
4 years GDPR

Penalties and fines in data protection

EU countries impose more than 1,000 penalties and €1.6 billion in fines in just four years

Since the General Data Protection Regulation came into force in May 2018, the data protection authorities of the EU member states have not only regularly punished smaller and larger data breaches with severe fines, but also punished massive violations of data protection guidelines with many thousands of victims.

In just four years, the responsible state and local data protection authorities uncovered more than 1,000 data breaches across Europe and, as a result, imposed fines totaling 1.6 billion euros. In addition to fines in the millions against some of the top-selling corporations in the world, numerous smaller fines were also imposed, which were nonetheless painful for the companies or private individuals affected.

Even small data breaches can be expensive for small and medium-sized companies. Added to this are the damage to reputation and possible claims for damages by those affected. Data protection and full compliance with the GDPR should therefore not be taken lightly.

Review: data protection violations and fines over time

Violations doubled in pandemic years 2020 and 2021

A look at the data shows that European data protection authorities have been investigating data protection violations from the first day after the GDPR came into force, and have confirmed and punished violations. On average, 24 penalties were imposed per month.

A striking number of data protection violations were reported and punished in the pandemic years 2020 and 2021. From 2019 to 2020, the number of penalized violations increased by 104% and from 2020 to 2021 by another 40%. For the year 2022, however, there may still be various developments.

These are the industries most likely to violate data protection regulations

Even the public sector struggles with GDPR compliance

Countless sensitive, personal data come together in every company. Data protection is therefore relevant for every department. A look back at data breaches by industry shows which sectors of the economy have proven to be particularly lax when it comes to data protection over the past four years.

Industry and trade lead the list with 244 punishable violations. The sector received fines totaling 796 million euros. However, this sum includes a single violation that alone was punished with a fine of 746 million euros: the record penalty that the retail giant Amazon received in 2021. Next came the media and telecommunications industry with 178 violations and fines totaling 613 million euros.

The high number of violations in the public service and in education is particularly striking. Since 2018, 141 violations have been reported and fined a total of 19 million euros. This shows that, four years after the GDPR came into force, even government agencies still have considerable difficulties with compliance.

The highest fines

Record fines for Amazon, Meta, Google and H&M

  1. Amazon: 746 million euros

In July 2021, the mail order company received the record fine from the data protection authority in Luxembourg. This is the highest fine imposed since the GDPR came into force. The group violated consent requirements as part of its online targeting.

  2. WhatsApp: 225 million euros

After WhatsApp violated transparency requirements under Articles 12-14 GDPR, the Irish data protection authority fined Meta's messaging service in September 2021.

  3. Google: 50 million euros, 60 million euros and 90 million euros

French authorities have already imposed three separate multi-million-euro fines on Google. The violations related to insufficient transparency with regard to the personalization of advertising formats, the use of cookies for advertising purposes without consent, and user-unfriendly cookie management.

  4. Facebook: 60 million euros

The French data protection authority also criticized Facebook for its cumbersome cookie management and imposed a fine of 60 million euros in January 2022.

  5. H&M: 35 million euros

After it became known that employees at a location in Nuremberg were extensively questioned about sensitive private information and that this data was stored, German authorities imposed a multi-million-euro fine in October 2020.

Spain is the country most likely to penalize data protection breaches

In the four years since the introduction of the General Data Protection Regulation at EU level, Spanish data protection authorities have punished a total of 405 violations and imposed fines of 45 million euros. No other country imposed more penalties in the same period. The previously mentioned record fine for Amazon of 746 million euros was imposed by Luxembourg.

Majority of violations in Germany by SMEs and natural persons

Germany has punished a total of 63 data protection violations in the last four years and imposed fines of 52 million euros. The recipients of the fine notices from the German data protection authorities included H&M (EUR 35 million), Notebooksbilliger (EUR 10 million) and AOK Baden-Württemberg (EUR 1.2 million). However, the majority of the notices concerned small and medium-sized companies as well as natural persons and the self-employed. Education on GDPR compliance seems particularly necessary here. The fines are not as high as in the case of large corporations with sales in the millions, but penalties of between 100 and 10,000 euros can still hit companies hard.

