Top 10 biggest GDPR fines

For a few months now, there’s been a flood of penalties because of the supervisory authorities. No more excuses for not applying the GDPR!


The GDPR… These four letters that can either make a CEO’s ears burn or make him say “the GD-what?”. If you just had the second reaction, I strongly advise you to get out of your cave and catch up on civilization with our previous articles.

Many companies think that they’ve been spared by the General Data Protection Regulation, generally due to lack of knowledge about that topic (but we forgive you). As a basic reminder, I can already tell you this: EVERY public or private organization is subjected to the GDPR. If you want to get away with the Regulation, you must belong to a very specific niche category: you must work on your own, with no customer data, with no employees, no website… basically, with nothing.

If after what I just said you don’t think you are subjected to the GDPR, I suggest you fill out this quiz which will tell you if the regulation applies to you and if you’re compliant. Give it a shot, it doesn’t hurt to try.

dog with meat and beer
Random transition picture.

Since the GDPR came into force, the supervisory authorities imposed loads of fines. And unlike a popular belief: no, the Big Four are not the only ones being supervised and punished. To prove it to you, I’m going to make a list of the biggest fines imposed on this beautiful fall day (November 20th, 2019), and you’ll see that every organization caught hell! Besides, you might learn a few vocabulary words with the original name of the supervisory authorities.

After reading this article, you’ll have no more excuses to not comply with the GDPR!

Let’s go!

10. An accident-prone hospital

On July 16th, 2019, the Dutch supervisory authority (the Autoriteit Persoonsgegevens for purists) punished the Haga hospital with an administrative penalty of €460,000. To deserve such a penalty, the hospital didn’t implement serious technical and organizational measures, i.e. the patients’ medical data were easily accessible for any staff member of the hospital.

To make this story more spicy, the supervisory authority wrote in its report that the doctors and nurses took advantage of this lack of security to access the medical record of Dutch celebrities.

doctor handshake
A Dutch doctor warmly welcoming his next celebrity.

If you’re the kind of person who needs to “learn a valuable lesson from a story”, just remember this:

  • no public organization is spared by the GDPR, even more when they collect sensitive data;
  • yes, the supervisory authority works during summer.

9. Have you ever heard of paczki?

If I say “Urząd Ochrony Danych Osobowych”, do you know which supervisory authority I’m talking about? Congrats, it’s Poland (let’s pretend you knew the answer)!

But why did the authority have to intervene? In fact, on a sunny day of September 2019, the Polish supervisory authority proudly stated that the website got a penalty of more than 2,8 million of zlotys. Two questions should immediately pop up in your mind:

  • What’s
  • What’s a zloty? is a pretty popular e-commerce website in Poland, and they thought that they could bypass the GDPR. After a cyberattack, hackers collected about 2,2 millions of people’s personal data! Understandably, the wrongdoers wanted to make a fortune out of these newly stolen data. In order to do this, they sent an SMS to every phone number that they collected to launch a phishing campaign. Unfortunately, some people fell into that trap and the Polish supervisory authority got wind of this misfortune. Consequently, the latter punished the online shopping website Morele with a fine of 2,8 million zlotys.

And so, what’s a zloty? It’s only the official currency in Poland. Changed into euros, the fine equals about €640,000. It’s not that impressive compared to zlotys, but it’s big enough to get the merchant to comply with the GDPR.

8. Our first Big Four!

You probably heard about the Cambridge Analytica case, which deeply affected the image of Facebook across the world. As a reminder, in March 2018, the media revealed that the personal data of 50 million Facebook users ended up in the hands of Cambridge Analytica, in order to influence the American presidential campaign in 2016.

Apart from the outrage in the media and Mark Zuckerberg’s face during his hearing in front of the Congress, the European supervisory authorities also decided to grill Facebook.

barbecue fire
What’s left of Facebook.

To this end, the ICO, the UK supervisory authority, imposed a £500,000 fine to Facebook for failing to secure its users’ data. Converted to euros, it’s about €575,000.

For a Big Four like Facebook, this penalty seems like a drop in the bucket in comparison with the 4% of the worldwide annual turnover stated by the GDPR. The reason for this “low” penalty is quite simple: the offense was committed before the regulation came into force, so the ICO couldn’t punish Facebook on that basis. Nevertheless, since this story first broke exactly when the GDPR came into force, the UK supervisory authority wanted to set an example by punishing Facebook anyway.

But that’s not all. A few months after being punished by the UK supervisory authority, here we go again for Facebook! The “Garante per la protezione dei dati personali”, the Italian supervisory authority, also decided to punish Facebook with a €1 million fine. Among the data handed to Cambridge Analytica, some of them belonged to Italian users. Good thing that this event happened before the GDPR, otherwise you can bet it would’ve cost much more for Facebook under the new regulation.

7. “A day without orange juice is a day without sunshine”

Still in Italy, the supervisory authority decided once again to hit hard by punishing a company called VinCall. In fact, the electricity provider Edison Energia resorted to VinCall to make cold calls and get new customers.

The problem is that Edison Energia gave all of its customers’ personal data to close on the sale… and of course, no processing contract was concluded between the two companies, unlike what’s stated in Article 28 of the GDPR.

