Europe Fintech Insights Latest News Regtech Reports

Top 10 Countries With the Most GDPR-Related Fines

The GDPR (General Data Protection Regulation) came into effect in 2018, and in that time, a large number of organisations have fallen foul of its rules. In fact, over 650 fines have been issued relating to GDPR violations, totalling more than €280million in just over three years. New research from cybersecurity specialists ESET has revealed the countries that have handed out the biggest GDPR related fines, where it was found the UK has only issued five since 2018.

ESET conducted a study that analysed GDPR related penalties, looking at; the biggest fines companies have received, the most common reasons for GDPR fines and the countries handing out the most and largest fines.

When looking at the European countries which have received the most fines, Spain came out on top with 273 – representing just under a third of all fines given for GDPR violations. Spain was followed by Italy and Romania, with 75 and 60 fines issued respectively.

Despite receiving the most fines, Spain ranked sixth for the total amount fined (€32,440,810). Luxembourg was out in front with €746,060,300 and the United Kingdom placed second with a total of €44,250,000.

 

The ten countries that have given out the least amount GDPR-related fines since 2018

RankCountryNumber of finesAverage fineTotal amount fined
1The Netherlands1€450,000€450,000
1Isle Of Man1€13,500€13,500
1Malta1€5,000€5,000
4Slovakia2UnknownUnknown
4Croatia2UnknownUnknown
6Portugal4€106,000€424,000
6Iceland4€21,675€86,700
8United Kingdom5€8,850,000€44,250,000
8Estonia5€60,110€300,548
8Latvia5€48,650€243,250
The ten countries that have given out the most GDPR-related fines
RankCountryNumber of finesAverage fineTotal amount fined
1Spain273€118,831€32,440,810
2Italy75€1,126,584€84,493,770
3Romania60€11,659€699,550
4Hungary43€18,881€811,883
5Norway31€49,527€1,535,350
6Germany28€1,756,673€49,186,833
7Sweden26€697,374€18,131,730
8Belgium25€40,720€1,018,000
9Poland24€86,242€2,069,798
10Bulgaria20€160,535€3,210,690

 

The five biggest GDPR related fines since 2018’s introduction

RankController/ProcessorDateTypeFine
1Amazon Europe Core S.à.r.l.16/07/2021Non-compliance general data processing principles€746,000,000
2Google21/10/2019Insufficient legal basis for data processing€50,000,000
3H&M01/10/2020Insufficient legal basis for data processing€35,258,708
4Gruppo TIM15/01/2020Insufficient legal basis for data processing€27,800,000
5British Airways16/10/2020Insufficient technical and organisational measures to ensure information security€22,046,000

 

Looking at the largest European GDPR-related fines to date, Amazon came out on top when it was fined €746,000,000 for non-compliance with general data processing principles in 2021. Closely following are Google and H&M, who were fined €50,000,000 and €35,258,708 respectively for their highest-costing GDPR violations.

Jake Moore, Cybersecurity Specialist at ESET, commented on the findings: “In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.

“Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.

“It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”

Author

  • Francis is a junior journalist with a BA in Classical Civilization, he has a specialist interest in North and South America.

Related posts

Barclays Finds Trust Is Key for Successful Wealth Transfer in Middle Eastern HNW Families

Polly Jean Harrison

MYPINPAD Launches Global ‘I Love SPoC’ Campaign with Exclusive London Event

Manisha Patel

Business Losses to Cybercrime Data Breaches to Exceed $5 trillion by 2024

Mark Walker