10 criteria determine the amount of the fine

The respective data protection authorities of the EU countries are responsible for investigating and punishing violations of the General Data Protection Regulation and for issuing fine notices. They decide not only whether there has been a violation, but also the amount of the penalty. Incidentally, every person has the right to report data protection violations to the data protection authorities. The authorities are obliged to investigate every complaint and, if necessary, to issue warnings and penalties. The amount of the penalty, usually in the form of a fine and a request to close the data protection gaps, is determined by the data protection authorities based on the following criteria:

  • Nature and scope of the violation
  • Intent or negligence
  • Steps taken to limit the damage
  • Type of data affected
  • Precautions
  • Privacy certification
  • Prior history
  • Cooperation with the authorities
  • Proactive reporting to the authority or reporting by a third party
  • Other aggravating or mitigating factors

Sources

All data on violations, penalties and fines were taken from the report “GDPR Enforcement Tracker, 2nd edition 2021”.

Detailed information on violations and recipients of fines was researched using the GDPR portal.


Europe In The Data Protection Ranking

With the adoption of the General Data Protection Regulation (GDPR) in May 2018, the European Union set a milestone in the history of data protection that has received great international recognition. With the aim of achieving a common high level of data protection, rules for the protection of personal information have been standardized for the entire European Union for the first time. In an increasingly digitized world, in which theoretically every activity can be tracked and personal data generates high financial profits, the possibilities of individuals to control their personal information are limited. At this point, the regulation has created a dense network of rights and obligations that give consumers back power and control over their data.

heyData knows data protection from its daily work with companies. Therefore, three years after the introduction of the GDPR, we wanted to use this study to find out how close the European countries have come when it comes to the level of data protection and to discover which points still need improvement. To do this, we examined the majority of the EU member states, Norway, which also implemented the EU GDPR, and the United Kingdom, in which the regulation was in effect until Brexit.

The study focuses on five overarching categories, which we evaluated across 24 sub-points using data and statistics from well-known sources such as the European Commission and the Organization for Economic Cooperation and Development. A simple mathematical point system made it possible to compare the EU countries. The result is the following data protection ranking, which shows the nations with the highest actual level of data protection - Ireland, Germany and the Netherlands - at the top.

Europe In Comparison

  • Enforcement of Laws: Data Protection Violations; % Increase in Data Protection Violations During Pandemic; Fines (€)
  • Companies: Data Protection Strategy; Privacy Team; Compulsory Training; Voluntary Further Training; Data Loss; Data Leak; Insurance Cover
  • Individual Data Protection: Smartphone Malware; Computer Malware; Payment Fraud; Phishing
  • Data Protection Competence: Advertising; Browser; Cookies; Tracking; Social Media; Apps; Cloud
  • Social Mood About Data Protection: Fear of Data Abuse; Authority Over Data

Overall Winners in the Data Protection Ranking

| Position | Country | Final Evaluation | Enforcement of Laws | Companies | Individual Data Protection | Privacy Expertise | Social Mood |
|---|---|---|---|---|---|---|---|
| 1 | Ireland | 100,0 | 80,6 | 85,1 | 100,0 | 43,9 | 100,0 |
| 2 | Germany | 80,3 | 74,6 | 60,9 | 81,9 | 70,9 | 66,7 |
| 3 | Netherlands | 73,6 | 88,8 | 50,9 | 50,0 | 95,6 | 51,3 |
| 4 | United Kingdom | 64,8 | 52,1 | 100,0 | 9,2 | 58,4 | 92,3 |
| 5 | Denmark | 59,5 | 73,1 | 98,3 | 0,0 | 82,3 | 43,6 |
| 6 | Finland | 58,9 | 38,9 | 51,0 | 64,8 | 100,0 | 41,0 |
| 7 | Belgium | 44,3 | 5,3 | 51,7 | 72,1 | 46,6 | 79,5 |
| 8 | Sweden | 41,2 | 100,0 | 65,3 | 9,2 | 72,1 | 0,0 |
| 9 | Italy | 38,5 | 79,0 | 73,2 | 33,4 | 0,0 | 53,8 |
| 10 | Austria | 37,3 | 2,2 | 38,7 | 85,0 | 68,8 | 41,0 |
| 11 | France | 31,0 | 54,5 | 38,5 | 12,9 | 40,7 | 71,8 |
| 12 | Latvia | 27,8 | 2,1 | 63,1 | 64,2 | 13,5 | 66,7 |
| 13 | Luxembourg | 27,4 | 27,4 | 35,9 | 9,8 | 58,4 | 76,9 |
| 14 | Poland | 23,0 | 7,9 | 35,1 | 69,9 | 21,9 | 61,5 |
| 15 | Spain | 18,6 | 18,7 | 55,2 | 4,6 | 54,2 | 51,3 |
| 16 | Estonia | 17,3 | 0,9 | 47,3 | 88,1 | 41,8 | 2,6 |
| 17 | Greece | 16,1 | 1,2 | 21,8 | 93,1 | 7,3 | 53,8 |
| 18 | Slovenia | 15,7 | 32,1 | 30,9 | 50,6 | 26,4 | 35,9 |
| 19 | Norway | 12,9 | 26,2 | 45,5 | 4,2 | 64,2 | 28,2 |
| 20 | Lithuania | 0,8 | 0,0 | 29,9 | 76,2 | 13,3 | 15,4 |
| 21 | Hungary | 0,0 | 6,1 | 0,0 | 9,0 | 45,7 | 71,8 |

