4 years of GDPR: penalties and fines in data protection

EU countries impose more than 1,000 penalties and 1.6 billion euros in fines in just four years

Since the General Data Protection Regulation came into force in May 2018, the data protection authorities of the EU member states have regularly punished not only minor and major data breaches with hefty fines, but also massive breaches of data protection guidelines involving many thousands of data subjects.

In just four years, the responsible state and local data protection authorities uncovered more than 1,000 data privacy violations across Europe and imposed fines totaling 1.6 billion euros as a result. In addition to fines in the millions against some of the world's top-selling corporations, numerous smaller fines were also imposed, but ones that were quite significant for the companies or individuals concerned.

Even small data breaches can be expensive for small and medium-sized companies. Added to this are the reputational damage and possible claims for damages by those affected. The topic of data protection and complete compliance with the GDPR should therefore not be taken lightly.

Review: Data privacy breaches and fines over time

Doubling of breaches in pandemic years 2020 and 2021.

A look at the data shows that European data protection authorities have been investigating, confirming and punishing data protection violations from the first day after the GDPR came into force. On average, 24 penalties were imposed per month.

A strikingly high number of data protection violations were reported and penalized in the pandemic years 2020 and 2021. From 2019 to 2020, the number of penalized violations increased by 104% and from 2020 to 2021 by another 40%. However, there may still be different trends for 2022.

These industries most frequently violate data protection regulations

Even the public sector has difficulties with GDPR compliance

In every company, countless sensitive, personal data come together. Data protection is therefore relevant for every specialist department. A review of data breaches by industry shows which sectors of the economy have turned out to be particularly negligent when it comes to data protection over the past four years.

With 244 penalized violations, industry and commerce top the list. The industry received fines totaling 796 million euros. However, this total already includes a single infringement, which has already been punished with a fine of 746 million euros. The record fine was received by retail giant Amazon in 2021, followed by the media and telecommunications industry with 178 violations and fines issued totaling 613 million euros.

The high volume of violations in the public sector and education is particularly striking. 141 breaches have been reported since 2018 and penalized with a total of 19 million euros in fines. This shows that even government agencies still have considerable difficulties with compliance four years after the GDPR came into force.

The highest fines

Record fines for Amazon, Meta, Google and H&M

  1. Amazon: 746 million euros

In July 2021, the mail order company received the record fine from the data protection authority in Luxembourg. This is the highest fine imposed since the GDPR came into force. The Group violated consent requirements as part of its online targeting.

  1. WhatsApp: 225 million euros

After WhatsApp violated transparency requirements under Articles 12-14 of the GDPR, the Irish Data Protection Authority penalized Meta's messenger service in September 2021.

  1. Google: 50 million euros, 60 million euros and 90 million euros

French authorities have already imposed three different million-dollar fines on Google. Violations related to insufficient transparency regarding the personalization of advertising formats, the use of cookies for advertising purposes without consent, and user-unfriendly cookie management.

  1. Facebook: 60 million euros

At Facebook, the French data protection authority also criticized the cumbersome cookie management and imposed a fine of 60 million in January 2022.

  1. H&M: 35 million euros

After it became known that employees at a site in Nuremberg had been extensively questioned about sensitive private information and that this data had been stored, German authorities imposed a fine worth millions in October 2020.

Spain most frequently penalized for data protection violations

In the four years since the introduction of the General Data Protection Regulation at EU level, Spanish data protection authorities have penalized a total of 405 violations and demanded fines of 45 million euros. No other country has imposed more fines in the same period. The record fine for Amazon of 746 million euros, which has already been mentioned several times, was imposed by Luxembourg.

Majority of infringements in Germany by SMEs and natural persons

Germany has penalized a total of 63 data protection violations over the past four years and imposed fines totaling 52 million euros. Among the recipients of the German data protection authorities' fine notices were H&M (35 million euros), Notebooksbilliger (10 million euros) and AOK Baden-Württemberg (1.2 million euros). The majority of the notices, however, concerned small and medium-sized enterprises as well as natural persons and solo self-employed persons. Here, tutoring in GDPR compliance seems particularly necessary. Although the fines are not as high as those imposed on large companies with sales in the millions, penalties of between 100 and 10,000 euros can still have a serious impact on businesses.

10 criteria determine the amount of the fine

The respective data protection authorities in the EU countries are responsible for investigating, punishing and issuing fines for violations of the GDPR. They decide not only whether a violation has occurred, but also the amount of the fine. By the way, every person has the right to report data protection violations to the data protection authorities. The authorities are obliged to investigate every complaint and, if necessary, to issue warnings and impose penalties. The level of the penalty, usually in the form of a fine and a request to close the data gaps, is determined by the data protection authorities on the basis of the following criteria:

  • Nature and scope of the infringement
  • Intent or negligence
  • Damage limitation path
  • Type of data concerned
  • Precautions
  • Data protection certification
  • Previous story
  • Cooperation with the authorities
  • Proactive notification to the authority or notification by third parties
  • Other aggravating or mitigating factors


All data on violations, penalties and fines were added to the report "GDPR Enforcement tracker, 2nd edition 2021" taken from the report. 

Detailed information on violations and recipients of fines was provided with the GDPR portal researched.

Data protection fit in two weeks

Our software-based data protection audit is easy to do when you have time. All you need to do is set aside two hours.

Learn More

More articles

Penalties and fines in data protection

Learn more

Is your favorite app spying on you, too?

Learn more
The biggest data octopuses in the App Store

The biggest data octopuses in the App Store

Learn more