The General Data Protection Regulation (GDPR) came into force in the EU in May 2018 and has been transforming the landscape of personal data ever since.
What do the GDPR fines statistics tell us about its implementation across the union and beyond?
In this article, I will go over the statistics of GDPR enforcement across different countries and industries and also delve into the state of the GDPR compliance solutions market.
Top 6 GDPR Fines Statistics (Editor’s Pick)
- There have been 503 GDPR fines for the insufficient legal basis for data processing.
- The cumulative fines issued in 2021-2023 are EUR 2,516,137,068.
- As of February 2023, the UK issued 12 GDPR fines.
- In 2022-2023, Spain issued 241 GDPR fines.
- Italy issued 122 GDPR fines in 2022.
- The industry and commerce sector received the most GDPR fines.
GDPR Fines General Statistics & Facts
1. There have been 51 GDPR fines issued so far in 2023.
The fines were issued by eight countries. Most of these fines (34).
The full amount of these fines amounted to EUR 397,130,920 as of March 2023.
2. The highest GDPR fine was issued to Amazon Europe Core S.à.r.l.
The fine amounted to EUR 746 million and was issued in July 2021 by the Luxembourg data protection authority. The basis was non-compliance with general data processing principles.
Here is a table of other highest GDPR fines issued in 2021-2023:
|Country||Month & Year||Fine Sum, EUR||Fine Recipient||GDPR Violation|
|Ireland||September 2022||405 million||Meta Platforms, Inc.||Non-compliance with general data processing principles|
|Ireland||January 2023||390 million||Meta Platforms Ireland Limited||Non-compliance with general data processing principles|
|Ireland||November 2022||265 million||Meta Platforms Ireland Limited||Insufficient technical and organizational measures to ensure information security|
|Ireland||September 2021||225 million||WhatsApp Ireland Ltd.||Insufficient fulfillment of information obligation|
|France||December 2021||90 million||Google LLC||Insufficient legal basis for data processing|
3. As of February 2023, Ireland issued the highest GDPR fines by sum.
In total, Ireland has issued 22 GDPR fines in the cumulative sum of EUR 1,309,575,900. Luxembourg is in second place, with 25 fines amounting to EUR 746,285,100.
4. There have been 503 fines issued for the insufficient legal basis for data processing.
As of February 2023, this category has the most GDPR fines issued, with the cumulative sum being EUR 430,710,917.
Here is a breakdown of the GDPR fines by sum and type of violation, as they stand in February 2023:
|Type of Violation||Number of Fines||Total Sum of Fines, EUR|
|Insufficient legal basis for data processing||503||430,710,917|
|Non-compliance with general data processing principles||380||1,658,265,759|
|Insufficient technical and organizational measures to ensure information security||282||375,650,869|
|Insufficient fulfillment of data subjects rights||150||51,861,370|
|Insufficient fulfillment of information obligations||150||237,209,440|
|Insufficient cooperation with supervisory authority||66||374,529|
|Insufficient fulfillment of data breach notification obligations||27||1,507,161|
|Insufficient involvement of a data protection officer||13||875,600|
|Insufficient data processing agreement||11||1,057,110|
5. The highest GDPR fine issued in February 2023 came from Norway.
The Norwegian data protection authority issued a GDPR fine of EUR 900k to Sats ASA in February 2023. The breach was insufficient fulfillment of a data subject’s rights.
6. The cumulative fines issued in 2021-2023 are EUR 2,516,137,068.
That sum covers fines issued between January 2021 and February 2023.
The highest figures come from the month of July 2021, with the fines amounting to EUR 755,084,200.
7. The total value of 2022 GDPR fines was 50% more than that of 2021.
The aggregate amount of GDPR fines in 2022 was EUR 1.64 billion – an increase from EUR 1.09 billion in 2021.
8. Eleven EU countries issued a GDPR fine of over EUR 1 million in 2022-2023.
These countries are Ireland, France, Greece, Italy, Spain, the UK, Austria, Portugal, the Netherlands, Germany, and Denmark.
9. In 2021-2022, nine entities received a GDPR fine for insufficient involvement of a data protection officer.
These entities received fines from data protection authorities of Germany, Belgium, Luxembourg, and Spain. The highest fine for this GDPR violation was EUR 525k, which was issued by the German authorities to a subsidiary of a Berlin-based ecommerce group.
Here is a table outlining the countries where such violations occurred and the aggregate sums of applicable fines.
|Country||Number of Fines in the Category||Aggregate Sum of Fines, EUR|
11. Insufficient data processing agreements led to eight GDPR fines across the EU in 2021-2022.
These fines were issued by Romania, Poland, Italy, Germany, and Spain.
The largest fine was EUR 900k and was imposed in September 2021 by a German data protection authority on Vattenfall Europe Sales GmbH.
12. Between 2021-2023, there have been 1,098 GDPR fines issued in total.
Here is a table of countries and the number of GDPR fines they issued in 2021-2023:
|Country||Number of GDPR Fines||Highest Fine Issued, EUR|
|The Netherlands||10||3.7 million|
|UK (including Isle of Man)||9||9 million|
GDPR Statistics & Facts by Region
UK GDPR Fines Statistics
13. The UK issued 8 GDPR fines in 2021-2022.
The highest GDPR fine issued by the UK’s data protection authority in that period was EUR 9 million. It was issued to the American company Clearview AI in May 2022 for non-compliance with general data processing principles.
14. As of February 2023, the UK issued 12 GDPR fines.
Six of those fines were over EUR 1 million. Two were over EUR 20 million and issued to British Airways and Marriott International in 2020.
15. The total of UK GDPR fines in 2021-2022 was EUR 16.4 million.
These fines include the 2022 EUR 9 million fine to Clearview AI, the EUR 5 million fine to Interserve Group Limited, and the EUR 585k fine issued to the Cabinet Office in 2021. These figures do not include fines issued in the Isle of Man.
The fine was issued in July 2022 to Manx Care Ltd. The basis for the fine was non-compliance with general data processing principles.
17. In 2022, the UK ICO issued 33 UK GDPR reprimands.
Following the post-Brexit implementation of the GDPR in the UK, the country’s Information Commissioner’s Office issued reprimands for personal data breaches.
The reprimanded organizations included Grindr LLC and Jackson Quinn Solicitors from the private sector and several ministries and hospital trusts from the public sector.
18. In 2022, the UK issued the largest GDPR fine to a law firm in the EU.
The fine was issued to a criminal defense law firm Tuckers Solicitors LLP and amounted to EUR 115k. The cause of the fine was a ransomware attack resulting in a personal data breach.
Other fines issued to law firms include a EUR 9.6k one issued in Poland to Pionier law firm and EUR 67.2k in Denmark to Sirius law firm, both issued in 2022.
Spain GDPR Fines Statistics
19. As of February 2023, Spain has issued more GDPR fines than any other country.
That amounts to 594 fines, totaling EUR 57,833,010. Italy is in second place, with 246 GDPR fines issued for a total sum of EUR 57,833,010.
20. In 2022-2023, Spain issued 241 GDPR fines.
The biggest GDPR fine in Spain was handed to Google LLC in May 2022 for the insufficient legal basis for data processing. It amounted to EUR 10 million.
Here is a table specifying other high fines issued by Spain in 2022-2023:
|Month & Year||Fine Sum, EUR||Fine Recipient||GDPR Violation|
|February 2022||3.94 million||Vodafone España, S.A.U.||Non-compliance with general data processing principles|
|February 2022||2 million||Amazon Road Transport Spain S.L.||Insufficient legal basis for data processing|
|February 2022||900k||TELEFÓNICA MÓVILES ESPAