• enGlobal | EN
Show locations Show locations
  • EQS Cockpit
  • Whistleblowing
  • Insider Management
  • Policy manager
  • Investor Targeting
  • Disclosure
  • Webcast
  • Career
Back to overview

The Biggest GDPR Fines of 2021

The financial penalties for breaching the GDPR can be staggering, running into hundreds of millions of euro.

by Niall McCarthy 5 min

    Europe’s General Data Protection Regulation (GDPR) contains hundreds of pages’ worth of requirements and it is considered one of the toughest privacy and security laws globally. In effect since May 25, 2018, the regulation imposes obligations on organisations anywhere in the world as long as they target or collect data related to people in the EU.

    The scale and complexity of the GDPR has turned it into a daunting prospect for compliance departments, though the availability of innovative software solutions has helped ease the burden. Nevertheless, breaches are serious and financial penalties can add up to hundreds of millions of euro. This article looks at the biggest fines of 2021, two of which were record sums.

    Nevertheless, breaches are serious and financial penalties can add up to hundreds of millions of euro. This article looks at the biggest fines of 2021, two of which were record sums.

    Evolution of GDPR fines

    1. Amazon – €746 million

    Amazon was handed a mammoth €746 million EU GDPR fine by Luxembourg’s National Commission for Data Protection in July 2021 and it dwarfs all previous breaches. The online retail behemoth has its EU base in Luxembourg and it has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed the fine, stating that it “strongly” disagrees with the Commission’s findings. It isn’t the first time Amazon has fallen foul of data protection regulations. The French Data Protection Authority (CNIL) fined the company €35 million in late 2020 for its alleged failure to provide cookie consent and associated information to users on its website.

    2. WhatsApp – €225 million

    2021 wasn’t just notable for the biggest GDPR fine on record. It also saw the second-highest financial penalty when WhatsApp was given a massive €225 million fine in August by Ireland’s Data Protection Commission. This was as a result of breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Specifically, WhatsApp came up short in providing information to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” and “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. As was the case with Amazon, WhatsApp also decided to appeal this decision.

    3. Notebooksbilliger.de – €10.4 million

    2021 kicked off with a significant fine for German online electronics retailer notebooksbillger.de. On January 8, the data protection commissioner for the German state of Lower Saxony announced that the company would be subject to a €10.4 million fine for violating the GDPR’s data protection rules. For more than two years, notebooksbilliger.de had been monitoring its employees and customers with CCTV cameras while the recordings were stored for up to 60 days. While the GDPR does not prohibit the use of CCTV, surveillance must be a legitimate response and conducted with a proper legal basis.

    4. Austrian Post – €9.5 million

    September saw the largest GDPR fine in Austria’s history when the country’s national post service was slapped with a €9.5 million fine. The company was sanctioned for failing to enable people to make inquiries about stored personal data via email. This was despite the fact that Austrian Post has already made this possible through several mediums such as letter, online forms and customer service. However, the Austrian Data Protection Authority said that the post service should have allowed rights requests to be sent by any medium desired, including email.

    Biggest GDPR fines by country

    5. Vodafone España – €8.15 million

    Spain’s Agencia Española de Protección de Dato or Data Protection Authority (AEPD) imposed an €8.15 million penalty on Vodafone España on March 11, 2021, the country’s biggest GDPR fine to date. The sum is actually an amalgamation of four separate fines for various activities involving marketing and prospecting by telephone and electronic communications infringements. For example, some of the measures employed did not have prior written authorization, an international data transfer did not take sufficient measures required under the GDPR while individuals were contacted and had their data processed despite them objecting.

    6. Grindr – €6.3 million

    In January, Norway’s Data Protection Authority notified Grindr that it was administering it with a €6.3 million fine for not complying with GDPR rules on consent. The location-based dating app for gay, bi, trans and queer people allegedly shared user data with a number of third parties without a legal basis. Consent was needed prior to this data being shared and Grindr’s consents were not valid. The Norwegian Data Protection Authority added that because use of the platform is based on sexual orientation, the offense constituted a special category meriting particular protection.

    7. Caixabank S.A. – €6 million

    The AEPD imposed a fine of €6 million on Caixabank S.A. in January 2021 which broke Spain’s previous record. The company’s failure to provide a mechanism to collect the data subject’s consent and a lack of justification for its processing activities constituted a breach of Article 6 of the GDPR and an administrative fine of €4 million. The remaining €2 million penalty was down to a lack of transparency under Articles 13 and 14 of the GDPR, particularly the legal basis behind the purposes of personal data processing.

    Most common GDPR violations

    8. Fastweb – €4.5 million

    Garante, Italy’s Data Protection Authority, announced a €4.5 million fine for telecommunications firm Fastweb on April 02. Garante launched an investigation into Fastweb after hundreds of complaints were received by users who received promotional calls without their consent. The calls in question allegedly originated from unregistered numbers and the issue impacted the company’s entire customer base. This is not the first time Fastweb has been sanctioned for telemarketing offenses that breached the GDPR. Indeed, it was fined for similar violations in 2012 and 2018. After the latest incident, Garante ordered Fastweb to strengthen its security measures to prevent unauthorised use of its databases, to discontinue using data obtained by third parties without consent and to overhaul its telemarketing practices.

    9. Sky Italia – €3.3 million

    In October, Garante announced another hefty GDPR fine for aggressive telemarketing. Sky Italia was levied a €3.3 million penalty for alleged misuse of customer data for the purpose of making unwanted promotional calls. While this is the sixth-largest fine announced by Garante, it represented just 2.5% of the maximum penalty applicable in the case. It developed when dozens of customers complained after receiving unwanted phone calls promoting Sky’s services. This occurred both directly and through the use of third-party call centers. Garante alleges that the calls were made without consent while the lists used were unverified and acquired from other organisations.

    10. Caixabank Payments & Consumer EFC, EP, S.A.U. – €3 million

    On October 21, 2021, the AEPD fined Caixabank Payments & Consumer EFC, EP, S.A.U. €3 million for unlawfully processing personal data, pursuant to Article 6 of the GDPR. The investigation began in 2018 when an individual made a complaint that the company had requested information about him from a solvency file without both parties having a contract while he was also included in a commercial campaign for a pre-granted credit. The fine was levied due to a lack of information and no legal basis for data processing and profiling,

    In summary

    GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher.

    Both the uptick in violations and the record-breaking fines levied in 2021 highlight a growing lack of consent and transparency. Despite that worrying trend, it has been reassuring to see European regulators actively enforcing the law and imposing fines at a rate never seen before. Before 2021, the largest fine on record was levied in 2019 when Google was penalised €50 million for how it communicated privacy to its users as well as various data processing offences. As can be seen above, that sum has been dwarfed by both Amazon and WhatsApp this year. It’s going to be very interesting to see how the trend evolves in 2022.

    Browse the full list of GDPR violations

    Building an effective anti-bribery and corruption programme

    Key principles of establishing an effective ABC programme

    Download now
    Niall McCarthy
    Niall McCarthy

    Niall is a Content Writer at the EQS Group. Originally from Ireland, he previously worked as a journalist, which included reporting on major corruption trends worldwide.