50+ GDPR Fines Statistics, Facts & Trends

The General Data Protection Regulation (GDPR) came into force in the EU in May 2018 and has been transforming the landscape of personal data ever since.

What do the GDPR fines statistics tell us about its implementation across the union and beyond?

In this article, I will go over the statistics of GDPR enforcement across different countries and industries and also delve into the state of the GDPR compliance solutions market.

Top 6 GDPR Fines Statistics (Editor’s Pick)

  • There have been 503 GDPR fines for insufficient legal basis for data processing.
  • Cumulative fines issued in 2021-2023 total EUR 2,516,137,068.
  • As of February 2023, the UK had issued 12 GDPR fines.
  • In 2022-2023, Spain issued 241 GDPR fines.
  • Italy issued 122 GDPR fines in 2022.
  • The industry and commerce sector received the most GDPR fines.

GDPR Fines General Statistics & Facts

1. There have been 51 GDPR fines issued so far in 2023.

The fines were issued by eight countries. Most of these fines (34).

These fines totaled EUR 397,130,920 as of March 2023.

2. The highest GDPR fine was issued to Amazon Europe Core S.à.r.l.

The fine amounted to EUR 746 million and was issued in July 2021 by the Luxembourg data protection authority. The basis was non-compliance with general data processing principles.

Here is a table of the other highest GDPR fines issued in 2021-2023:

| Country | Month & Year | Fine Sum, EUR | Fine Recipient | GDPR Violation |
| --- | --- | --- | --- | --- |
| Ireland | September 2022 | 405 million | Meta Platforms, Inc. | Non-compliance with general data processing principles |
| Ireland | January 2023 | 390 million | Meta Platforms Ireland Limited | Non-compliance with general data processing principles |
| Ireland | November 2022 | 265 million | Meta Platforms Ireland Limited | Insufficient technical and organizational measures to ensure information security |
| Ireland | September 2021 | 225 million | WhatsApp Ireland Ltd. | Insufficient fulfillment of information obligation |
| France | December 2021 | 90 million | Google LLC | Insufficient legal basis for data processing |

3. As of February 2023, Ireland had issued the highest GDPR fines by sum.

In total, Ireland has issued 22 GDPR fines with a cumulative sum of EUR 1,309,575,900. Luxembourg is in second place, with 25 fines amounting to EUR 746,285,100.

4. There have been 503 fines issued for insufficient legal basis for data processing.

As of February 2023, this category has the most GDPR fines issued, with the cumulative sum being EUR 430,710,917.

Here is a breakdown of the GDPR fines by sum and type of violation, as they stand in February 2023:

| Type of Violation | Number of Fines | Total Sum of Fines, EUR |
| --- | --- | --- |
| Insufficient legal basis for data processing | 503 | 430,710,917 |
| Non-compliance with general data processing principles | 380 | 1,658,265,759 |
| Insufficient technical and organizational measures to ensure information security | 282 | 375,650,869 |
| Insufficient fulfillment of data subjects rights | 150 | 51,861,370 |
| Insufficient fulfillment of information obligations | 150 | 237,209,440 |
| Insufficient cooperation with supervisory authority | 66 | 374,529 |
| Insufficient fulfillment of data breach notification obligations | 27 | 1,507,161 |
| Insufficient involvement of a data protection officer | 13 | 875,600 |
| Insufficient data processing agreement | 11 | 1,057,110 |

5. The highest GDPR fine issued in February 2023 came from Norway.

The Norwegian data protection authority issued a GDPR fine of EUR 900k to Sats ASA in February 2023. The breach was insufficient fulfillment of a data subject’s rights.

6. Cumulative fines issued in 2021-2023 total EUR 2,516,137,068.

That sum covers fines issued between January 2021 and February 2023.

The highest monthly figure is from July 2021, with fines amounting to EUR 755,084,200.

7. The total value of 2022 GDPR fines was 50% more than that of 2021.

The aggregate amount of GDPR fines in 2022 was EUR 1.64 billion – an increase from EUR 1.09 billion in 2021.

8. Eleven EU countries issued a GDPR fine of over EUR 1 million in 2022-2023.

These countries are Ireland, France, Greece, Italy, Spain, the UK, Austria, Portugal, the Netherlands, Germany, and Denmark.

9. In 2021-2022, nine entities received a GDPR fine for insufficient involvement of a data protection officer.

These entities received fines from data protection authorities of Germany, Belgium, Luxembourg, and Spain. The highest fine for this GDPR violation was EUR 525k, which was issued by the German authorities to a subsidiary of a Berlin-based ecommerce group.

