The GDPR (General Data Protection Regulation) came into effect in 2018, and in that time, a large number of organisations have fallen foul of its rules. In fact, over 650 fines have been issued relating to GDPR violations, totalling more than €280million in just over three years. New research from cybersecurity specialists ESET has revealed the countries that have handed out the biggest GDPR related fines, where it was found the UK has only issued five since 2018.
ESET conducted a study that analysed GDPR related penalties, looking at; the biggest fines companies have received, the most common reasons for GDPR fines and the countries handing out the most and largest fines.
When looking at the European countries which have received the most fines, Spain came out on top with 273 – representing just under a third of all fines given for GDPR violations. Spain was followed by Italy and Romania, with 75 and 60 fines issued respectively.
Despite receiving the most fines, Spain ranked sixth for the total amount fined (€32,440,810). Luxembourg was out in front with €746,060,300 and the United Kingdom placed second with a total of €44,250,000.
The ten countries that have given out the least amount GDPR-related fines since 2018
| Rank | Country | Number of fines | Average fine | Total amount fined |
| 1 | The Netherlands | 1 | €450,000 | €450,000 |
| 1 | Isle Of Man | 1 | €13,500 | €13,500 |
| 1 | Malta | 1 | €5,000 | €5,000 |
| 4 | Slovakia | 2 | Unknown | Unknown |
| 4 | Croatia | 2 | Unknown | Unknown |
| 6 | Portugal | 4 | €106,000 | €424,000 |
| 6 | Iceland | 4 | €21,675 | €86,700 |
| 8 | United Kingdom | 5 | €8,850,000 | €44,250,000 |
| 8 | Estonia | 5 | €60,110 | €300,548 |
| 8 | Latvia | 5 | €48,650 | €243,250 |
| Rank | Country | Number of fines | Average fine | Total amount fined |
| 1 | Spain | 273 | €118,831 | €32,440,810 |
| 2 | Italy | 75 | €1,126,584 | €84,493,770 |
| 3 | Romania | 60 | €11,659 | €699,550 |
| 4 | Hungary | 43 | €18,881 | €811,883 |
| 5 | Norway | 31 | €49,527 | €1,535,350 |
| 6 | Germany | 28 | €1,756,673 | €49,186,833 |
| 7 | Sweden | 26 | €697,374 | €18,131,730 |
| 8 | Belgium | 25 | €40,720 | €1,018,000 |
| 9 | Poland | 24 | €86,242 | €2,069,798 |
| 10 | Bulgaria | 20 | €160,535 | €3,210,690 |
The five biggest GDPR related fines since 2018’s introduction
| Rank | Controller/Processor | Date | Type | Fine |
| 1 | Amazon Europe Core S.à.r.l. | 16/07/2021 | Non-compliance general data processing principles | €746,000,000 |
| 2 | 21/10/2019 | Insufficient legal basis for data processing | €50,000,000 | |
| 3 | H&M | 01/10/2020 | Insufficient legal basis for data processing | €35,258,708 |
| 4 | Gruppo TIM | 15/01/2020 | Insufficient legal basis for data processing | €27,800,000 |
| 5 | British Airways | 16/10/2020 | Insufficient technical and organisational measures to ensure information security | €22,046,000 |
Looking at the largest European GDPR-related fines to date, Amazon came out on top when it was fined €746,000,000 for non-compliance with general data processing principles in 2021. Closely following are Google and H&M, who were fined €50,000,000 and €35,258,708 respectively for their highest-costing GDPR violations.
Jake Moore, Cybersecurity Specialist at ESET, commented on the findings: “In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.
“Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.
“It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”
