Companies found to be in breach of the General Data Protection Regulation (GDPR) regulations can face fines up to 20 million euros, or 4% of their total global annual turnover for the preceding financial year – whichever is greater.
When determining the size and severity of any fine, the European Data Protection Board (EDPB) will take into consideration several factors, such as: the nature, gravity and duration of the infringement; the intentional or negligent character of the infringement; and any measures taken to mitigate damage sustained by individuals.
In cases of minor infractions, organizations may be asked to provide written commitments that they are working to ensure compliance in the future. In some scenarios, no fines will be imposed if organizations can demonstrate that they have implemented adequate data protection practices before being found to be non-compliant with GDPR regulations.
Organizations should also note that other forms of enforcement action – such as warning letters and orders for organizations to comply – may still apply even if no fine is issued. The EDPB can also order organizations to take specific measures or make changes to their practices in order to ensure compliance.
The GDPR is a powerful set of regulations that is intended to protect the privacy and data security of European citizens. Organizations who fail to comply with its requirements may face serious consequences, including hefty fines and other forms of enforcement action. It is therefore essential for companies operating within the EU to make sure they are fully compliant with GDPR regulations in order to avoid these penalties.
What are the biggest GDPR non-compliance fines?
Here are 5 of the biggest fines recorded so far:
1. Google (€50m)
Google was one of the first companies to be hit by a substantial GDPR fine of €50m in 2019. It was fined after a French regulator ruled that the company had failed to make its consumer data processing statements easily accessible to its users. The tech giant was also found guilty of not seeking the consent of its users to harness their data for targeted advertising campaigns.
2. H&M (€35.3m)
H&M was fined by German regulators in 2020 after it was found to have been secretly monitoring hundreds of its employees. If workers took holiday or sick leave, they were required to attend a meeting with senior staff at the retail giant on their return. These meetings were recorded and made accessible to H&M managers without the knowledge of staff. The data collected from the interviews was used to make a ‘detailed profile’ of workers, which then influenced decisions concerning their employment.
3. Tim – Telecom Italia (€27.8m)
In early 2020, the Italian data protection authorities issued a mammoth €27.8m fine to telecoms firm Tim, formerly known as Telecom Italia. The fine was levied after a large number of complaints about unwanted promotional calls. The regulator said it had received hundreds of complaints from January 2017 to early 2019. It said customers were getting nuisance calls without having given their consent – even if they had registered their telephone numbers on Italy’s ‘do not call’ list or explicitly told callers they were revoking consent for such calls. One person was reportedly called 155 times in a single month. The violations were several and serious, the regulator found, issuing the large fine and 20 ‘corrective measures’ for the firm.
4. British Airways (£20m)
British Airways was fined in 2020 after users of its website were directed to a fraudulent site. Through the data breach, hackers were able to harvest the personal data of about 400,000 people. The leaked data included login and travel booking details, names, addresses and credit card information. Initially, the Information Commissioner’s Office (ICO) said it planned to fine BA £183.4m – which would have been the largest fine issued under GDPR. But more than a year later, it dramatically lowered the fine, saying ‘the economic impact of Covid-19 had been taken into account’. It was still the highest fine issued by the ICO, which found that the hack was the result of British Airways’ negligence.
5. Marriott International Hotels (£18.4m)
British hotel chain Marriott International was fined in 2020 in relation to a hack dating back to 2014, but not uncovered until four years later. The hack exposed the personal details of about 300 million customers including credit card information, passport numbers and dates of birth. Seven million of those guest records related to people in the UK. Similar to the British Airways fine, the ICO initially said it planned to issue a much higher fine of £99m – but lowered the amount later.
Why businesses choose Cassie for complete GDPR compliance
GDPR has dramatically improved the lives of EU citizens, giving them stronger data rights and more protection.
Cassie helps companies achieve compliance without them having to compromise their business goals.
Why Cassie is the best GDPR solution on the market
We are experts at helping global businesses achieve compliance whilst building long-term relationships with their customers – through the use of our Consent Management Platform Cassie.
Most CMP providers offer templated solutions for legislation compliance: you can become ‘compliant’ quickly, but you’ll have to fit your business rules and workflow around the vendor’s template, legal interpretations and assumptions.
Cassie works around you: with our highly configurable CMP, you’re in charge, you make the choices and Cassie will implement them – keeping you compliant.
Go beyond compliance to power growth with Cassie
By going beyond compliance and actively championing protection and respect of customer data, you’ll build long-lasting trust. We believe respected customers spend more and become loyal brand advocates.
Our carefully curated collection of videos provides practical solutions to help you address the challenges associated with consent and preference management, ensuring compliance with GDPR regulations. Watch here.