Enforcement of Laws

| Position | Country | Category Evaluation | Data Protection Violations | Points | Increase in Data Protection Violations During Pandemic (%) | Points | Fines (€) | Points |
|---|---|---|---|---|---|---|---|---|
| 1 | Sweden | 100 | 119 | 30,4 | 1,6 | 71,7 | 111,352 | 95,8 |
| 2 | Netherlands | 89 | 382 | 100,0 | -2,4 | 75,6 | 14,591 | 12,6 |
| 3 | Ireland | 81 | 345 | 90,2 | -1,5 | 74,7 | 14,402 | 12,4 |
| 4 | Italy | 79 | 6 | 0,6 | 23,4 | 50,8 | 116,242 | 100,0 |
| 5 | Germany | 75 | 93 | 23,8 | 76,2 | 0,0 | 83,068 | 71,5 |
| 6 | Denmark | 73 | 325 | 85,0 | 36,2 | 38,5 | 9,811 | 8,4 |
| 7 | France | 55 | 8 | 1,2 | -10,6 | 83,4 | 80,862 | 69,6 |
| 8 | United Kingdom | 52 | 46 | 11,1 | -27,9 | 100,0 | 65,976 | 56,8 |
| 9 | Finland | 39 | 187 | 48,6 | 1,6 | 71,7 | 3,755 | 3,2 |
| 10 | Slovenia | 32 | 168 | 43,5 | 52,3 | 23,0 | 0 | 0,0 |
| 11 | Luxembourg | 27 | 147 | 37,9 | 8,7 | 64,9 | 0 | 0,0 |
| 12 | Norway | 26 | 91 | 23,1 | 3,5 | 69,9 | 15,432 | 13,3 |
| 13 | Spain | 19 | 7 | 0,9 | 54,7 | 20,7 | 30,613 | 26,3 |
| 14 | Poland | 8 | 42 | 10,3 | 63,6 | 12,1 | 4,494 | 3,9 |
| 15 | Hungary | 6 | 16 | 3,3 | 72,4 | 3,6 | 10,031 | 8,6 |
| 16 | Belgium | 5 | 22 | 4,8 | 26,0 | 48,3 | 7,251 | 6,2 |
| 17 | Austria | 2 | 28 | 6,5 | -18,3 | 90,8 | 797 | 0,7 |
| 18 | Latvia | 2 | 14 | 2,9 | -13,7 | 86,4 | 4,869 | 4,2 |
| 19 | Greece | 1 | 3 | 0,0 | -14,2 | 86,9 | 6,951 | 6,0 |
| 20 | Estonia | 1 | 25 | 5,6 | 14,0 | 59,7 | 31 | 0,0 |
| 21 | Lithuania | 0 | 11 | 2,0 | 62,7 | 13,0 | 2,89 | 2,5 |