10. Twenty-three GDPR fines were issued in 2022-2023 for insufficient cooperation with a supervisory authority.

Here is a table outlining the countries where such violations occurred and the aggregate sums of applicable fines.

| Country | Number of Fines in the Category | Aggregate Sum of Fines, EUR |
| --- | --- | --- |
| Greece | 2 | 53k |
| Spain | 8 | 27.8k |
| Romania | 5 | 7.8k |
| Poland | 3 | 8.74k |
| Finland | 1 | 8.3k |
| Cyprus | 3 | 8.5k |
| Italy | 1 | 10k |

11. Insufficient data processing agreements led to eight GDPR fines across the EU in 2021-2022.

These fines were issued by Romania, Poland, Italy, Germany, and Spain.

The largest fine was EUR 900k and was imposed in September 2021 by a German data protection authority on Vattenfall Europe Sales GmbH.

12. Between 2021 and 2023, 1,098 GDPR fines were issued in total.

Here is a table of countries and the number of GDPR fines they issued in 2021-2023:

| Country | Number of GDPR Fines | Highest Fine Issued, EUR |
| --- | --- | --- |
| Austria | 9 | 9.5 million |
| Belgium | 19 | 250k |
| Bulgaria | 1 | 380 |
| Croatia | 17 | 285k |
| Cyprus | 23 | 925k |
| Czechia | 1 | 118.5k |
| Denmark | 18 | 1.3 million |
| Finland | 12 | 750k |
| France | 22 | 90 million |
| Germany | 63 | 10.4 million |
| Greece | 40 | 20 million |
| Hungary | 17 | 634k |
| Iceland | 8 | 51k |
| Ireland | 16 | 405 million |
| Italy | 199 | 20 million |
| Latvia | 1 | 65k |
| Lithuania | 6 | 110k |
| Luxembourg | 25 | 746 million |
| Malta | 1 | 65k |
| Norway | 37 | 6.3 million |
| Poland | 27 | 1 million |
| Portugal | 3 | 4.3 million |
| Romania | 77 | 28k |
| Slovakia | 3 | 40k |
| Spain | 423 | 10 million |
| Sweden | 11 | 1.6 million |
| The Netherlands | 10 | 3.7 million |
| UK (including Isle of Man) | 9 | 9 million |

GDPR Statistics & Facts by Region

UK GDPR Fines Statistics

13. The UK issued 8 GDPR fines in 2021-2022.

The highest GDPR fine issued by the UK’s data protection authority in that period was EUR 9 million. It was issued to the American company Clearview AI in May 2022 for non-compliance with general data processing principles.

14. As of February 2023, the UK had issued 12 GDPR fines.

Six of those fines were over EUR 1 million. Two were over EUR 20 million and issued to British Airways and Marriott International in 2020.

15. The total of UK GDPR fines in 2021-2022 was EUR 16.4 million.

These fines include the 2022 EUR 9 million fine to Clearview AI, the EUR 5 million fine to Interserve Group Limited, and the EUR 585k fine issued to the Cabinet Office in 2021. These figures do not include fines issued in the Isle of Man.

16. The Isle of Man data protection authority issued a fine of EUR 202k.

The fine was issued in July 2022 to Manx Care Ltd. The basis for the fine was non-compliance with general data processing principles.

17. In 2022, the UK ICO issued 33 UK GDPR reprimands.

Following the post-Brexit implementation of the GDPR in the UK, the country’s Information Commissioner’s Office issued reprimands for personal data breaches.

The reprimanded organizations included Grindr LLC and Jackson Quinn Solicitors from the private sector and several ministries and hospital trusts from the public sector.

18. In 2022, the UK issued the largest GDPR fine to a law firm in the EU.

The fine was issued to the criminal defense law firm Tuckers Solicitors LLP and amounted to EUR 115k. The cause of the fine was a ransomware attack resulting in a personal data breach.

Other fines issued to law firms include a EUR 9.6k one issued in Poland to Pionier law firm and EUR 67.2k in Denmark to Sirius law firm, both issued in 2022.

Spain GDPR Fines Statistics

19. As of February 2023, Spain has issued more GDPR fines than any other country.

That amounts to 594 fines, totaling EUR 57,833,010. Italy is in second place, with 246 GDPR fines issued for a total sum of EUR 57,833,010.

