GDPR fine tracker

It’s been more than two years since the much vaunted launch of the GDPR and in that time we’ve seen the ICO flex its powers with increasingly heavy-duty penalties against high-profile companies here in the UK.

Read on to find out how the numbers compare across different incidents, and how the top fines imposed on UK companies compare to its EU counterparts.


Fines in the UK…

In total 17 fines were issued in 2020 totalling over £42m and averaging £2.5m. However, this is, of course, not representative of the year in its entirety, as it includes the two extraordinary fines issued to Marriott (£18.4m) and BA (£20m). Excluding these fines from our calculations, this means the average fine in 2020 totalled £267,733 due to fines against Cathay Pacific, CRDNN Ltd and DSG Retail between Jan-March of £500,000 each. 

Comparatively, so far in 2021 there have been 12 fines issued so far, none of which have reached the max of £500,000. One possible explanation for this is that the ICO are issuing more fines (in the same 4-month period between Jan-Apr, the ICO issued 4 fines – an increase of 3x year on year) but they appear to be smaller/lower value fines (i.e. Seafish Importers were fined only £10,000). Then again, we are only 4 months into 2021 so who is to say that the trend will continue!

The largest issued in the UK under GDPR is the British Airways fine issued in 2020 for a data breach that occurred in 2018 – this was considerably less than the £183m fine that the ICO said it intended to issue in 2019.

If you’d like to read more about it – see our blog post here.

Fines from further afield…

In 2019, the CNIL fined Google Fr €50m for unsatisfactory data consent policies that weren’t easily accessible or transparent.

The second largest fine was imposed by the Data Protection Authority of Hamburg for the widespread monitoring of employees violating the GDPRs principle of data minimisation.

Thirdly, Garante, the Italian DPA, fined TIM (Telecom Italia) for a series of unlawful actions mostly stemming from an overly aggressive marketing strategy which included millions of unsolicited communications and promotional calls.

The cumulative value of all UK and EU GDPR fines exceeded 303m in 2020.

The Italian Data Protection Authority, Garante, fined Italian companies the most of any European DPA – levying €58,162,000 worth of fines in 34 fines. The Spanish DPA, on the other hand, issued the most fines, 128 in the last calendar year.

According to research from DA Piper, between January 2020 and January 2021, GDPR fines rose by nearly 40% with data protection authorities recording 121,165 data breach notifications (19% more than the previous 12-month period).

Top 10 EU fines

  1. Google €50m (Cookies & consent)
  2. H&M €35m (Breach of data minimisation principle)
  3. TIM €22m (Marketing)
  4. British Airways €22m (Data Breach)
  5. Marriott €20m (Data Breach)
  6. Österreichische Post AG €18m (Marketing)
  7. Wind €17m (Marketing)
  8. Deutsche Wohnen SE €14.5m (Data retention)
  9. €10.4m (Breach of data minimisation principle – CCTV)
  10. 1&1 Telecom €9.55m (Data Security)

Fines to note…

Fines for invalid DPO

  • The Belgian DPA fined a company €50,000 for improperly appointing the head of the compliance, risk management, and audit departments to serve as its DPO which violates the requirement for an independent DPO.
  • The AEPD fined Glovo €25,000 for appointing a Data Protection Committee (rather than DPO) and failing to notify the relevant DPA.
  • The Belgian DPA fined Proximus €50,000 for having a DPO with a conflict of interest and failing to involve the DPO in the processing of personal data breaches (see link here).

Fine for not appointing a GDPR Representative

In May 2021 a Canadian company was fined €525,000 for having failed to appoint an EU Representative, (with an additional €20,000 for each two-week period during which they remain uncompliant, up to a maximum of €120,000).

The company admitted that it had no establishment in the EU. Accordingly, the obligation under EU GDPR Article 27 – to appoint a Representative in the EU – applied.

The company was unable to rely on the “occasional processing” exemption, even though there was only a small volume of EU personal data being processed, because the regulator decided that the processing was a usual part of the website’s operation.

This decision implies that it will be difficult, in practice, for any website operator to successfully claim that its processing is only ‘occasional’ because the volume of data being process is low.

norm files