Consequently, the Italian supervisory authority imposed a €2,018,000 fine to the VinCall company. This shows how important it is to conclude processing clauses if you want to transfer some personal data to a third-party.

6. No one’s safe anymore! Even the IRS has to pay!

In late August 2019, the Commission for Personal Data Protection – the Bulgarian supervisory authority – imposes its biggest fine on the basis of the GDPR. The offender’s identity is pretty surprising: the Bulgarian National Revenue Agency (commonly called “NRA”… which can be confusing for American people), which is like the IRS in the United States or HMRC in the UK.

The reason for this punishment is simple: the NRA website had a huge security breach which let every user access all the Bulgarian population’s tax return. Inevitably, the supervisory authority’s reaction was not long coming: a 5,1 million leva fine (about €2,61 million)!

So the bottom line is that the IRS is not spared by the GDPR, so no one is…

scream mask with knife
The supervisory authority at your doorstep.

5. You’d like to acquire real estate?

You want to find a rare gem in downtown Berlin? Good, because we know the right spot to avoid…

In early November 2019, a German real estate company got busted by the German supervisory authority. It seems that the company saved personal data on some storage medium without checking their lawfulness or necessity of storage. Moreover, the data stored could not be deleted… which is useful especially when the GDPR requires companies to delete, anonymize or pseudonymize your data when they no longer need them.

Anyway, total amount of the punishment: €14,5 million. Something for the company to remember the GDPR by…

4. The day Austria went postal on its people…

Just a few days before Germany, Austria also decided to enter the big league by imposing a €18 million fine to the Austrian post.

The facts around this punishment are morally controversial and could have had an international impact if it was about one of the Big Four. Earlier this year, the Austrian media exposed terrible news: the Austrian post supposedly collected its customers’ personal data, including their postal address and their political opinion, to sell them to third-party companies. In total, the post services allegedly created a profile for about 3 million Austrians… while there are only 8,8 million citizens in the country.

Therefore, the supervisory authority conducted an investigation on this case, which was also the perfect chance to take stock of the GDPR compliance. It turns out the authority noticed that the Austrian post really did create a profile for millions of people to sell them to third-parties, and moreover, that they collected data to know the number of deliveries made for everyone and the number of redeliveries… always in order to sell their information.

This punishment really leads us to reflect: did the supervisory authority send the fine to the post by mail?

3. Oh, another GAFA!

This fine has been getting a lot of publicity since the French supervisory authority (the Commission Nationale de l’Informatique et des Libertés) went after a big fish: Google.

Heron with fish
The French authority all proud for catching Google.

In total, the web giant got a €50 million fine. The French supervisory authority wanted to send a strong message to show that no one gets special treatment regarding the GDPR.

This punishment is the result of complaints filed by many users. Therefore, the French supervisory authority carried out an investigation and noticed that Google didn’t apply the principles of transparency and information regarding the customers’ right on their personal data. Moreover, Google supposedly used some personal data for marketing purposes without asking for the users’ consent. In short, Google has been a very naughty kid.

Of course, Google didn’t want to be pushed around by the French authority, so they appealed to contest the fine before the French Council of State in order to get a discount.

2. Here comes the first epic bill

In September 2018, about four months after the GDPR came into force, the hotel group Marriott went through a massive cyberattack. Personal data of over 500 million customers worldwide were stolen, including bank details and IDs. Even if these data were encrypted, the group couldn’t guarantee that the hackers found a way to decrypt all the stolen information.

Consequently, the UK supervisory authority carried out an investigation and considered that the attack resulted from the hotel group’s negligence. Because of this, Marriott International may get a €110 fine! That’s the huge amount suggested by the supervisory authority as a punishment for the group. However, since the investigation has been carried out by the ICO in association with other State Members of the European Union, all the supervisory authorities involved must accept a such amount. All we have to do is wait and see…

1. And the winner is…

Congratulations to British Airways for getting to the top of the ranking! Thanks to their hard negligence with their customers’ personal data, the airline got a monumental €200 million fine by the UK supervisory authority.

According to the ICO, the airline underwent a cyberattack which impacted over 500,000 customers who got their bank details stolen.

This fine was imposed the same week as the hotel group Marriott. The ICO must’ve really rubbed their hands that week…

Any last words?

We’d like to thank every competing company for neglecting the GDPR so much. Without you, we couldn’t have done this ranking, so thank you for making this possible!

And also thank you so much to those who took part in this competition and didn’t make it to the top. So our hearts go out to the Spanish soccer league for trying to record its users through its app thanks to their phone microphone. Lastly, a big shout-out to the Czech car rental company for tracking all the cars rented by its customers. Even if you didn’t enter this ranking, your efforts didn’t go unnoticed!

kid screaming
You inner reaction when someone tells you: “It’s the taking part that counts.”

Joking aside, you probably noticed that the GDPR is not another regulation to take lightly. It takes a thorough compliance work. If you don’t do it, the punishment can hurt badly: up to 4% of your worldwide annual turnover or €20 million. The supervisory authorities already proved it: they won’t hesitate to punish with millions of euros.

Therefore, if you don’t want to enter our next top 10, you know what to do: get compliant! If you don’t know where to start, you can contact us. The Ziwit Consultancy legal and technical experts will guide you all the way until you become GDPR compliant.



Your email address will not be published.