Companies

| Position | Country | Category Evaluation | Data Protection Strategy (%) | Points | Data Protection Team (%) | Points | Voluntary Further Training (%) | Points | Compulsory Training (%) | Points | Data Loss (%) | Points | Data Leak (%) | Points | Insurance Cover (%) | Points |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | United Kingdom | 100 | 40 | 93,8 | 45,0 | 0,0 | 60,0 | 100,0 | 37 | 84,4 | 2 | 100,0 | 1 | 100,0 | 46 | 80,8 |
| 2 | Denmark | 98 | 42 | 100,0 | 69,0 | 75,0 | 52,0 | 77,8 | 35 | 78,1 | 4 | 71,4 | 2 | 50,0 | 56 | 100,0 |
| 3 | Ireland | 85 | 42 | 100,0 | 61,0 | 50,0 | 59,0 | 97,2 | 35 | 78,1 | 5 | 57,1 | 2 | 50,0 | 39 | 67,3 |
| 4 | Italy | 73 | 28 | 56,3 | 66,0 | 65,6 | 47,0 | 63,9 | 35 | 78,1 | 4 | 71,4 | 1 | 100,0 | 13 | 17,3 |
| 5 | Sweden | 65 | 39 | 90,6 | 59,0 | 43,8 | 44,0 | 55,6 | 26 | 50,0 | 8 | 14,3 | 1 | 100,0 | 39 | 67,3 |
| 6 | Latvia | 63 | 25 | 46,9 | 74,0 | 90,6 | 60,0 | 100,0 | 20 | 31,3 | 7 | 28,6 | 1 | 100,0 | 12 | 15,4 |
| 7 | Germany | 61 | 27 | 53,1 | 68,0 | 71,9 | 49,0 | 69,4 | 17 | 21,9 | 5 | 57,1 | 1 | 100,0 | 20 | 30,8 |
| 8 | Spain | 55 | 25 | 46,9 | 67,0 | 68,8 | 41,0 | 47,2 | 21 | 34,4 | 7 | 28,6 | 1 | 100,0 | 33 | 55,8 |
| 9 | Belgium | 52 | 27 | 53,1 | 77,0 | 100,0 | 42,0 | 50,0 | 20 | 31,3 | 6 | 42,9 | 2 | 50,0 | 25 | 40,4 |
| 10 | Finland | 51 | 35 | 78,1 | 62,0 | 53,1 | 54,0 | 83,3 | 25 | 46,9 | 5 | 57,1 | 3 | 0,0 | 28 | 46,2 |
| 11 | Netherlands | 51 | 32 | 68,8 | 74,0 | 90,6 | 35,0 | 30,6 | 18 | 25,0 | 5 | 57,1 | 2 | 50,0 | 26 | 42,3 |
| 12 | Estonia | 47 | 18 | 25,0 | 54,0 | 28,1 | 44,0 | 55,6 | 42 | 100,0 | 3 | 85,7 | 2 | 50,0 | 7 | 5,8 |
| 13 | Norway | 46 | 22 | 37,5 | 52,0 | 21,9 | 41,0 | 47,2 | 29 | 59,4 | 4 | 71,4 | 2 | 50,0 | 33 | 55,8 |
| 14 | Austria | 39 | 28 | 56,3 | 60,0 | 46,9 | 39,0 | 41,7 | 22 | 37,5 | 5 | 57,1 | 2 | 50,0 | 18 | 26,9 |
| 15 | France | 39 | 18 | 25,0 | 67,0 | 68,8 | 36,0 | 33,3 | 19 | 28,1 | 6 | 42,9 | 2 | 50,0 | 39 | 67,3 |
| 16 | Luxembourg | 36 | 22 | 37,5 | 63,0 | 56,3 | 39,0 | 41,7 | 21 | 34,4 | 6 | 42,9 | 2 | 50,0 | 26 | 42,3 |
| 17 | Poland | 35 | 18 | 25,0 | 69,0 | 75,0 | 26,0 | 5,6 | 32 | 68,8 | 8 | 14,3 | 1 | 100,0 | 11 | 13,5 |
| 18 | Slovenia | 31 | 26 | 50,0 | 61,0 | 50,0 | 44,0 | 55,6 | 15 | 15,6 | 8 | 14,3 | 1 | 100,0 | 4 | 0,0 |
| 19 | Lithuania | 30 | 22 | 37,5 | 64,0 | 59,4 | 42,0 | 50,0 | 21 | 34,4 | 9 | 0,0 | 1 | 100,0 | 4 | 0,0 |
| 20 | Greece | 22 | 10 | 0,0 | 57,0 | 37,5 | 24,0 | 0,0 | 10 | 0,0 | 4 | 71,4 | 1 | 100,0 | 25 | 40,4 |
| 21 | Hungary | 0 | 13 | 9,4 | 45,0 | 0,0 | 33,0 | 25,0 | 10 | 0,0 | 7 | 28,6 | 1 | 100,0 | 4 | 0,0 |

