2 min read

These Are the Highest Penalties under GDPR - Including Fines Issued to Private Individuals


July 16, 2020

Promo Protect all your devices, without slowing them down.
Free 30-day trial
These Are the Highest Penalties under GDPR - Including Fines Issued to Private Individuals

PrivacyAffairs, a leading source of data privacy and cybersecurity research, has issued a report tallying fines issued under the 2018 General Data Protection Regulation (GDPR). It also lists the countries where the highest fines were dealt, as well as the nations with the most punishable incidents.

According to the research firm, since its rollout in May 2018, the GDPR has claimed 340 “victims” for unlawful data protection practices. The report notes that every single one of the 28 EU nations, including the now Brexited United Kingdom, has issued at least one penalty under the new data protection legislature.

“Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose their own penalties to organisations that break the law,” according to PrivacyAffairs.

The report breaks down the nations with the highest fines and those with the most fines as follows:

Nations with the highest fines:

France: €51,100,000

Italy: €39,452,000

Germany: €26,492,925

Austria: €18,070,100

Sweden: €7,085,430

Spain: €3,306,771

Bulgaria: €3,238,850

Netherlands: €3,490,000

Poland: €1,162,648

Norway: €985,400

Nations with the most fines:

Spain: 99

Hungary: 32

Romania: 29

Germany: 28

Bulgaria: 21

Czech Republic: 13

Belgium: 12

Italy: 11

Norway: 9

Cyprus: 8

GDPR Fines Tracker by PrivacyAffairs

France tops the list of highest fines because of a €50 million fine issued by French authorities to Google in January 2019 on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” By contrast, the smallest fine to date under the GDPR is a €90 penalty issued to a Hungarian hospital on November 18, 2019.

UK organizations have been issued seven fines by the Information Commissioner”s Office, totaling over €640,000.Two potentially massive fines, for Marriott International (€204,600,000) and British Airways (€110,390,200) are still under review.

The report also tracks the highest fines issued to private individuals, including a €20,000 penalty issued to an individual in Spain for unlawful video surveillance of employees and an €11,000 penalty issued to a soccer coach in Austria who was found secretly filming female players while they were taking showers. It also mentions a €2,500 fine issued to a Germany resident who sent emails to several recipients where each could see the other recipients’ email addresses.

Readers interested in learning more about the fines dealt under the GDPR in the past two years can access the full research here.




Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.

View all posts

You might also like