20. In 2022-2023, Spain issued 241 GDPR fines.

The biggest GDPR fine in Spain was handed to Google LLC in May 2022 for insufficient legal basis for data processing. It amounted to EUR 10 million.

Here is a table specifying other high fines issued by Spain in 2022-2023:

| Month & Year | Fine Sum, EUR | Fine Recipient | GDPR Violation |
| --- | --- | --- | --- |
| February 2022 | 3.94 million | Vodafone España, S.A.U. | Non-compliance with general data processing principles |
| February 2022 | 2 million | Amazon Road Transport Spain S.L. | Insufficient legal basis for data processing |
| February 2022 | 900k | TELEFÓNICA MÓVILES ESPAÑA, S.A.U. | Non-compliance with general data processing principles |
| October 2022 | 525k | TECHPUMP SOLUTIONS S.L. | Non-compliance with general data processing principles |
| January 2023 | 56k | Vodafone España, S.A.U. | Insufficient legal basis for data processing |

21. Spain’s February 2023 GDPR fines amount to EUR 37,180.

The highest of these fines was EUR 15k, issued on February 28, 2023.

It was issued to GRUPO NORCONSULTING, S.L., for insufficient fulfillment of a data subject’s rights.

22. Spain issued the smallest GDPR fine in 2022.

The fine, issued in December 2022 to a private individual for installing a video surveillance system in a building where they rented a flat, amounted to EUR 120.

It was the EU’s smallest GDPR fine in 2022.

23. The Spanish data protection authority issued the most fines for insufficient cooperation with the supervisory authority.

As of February 2023, the country issued 22 GDPR fines under that category.

The last one was in January 2023 for EUR 1,000 and was issued to EDITORIAL RIBADEO S.L.

24. In 2021-2023, Spain issued more GDPR fines to private individuals than any other EU country.

In total, Spain issued 74 GDPR fines to private citizens during that period.

The two largest fines amounted to EUR 10k and were issued in June and September 2022.

Germany GDPR Fines Statistics

25. Germany issued 63 GDPR fines in 2021-2023.

The highest fine issued during that period was to IT e-commerce retailer notebooksbilliger.de for insufficient legal basis for data processing.

The fine amounted to EUR 10.4 million and was issued in January 2021.

26. In 2022, Germany issued 3 GDPR fines to real estate players.

These fines were issued to a property developer (EUR 50k), a surveyor (EUR 5k), and a housing association (EUR 1.9 million). All of them were related to insufficient legal basis for data processing.

Italy GDPR Fines Statistics

27. In 2023, Italy issued one GDPR fine of EUR 2.5k.

The fine was issued in January 2023 to Azienda Sanitaria Locale di Brindisi.

The legal basis for the fine was insufficient fulfillment of the data subject’s rights.

28. Italy issued 122 GDPR fines in 2022.

The highest fine Italy issued that year was EUR 20 million.

It was issued to Clearview AI in February 2022 for non-compliance with general data processing principles.

This table specifies the highest GDPR fines issued by Italy in 2021-2022:

| Month & Year | Fine Sum, EUR | Fine Recipient | GDPR Violation |
| --- | --- | --- | --- |
| February 2022 | 20 million | Clearview AI | Non-compliance with general data processing principles |
| December 2022 | 4.9 million | Edison Energia S.p.A. | Non-compliance with general data processing principles |
| March 2021 | 4.5 million | Fastweb S.p.A. | Non-compliance with general data processing principles |
| September 2021 | 3.3 million | Sky Italia S.r.l | Insufficient legal basis for data processing |
| May 2021 | 2.86 million | Iren Mercato S.p.A. | Insufficient legal basis for data processing |
| June 2021 | 2.6 million | Foodinho S.r.l. | Non-compliance with general data processing principles |

29. In 2021-2022, 77 GDPR fines were issued in Italy for insufficient legal basis for data processing.

The largest fine was EUR 3.3 million. It was issued in September 2021 to Sky Italia S.r.l. for illegal telemarketing.

Eastern Europe GDPR Fines Statistics

30. Romania is in third place for the number of GDPR fines issued.

As of February 2023, Romania issued 124 GDPR fines overall and is behind Spain and Italy in that regard. The total sum of Romanian GDPR fines is EUR 705,550.

31. Romania issued eight GDPR fines in 2023.

The highest fine amounted to EUR 5,000 and was issued in February 2023.

The recipient was Medijobs Platform SRL, and the cause was insufficient technical and organizational measures to ensure information security.

