Pennies_web 1

GDPR fine tracker

It’s been more than two years since the much vaunted launch of the GDPR and in that time we’ve seen the ICO flex its powers with increasingly heavy-duty penalties against high-profile companies here in the UK.

Read on to find out how the numbers compare across different incidents, and how the top fines imposed on UK companies compare to its EU counterparts.

Fines in the UK…

Chart of fines by the ICO since the GDPR came into effect

In total 17 fines were issued in 2020 totalling over £42m and averaging £2.5m. However, this is, of course, not representative of the year in its entirety, as it includes the two extraordinary fines issued to Marriott (£18.4m) and BA (£20m). Excluding these fines from our calculations, this means the average fine in 2020 totalled £267,733 due to fines against Cathay Pacific, CRDNN Ltd and DSG Retail between Jan-March of £500,000 each.

Comparatively, so far in 2021 there have been 12 fines issued so far, none of which have reached the max of £500,000. One possible explanation for this is that the ICO are issuing more fines (in the same 4-month period between Jan-Apr, the ICO issued 4 fines – an increase of 3x year on year) but they appear to be smaller/lower value fines (i.e. Seafish Importers were fined only £10,000). Then again, we are only 4 months into 2021 so who is to say that the trend will continue!

The largest issued in the UK under GDPR is the British Airways fine issued in 2020 for a data breach that occurred in 2018 – this was considerably less than the £183m fine that the ICO said it intended to issue in 2019.

Chart of top 10 GDPR fines in the UK

Fines from further afield…

Chart of top ten fines in the EU and UK

In 2019, the CNIL fined Google Fr €50m for unsatisfactory data consent policies that weren’t easily accessible or transparent.

The second largest fine was imposed by the Data Protection Authority of Hamburg for the widespread monitoring of employees violating the GDPRs principle of data minimisation.

Thirdly, Garante, the Italian DPA, fined TIM (Telecom Italia) for a series of unlawful actions mostly stemming from an overly aggressive marketing strategy which included millions of unsolicited communications and promotional calls.

The cumulative value of all UK and EU GDPR fines exceeded 303m in 2020.

The Italian Data Protection Authority, Garante, fined Italian companies the most of any European DPA – levying €58,162,000 worth of fines in 34 fines. The Spanish DPA, on the other hand, issued the most fines, 128 in the last calendar year.

According to research from DA Piper, between January 2020 and January 2021, GDPR fines rose by nearly 40% with data protection authorities recording 121,165 data breach notifications (19% more than the previous 12-month period).

Top 10 total GDPR fines by country 2020 chart

jar web 2

Top 10 EU fines

  1. Google €50m (Cookies & consent)
  2. H&M €35m (Breach of data minimisation principle)
  3. TIM €22m (Marketing)
  4. British Airways €22m (Data Breach)
  5. Marriott €20m (Data Breach)
  6. Österreichische Post AG €18m (Marketing)
  7. Wind €17m (Marketing)
  8. Deutsche Wohnen SE €14.5m (Data retention)
  9. €10.4m (Breach of data minimisation principle – CCTV)
  10. 1&1 Telecom €9.55m (Data Security)
norm_files asterisk web

Fines to note…

Fines for invalid DPO

  • The Belgian DPA fined a company €50,000 for improperly appointing the head of the compliance, risk management, and audit departments to serve as its DPO which violates the requirement for an independent DPO.
  • The AEPD fined Glovo €25,000 for appointing a Data Protection Committee (rather than DPO) and failing to notify the relevant DPA.
  • The Belgian DPA fined Proximus €50,000 for having a DPO with a conflict of interest and failing to involve the DPO in the processing of personal data breaches.

Fine for not appointing a GDPR Representative

In May 2021 a Canadian company was fined €525,000 for having failed to appoint an EU Representative, (with an additional €20,000 for each two-week period during which they remain uncompliant, up to a maximum of €120,000).

The company admitted that it had no establishment in the EU. Accordingly, the obligation under EU GDPR Article 27 – to appoint a Representative in the EU – applied.

The company was unable to rely on the “occasional processing” exemption, even though there was only a small volume of EU personal data being processed, because the regulator decided that the processing was a usual part of the website’s operation.

This decision implies that it will be difficult, in practice, for any website operator to successfully claim that its processing is only ‘occasional’ because the volume of data being process is low.

norm_asterisk_predictable pebble

Legal Framework

The GDPR empowers supervisory authorities such as, in the UK, the Information Commissioner’s office (ICO) to impose fines and establish criteria for their assessment. Art. 83 of the GDPR provides that fines should be proportionate and dissuasive. There is hardly any obligation laid down by the GDPR where non-compliance cannot be sanctioned with a fine.

  Reduce the risk with protection…


Offering practical and cost-effective support for GDPR compliance, this service includes limited access to an independent, lawyer-led DPO team with expertise in data protection law & practice.

If you don’t sell products and services directly to consumers, handle personal data beyond that of your own employees, and don’t require emergency support in the event of a data breach, Basic Cover may be sufficient for your needs.


If your needs are anything other than basic GDPR compliance smartbloc. Premium Cover offers a bespoke service aligned to the requirements and operation of your business.

It delivers all the benefits of a full-time in-house DPO and the support of a UK qualified lawyer who is an expert in data protection law. This service handles all of your data protection and GDPR compliance needs, for around a quarter of the cost of an in-house DPO.