Individual Data Protection

| Position | Country | Category Evaluation | Smartphone Malware (%) | Points | Computer Malware (%) | Points | Payment Fraud (%) | Points | Phishing (%) | Points |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Ireland | 100 | 2 | 85,7 | 1,6 | 88,8 | 0,1 | 100,0 | 0,93 | 68,9 |
| 2 | Greece | 93 | 4 | 57,1 | 2,4 | 79,8 | 0,6 | 93,0 | 0,5 | 84,7 |
| 3 | Estonia | 88 | 1 | 100,0 | 2,7 | 76,0 | 1,3 | 82,5 | 0,7 | 76,7 |
| 4 | Austria | 85 | 3 | 71,4 | 0,6 | 100,0 | 2,1 | 72,6 | 0,4 | 91,9 |
| 5 | Germany | 82 | 3 | 71,4 | 1,1 | 94,4 | 1,0 | 87,6 | 0,63 | 81,4 |
| 6 | Lithuania | 76 | 3 | 71,4 | 0,6 | 99,9 | 0,3 | 96,5 | 0,2 | 98,5 |
| 7 | Belgium | 72 | 4 | 57,1 | 1,2 | 93,0 | 1,9 | 74,2 | 1,0 | 68,0 |
| 8 | Poland | 70 | 4 | 57,1 | 0,7 | 99,1 | 0,4 | 95,6 | 0,2 | 100,0 |
| 9 | Finland | 65 | 3 | 71,4 | 2,4 | 79,8 | 1,7 | 77,6 | 0,9 | 68,8 |
| 10 | Latvia | 64 | 4 | 57,1 | 0,7 | 98,7 | 1,0 | 87,4 | 0,3 | 95,8 |
| 11 | Slovenia | 51 | 4 | 57,1 | 1,3 | 92,1 | 1,9 | 74,9 | 0,6 | 84,3 |
| 12 | Netherlands | 50 | 3 | 71,4 | 1,5 | 90,2 | 2,2 | 71,0 | 0,80 | 74,4 |
| 13 | Italy | 33 | 5 | 42,9 | 1,8 | 86,8 | 1,9 | 75,0 | 1,0 | 64,7 |
| 14 | France | 13 | 5 | 42, | 2,8 | 74,8 | 5,4 | 26,4 | 1,5 | 45,9 |
| 15 | Luxembourg | 10 | 5 | 42,9 | 5,4 | 45,4 | 3,1 | 58,4 | 0,9 | 69,4 |
| 16 | United Kingdom | 9 | 1 | 100,0 | 2,0 | 84,2 | 7,3 | 0,0 | 1,9 | 30,6 |
| 17 | Sweden | 9 | 3 | 71,4 | 2,3 | 81,0 | 3,3 | 55,8 | 2,5 | 6,5 |
| 18 | Hungary | 9 | 7 | 14,3 | 9,3 | 0,0 | 4,9 | 33,7 | 0,4 | 89,4 |
| 19 | Spain | 5 | 8 | 0,0 | 2,4 | 79,2 | 3,1 | 58,0 | 1,0 | 67,3 |
| 20 | Norway | 4 | 4 | 57,1 | 2,1 | 83,5 | 4,4 | 40,8 | 2,1 | 21,9 |
| 21 | Denmark | 0 | 4 | 57,1 | 1,8 | 86,5 | 5,6 | 23,2 | 2,6 | 0,0 |