32. In 2022, Poland issued 13 GDPR fines.

The highest fine issued by the Polish data protection authority was issued in January 2022. It amounted to EUR 1 million and was received by the Polish company Fortum Marketing and Sales Polska SA for insufficient technical and organizational measures to ensure information security.

33. In 2021-2023, Lithuania issued 6 GDPR fines.

Here is a breakdown of the GDPR fines issued by Lithuania in 2021-2023:

| Month & Year | Fine Sum, EUR | Fine Recipient | GDPR Violation |
| --- | --- | --- | --- |
| January 2023 | 6k | Praktiškas UAB | Insufficient legal basis for data processing |
| November 2021 | 110k | UAB Prime Leasing | Insufficient technical and organizational measures to ensure information security |
| June 2021 | 20k | UAB VS FITNESS | Non-compliance with general data processing principles |
| March 2021 | 15k | Registrų Centras | Insufficient technical and organizational measures to ensure information security |
| February 2021 | 12k | Nacionaliniam visuomenės sveikatos centrui (NVSC) | Non-compliance with general data processing principles |
| February 2021 | 3k | IT sprendimai sėkm | Non-compliance with general data processing principles |

34. Latvia, Bulgaria, and Czechia each issued a single GDPR fine in 2021.

Latvia and Czechia fined their organizations for insufficient legal basis for data processing, and Bulgaria for non-compliance with general data processing principles.

The Czech data protection authority fined an unknown entity EUR 118.5k, and the Latvian authority fined Lursoft IT SA EUR 65k. The Bulgarian authority fined a bank EUR 380.

35. Croatia issued 14 GDPR fines in 2022.

The highest GDPR fine issued in Croatia that year was EUR 285,000.

A telecommunication company received that fine for insufficient technical and organizational measures to ensure data security.

36. The highest GDPR fine issued by Hungary was EUR 634k.

The fine was issued in February 2022 to Budapest Bank Zrt. The grounds for the fine were insufficient legal basis for data processing.

GDPR Enforcement Outside EU Statistics & Facts

37. Most non-EU companies that received GDPR fines in 2021-2023 were American.

These companies included Meta Platforms Inc., Google LLC, Clearview AI Inc., and Discord Inc., among others.

38. US-based Google LLC received EUR 100 million in GDPR fines in 2021-2022.

This figure is the sum of two fines issued by Spain in 2022 (EUR 10 million) and France in 2021 (EUR 90 million). Both fines were issued for insufficient legal basis for data processing.

GDPR Fines Statistics & Facts by Industry

39. The industry and commerce sector received the most GDPR fines.

As of February 2023, the industry and commerce sector received 362 GDPR fines, totaling EUR 857,190,981. The media and telecoms sector is in second place, with 216 fines amounting to EUR 1,694,160,741.

40. Members of the Vodafone group received 41 GDPR fines in 2021-2023 from Spain and Italy.

The highest fine was issued in Spain to Vodafone España, S.A.U. in March 2021.

It amounted to EUR 8.15 million and was issued after 191 complaints against the company about advertising messages.

41. In 2021-2022, the Dutch data protection authority issued four fines in the public sector and education.

Here is a table showing the breakdown of GDPR fines issued by all the EU countries in the public sector and education in 2021-2022:

| Country | Number of Fines | Examples of Fined Entities | Aggregate Amount, EUR |
| --- | --- | --- | --- |
| The Netherlands | 4 | Dutch Tax and Customs Administration, Dutch Foreign Ministry | 7.6 million |
| The United Kingdom | 1 | Cabinet Office | 585k |
| Spain | 8 | PODEMOS Political party, Master Distancia S.A., Certime S.A. | 53.4k |
| Romania | 1 | Natural person holding the position of General Secretary for a political party in Bucharest | 500 |
| Portugal | 3 | Portuguese National Statistical Institute, Lisbon City Council | 5.73 million |
| Poland | 8 | Mayor of Dobrzyniewo Duże municipality, Foundation for the promotion of mediation and legal education, National School of Justice and Prosecution | 61.7k |
| Norway | 3 | Norwegian Parliament, Lillestrøm Municipality | 239.5k |
| Lithuania | 2 | Registrų Centras, Lithuanian National Health Service | 27k |
| Italy | 40 | City of Rome, Veneto region, Italian Ministry of Defense | 2.59 million |
| Ireland | 2 | Limerick City and County Council, Irish Teaching Council | 170k |
| Iceland | 2 | City of Reykjavík, Icelandic Ministry of Industry and Innovation | 87k |
| Greece | 5 | Greek Ministry of Tourism, Candidate for parliamentary elections | 96k |
| France | 1 | GIE INFOGREFFE | 250k |
| Denmark | 9 | Hørsholm municipality, Lolland municipality, Syddanmark Region | 218.4k |
| Cyprus | 5 | English School in Cyprus, Cypriot Ministry of Defense, Oroklini Municipal Council | 26k |
| Belgium | 1 | A school | 1k |

42. Healthcare companies received four GDPR fines from Scandinavian countries in 2022.

Two of these fines came from Sweden.

