breaches of the transparency obligations. | 225.000.000 € |
| 08/01 | notebooksbilliger.de | Germany | Video surveillance of employees for at least two years without a legal basis. | 10.400.000 € |
| 28/09 | Austrian Post | Austria | Did not allow individuals to submit requests about their personal data by email. | 9.500.000 € |
| 12/03 | Vodafone Spain | Spain | International data transfers made without regard to GDPR requirements, and customers contacted for marketing without their consent. | 8.150.000 € |


Biggest GDPR fines of 2020

| Date (DD/MM) | Company | Country | Info | Sanction |
|---|---|---|---|---|
| 05/10 | H&M | Germany | Unlawful surveillance of employees: detailed notes on their private lives, gathered in "welcome back" meetings after absences, were stored on a network drive accessible to around 50 managers. | 35.300.000 € |
| 01/02 | TIM S.p.A. | Italy | Hundreds of thousands of unsolicited marketing communications sent to people who had opted out of any kind of marketing. | 27.800.000 € |
| 16/10 | British Airways | United Kingdom | Failure to implement adequate security measures to protect the personal data of about 400.000 customers. | 22.000.000 € |
| 30/10 | Marriott International Inc | United Kingdom | Failure to protect 339 million guest records worldwide, compromised by a cyberattack in 2014 that remained undetected until 2018. | 20.000.000 € |
| 14/07 | Wind Tre | Italy | Unsolicited marketing towards customers who had no option to opt out. | 16.700.000 € |


Biggest GDPR fines of 2019

| Date (DD/MM) | Company | Country | Info | Sanction |
|---|---|---|---|---|
| 21/01 | Google | France | Lack of transparency of the information provided by Google: "not easily accessible to users", insufficient, and not "always clear and understandable". | 50.000.000 € |
| 29/10 | Austrian Post | Austria | Built profiles of over three million Austrians, including personal information such as habits and political affinities, which were then sold to private companies and political parties. | 18.000.000 € |
| 05/11 | Deutsche Wohnen | Germany | Breach of Articles 5 and 25: tenants' personal data were retained in an archive system that did not allow erasure once no longer needed, and remained available to employees. | 14.500.000 € |
| 05/09 | National Revenue Agency | Bulgaria | Breach of the agency's confidential database by a hacker who disclosed the personal data of five million Bulgarian citizens. The agency was found to have poor technical information security measures. | 2.600.000 € |
| 20/09 | Morele.net | Poland | A data breach affected 2.2 million customers of the online retailer's network of websites; the company failed to respond to the emergence of irregular traffic. | 644.780 € |


The general obligation of the controller remains to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of individuals' personal data is carried out in accordance with the GDPR (Article 24).

Oscar Canario da Cunha, Managing Director, Pideeco Network Partner
Comments

  • Pideeco, Tuesday 25th of May 2021, 08:34

    Cookies refer to small files that get dropped automatically on your computer whenever you browse the web. Cookies are harmless bits of text that are locally stored and can be viewed and deleted quickly. However, they give a great deal of insight into a user's activity and preferences. They tend to identify a user without explicit content.