Data Protection Competence

| Position | Country | Category Evaluation | Advertising (%) | Points | Browser (%) | Points | Cookies (%) | Points | Tracking (%) | Points | Social Media (%) | Points | Apps (%) | Points | Smartphone | Points | Cloud (%) | Points |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Finland | 100 | 69,7 | 94,2 | 41,5 | 91,2 | 50,1 | 100,0 | 22,2 | 37,1 | 56,7 | 87,3 | 67 | 97,5 | 22 | 100,0 | 50 | 55,3 |
| 2 | Netherlands | 96 | 72,6 | 100,0 | 41,4 | 90,9 | 46,8 | 89,7 | 29,7 | 54,2 | 62,7 | 100,0 | 64 | 90,0 | 14 | 52,9 | 51 | 57,9 |
| 3 | Denmark | 82 | 63,5 | 81,9 | 44,2 | 100,0 | 32,6 | 45,3 | 25,7 | 45,1 | 48,8 | 70,6 | 61 | 82,5 | 11 | 35,3 | 65 | 94,7 |
| 4 | Sweden | 72 | 43,6 | 42,6 | 41,5 | 91,1 | 29,3 | 35,1 | 26,0 | 45,7 | 40,4 | 52,6 | 68 | 100,0 | 10 | 29,4 | 66 | 97,4 |
| 5 | Germany | 71 | 62,8 | 80,5 | 30,7 | 55,5 | 49,1 | 97,1 | 18,2 | 28,0 | 40,1 | 52,0 | 65 | 92,5 | 17 | 70,6 | 33 | 10,5 |
| 6 | Austria | 69 | 60,3 | 75,6 | 42,2 | 93,4 | 36,9 | 59,0 | 12,1 | 14,0 | 53,8 | 81,1 | 53 | 62,5 | 16 | 64,7 | 38 | 23,7 |
| 7 | Norway | 64 | 47,0 | 49,3 | 38,8 | 82,2 | 27,3 | 28,8 | 24,5 | 42,3 | 36,8 | 45,1 | 67 | 97,5 | 10 | 29,4 | 56 | 71,1 |
| 8 | United Kingdom | 58 | 55,2 | 65,4 | 28,9 | 49,4 | 33,7 | 48,8 | 27,4 | 48,8 | 45,3 | 63,1 | 44 | 40,0 | 10 | 29,4 | 54 | 65,8 |
| 9 | Luxembourg | 58 | 38,4 | 32,2 | 36,0 | 73,1 | 40,4 | 69,7 | 20,3 | 32,7 | 29,6 | 29,8 | 63 | 87,5 | 12 | 41,2 | 46 | 44,7 |
| 10 | Spain | 54 | 62,2 | 79,5 | 18,3 | 14,4 | 28,9 | 33,9 | 13,9 | 18,2 | 53,8 | 81,1 | 57 | 72,5 | 12 | 41,2 | 46 | 44,7 |
| 11 | Belgium | 47 | 40,9 | 37,1 | 15,1 | 3,8 | 31,4 | 41,5 | 49,9 | 100,0 | 27,8 | 25,9 | 50 | 55,0 | 9 | 23,5 | 49 | 52,6 |
| 12 | Hungary | 46 | 40,2 | 35,8 | 25,6 | 38,4 | 27,2 | 28,4 | 17,5 | 26,3 | 35,6 | 42,5 | 46 | 45,0 | 8 | 17,6 | 67 | 100,0 |
| 13 | Ireland | 44 | 50,4 | 56,0 | 15,3 | 4,5 | 29,6 | 35,9 | 9,9 | 9,1 | 42,7 | 57,7 | 51 | 57,5 | 13 | 47,1 | 50 | 55,3 |
| 14 | Estonia | 42 | 35,8 | 27,1 | 25,4 | 38,0 | 34,5 | 51,3 | 20,5 | 33,1 | 27,4 | 25,1 | 50 | 55,0 | 12 | 41,2 | 44 | 39,5 |
| 15 | France | 41 | 43,8 | 43,0 | 25,7 | 38,9 | 32,8 | 46,1 | 19,3 | 30,5 | 34,6 | 40,3 | 53 | 62,5 | 10 | 29,4 | 34 | 13,2 |
| 16 | Slovenia | 26 | 34,8 | 25,2 | 22,7 | 29,0 | 23,3 | 16,4 | 18,1 | 27,6 | 24,9 | 19,8 | 49 | 52,5 | 8 | 17,6 | 40 | 28,9 |
| 17 | Poland | 22 | 36,2 | 27,9 | 15,4 | 4,9 | 26,3 | 25,8 | 19,5 | 30,9 | 30,5 | 31,7 | 46 | 45,0 | 9 | 23,5 | 29 | 0,0 |
| 18 | Latvia | 14 | 32,0 | 19,5 | 15,1 | 3,6 | 23,6 | 17,3 | 10,6 | 10,6 | 31,2 | 33,1 | 40 | 30,0 | 7 | 11,8 | 34 | 13,2 |
| 19 | Lithuania | 13 | 32,8 | 21,2 | 21,0 | 23,3 | 19,9 | 5,8 | 13,8 | 18,0 | 27,7 | 25,8 | 33 | 12,5 | 5 | 0,0 | 41 | 31,6 |
| 20 | Greece | 7 | 28,6 | 12,8 | 14,0 | 0,0 | 23,3 | 16,4 | 14,3 | 19,0 | 24,4 | 18,8 | 33 | 12,5 | 7 | 11,8 | 33 | 10,5 |
| 21 | Italy | 0 | 22,1 | 0,0 | 27,3 | 44,3 | 18,1 | 0,0 | 5,9 | 0,0 | 15,6 | 0,0 | 28 | 0,0 | 5 | 0,0 | 34 | 13,2 |