Here is a table with more information:

| Country | Entity | Amount, EUR | Grounds |
| --- | --- | --- | --- |
| Finland | A Medical Clinic | 5k | Insufficient fulfillment of information obligations |
| Denmark | Danish National Genome Center | 6.7k | Insufficient technical and organizational measures to ensure information security |
| Sweden | Uppsala hospital board | 152k | Insufficient technical and organizational measures to ensure information security |
| Sweden | Uppsala regional board | 28.5k | Insufficient technical and organizational measures to ensure information security |

43. There were ten GDPR fines issued to healthcare providers in 2022-2023.

Two such fines were issued in 2023 by Ireland (EUR 460k) and Sweden (EUR 17.9k). The rest of the fines were issued in 2022 by Spain and Italy.

44. Meta was fined over EUR 1 billion in GDPR penalties in 2022-2023.

The tech companies Meta Platforms Inc. and Meta Platforms Ireland Limited received four fines in total in that period, the highest being EUR 405 million.

All of them came from the Irish data protection authority.

Meta’s fines amounted to 80% of all GDPR fines in 2022.

45. Social media & messenger apps received over EUR 1.3 billion in GDPR fines in 2021-2023.

Here is a breakdown of fines incurred by social media and messenger apps, including Meta’s fines:

| Country | Date | Amount, EUR | App | Breach |
| --- | --- | --- | --- | --- |
| Ireland | January 2023 | 5.5 million | WhatsApp | Insufficient legal basis for data processing |
| Ireland | January 2023 | 390 million | Facebook, Instagram | Non-compliance with general data processing principles |
| Ireland | November 2022 | 265 million | Facebook, Facebook Messenger | Insufficient technical and organizational measures to ensure information security |
| France | November 2022 | 800k | Discord | Non-compliance with general data processing principles |
| Italy | October 2022 | 2 million | Clubhouse | Non-compliance with general data processing principles |
| Ireland | September 2022 | 405 million | Instagram | Non-compliance with general data processing principles |
| Norway | December 2021 | 6.3 million | Grindr | Insufficient legal basis for data processing |
| Ireland | September 2021 | 225 million | WhatsApp | Insufficient fulfilment of information obligations |
| The Netherlands | April 2021 | 750k | TikTok | Insufficient fulfilment of information obligations |

46. Amazon received three GDPR fines in 2021-2022.

These fines came from Italy, Spain, and Luxembourg, each country issuing a fine to the respective Amazon subsidiary on their territory. The total amount of fines was EUR 748.02 million.

47. Clearview AI Inc. received four GDPR fines in 2022.

The American company was fined by the British, French, Greek, and Italian data protection authorities. In total, the fines amounted to EUR 69 million, with France, Greece, and Italy each issuing a EUR 20 million fine and the UK issuing a EUR 9 million one.

GDPR Compliance Solutions Market Statistics & Facts

48. The GDPR compliance services market is predicted to reach $3.9 billion by 2026.

In 2022, the market was worth $2 billion. It is expected to grow at a compound annual growth rate of 18.2%. The solutions segment of the market is expected to reach $2.6 billion by 2026.

49. GDPR startup DataGuard raised $61 million in 2022.

The German data privacy SaaS startup raised the money in a Series B round in September 2022. It provides solutions for compliance with GDPR and other data privacy regulations.

50. T-Systems & AWS launched a joint GDPR compliance venture in 2022.

The new cloud-based Data Protection as Managed Service offering will enable compliance with GDPR and Schrems II requirements.

Are Some Countries More Strict With GDPR Fines Than Others?

Since Spain and Italy have each issued over 200 GDPR fines in the last three years, they seem more zealous in applying GDPR fines than other countries, such as Iceland or Portugal.

However, some industries, such as technology, are more vulnerable to GDPR fines than others, as seen from Meta's huge fines.

Do you want to know more about how European countries work to protect personal data? Then check out our articles on cybersecurity in Spain or Italy!
