santander fine fca
Europe Fintech Insights Intelligence Regtech Trending

Top 10 Countries With the Most GDPR-Related Fines

The GDPR (General Data Protection Regulation) came into effect in 2018, and in that time, a large number of organisations have fallen foul of its rules. In fact, over 650 fines have been issued relating to GDPR violations, totalling more than €280million in just over three years. New research from cybersecurity specialists ESET has revealed the countries that have handed out the biggest GDPR related fines, where it was found the UK has only issued five since 2018.

ESET conducted a study that analysed GDPR related penalties, looking at; the biggest fines companies have received, the most common reasons for GDPR fines and the countries handing out the most and largest fines.

When looking at the European countries which have received the most fines, Spain came out on top with 273 – representing just under a third of all fines given for GDPR violations. Spain was followed by Italy and Romania, with 75 and 60 fines issued respectively.

Despite receiving the most fines, Spain ranked sixth for the total amount fined (€32,440,810). Luxembourg was out in front with €746,060,300 and the United Kingdom placed second with a total of €44,250,000.


The ten countries that have given out the least amount GDPR-related fines since 2018

RankCountryNumber of finesAverage fineTotal amount fined
1The Netherlands1€450,000€450,000
1Isle Of Man1€13,500€13,500
8United Kingdom5€8,850,000€44,250,000
The ten countries that have given out the most GDPR-related fines
RankCountryNumber of finesAverage fineTotal amount fined


The five biggest GDPR related fines since 2018’s introduction

1Amazon Europe Core S.à.r.l.16/07/2021Non-compliance general data processing principles€746,000,000
2Google21/10/2019Insufficient legal basis for data processing€50,000,000
3H&M01/10/2020Insufficient legal basis for data processing€35,258,708
4Gruppo TIM15/01/2020Insufficient legal basis for data processing€27,800,000
5British Airways16/10/2020Insufficient technical and organisational measures to ensure information security€22,046,000


Looking at the largest European GDPR-related fines to date, Amazon came out on top when it was fined €746,000,000 for non-compliance with general data processing principles in 2021. Closely following are Google and H&M, who were fined €50,000,000 and €35,258,708 respectively for their highest-costing GDPR violations.

Jake Moore, Cybersecurity Specialist at ESET, commented on the findings: “In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.

“Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.

“It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”


  • Francis is a journalist and our lead LatAm correspondent, with a BA in Classical Civilization, he has a specialist interest in North and South America.

Related posts

Spotlight MEA: African Digital Transformation with Axian Group

Polly Jean Harrison

Amazon Web Services Embraces Generative AI to Help Contact Centres Improve Customer Experiences

The Fintech Times

ClauseMatch expands compliance workflow and collaboration platform with a launch in the US

Mark Walker