Social Mood About Data Protection

| Position | Country | Category Evaluation | Fear of Data Abuse (%) | Points | Authority Over Data (%) | Points |
|---|---|---|---|---|---|---|
| 1 | Ireland | 100 | 83 | 100,0 | 26,0 | 65,5 |
| 2 | United Kingdom | 92 | 80 | 92,3 | 26,0 | 65,5 |
| 3 | Belgium | 80 | 75 | 79,5 | 33,0 | 41,4 |
| 4 | Luxembourg | 77 | 74 | 76,9 | 26,0 | 65,5 |
| 5 | France | 72 | 72 | 71,8 | 34,0 | 37,9 |
| 6 | Hungary | 72 | 72 | 71,8 | 26,0 | 65,5 |
| 7 | Germany | 67 | 70 | 66,7 | 45,0 | 0,0 |
| 8 | Latvia | 67 | 70 | 66,7 | 31,0 | 48,3 |
| 9 | Poland | 62 | 68 | 61,5 | 21,0 | 82,8 |
| 10 | Italy | 54 | 65 | 53,8 | 23,0 | 75,9 |
| 11 | Greece | 54 | 65 | 53,8 | 22,0 | 79,3 |
| 12 | Netherlands | 51 | 64 | 51,3 | 30,0 | 51,7 |
| 13 | Spain | 51 | 64 | 51,3 | 36,0 | 31,0 |
| 14 | Denmark | 44 | 61 | 43,6 | 26,0 | 65,5 |
| 15 | Finland | 41 | 60 | 41,0 | 16,0 | 100,0 |
| 16 | Austria | 41 | 60 | 41,0 | 31,0 | 48,3 |
| 17 | Slovenia | 36 | 58 | 35,9 | 25,0 | 69,0 |
| 18 | Norway | 28 | 55 | 28,2 | 24,0 | 72,4 |
| 19 | Lithuania | 15 | 50 | 15,4 | 17,0 | 96,6 |
| 20 | Estonia | 3 | 45 | 2,6 | 21,0 | 82,8 |
| 21 | Sweden | 0 | 44 | 0,0 | 31,0 | 48,3 |

Methodology In A Nutshell

The aim of the study is to evaluate the efficiency of data protection measures as well as the data protection competence of consumers in Europe and to compare them at national level. The objects of investigation are all member states of the European Union (with exceptions) as well as the United Kingdom and Norway.

Bulgaria, Croatia, Malta, Portugal, Cyprus, Romania, the Czech Republic and Slovakia had to be excluded from the study due to insufficient data and to enable a fair comparison between all nations.

For the study, all of the named nations were evaluated in the five research fields “Legal Regulations”, “Companies”, “Private Individuals”, “Data Protection Competence” and “Social Mood”. A total of 24 influencing factors contributed to the final result of the study. All influencing factors were selected based on their informative value in relation to the performance of data protection measures or the data protection competence of consumers.

The result is a ranking of the pioneering nations in terms of data protection. The study ended on May 15, 2021.

A complete presentation of the methodology with all definitions, data and sources can be found here (German version, English version)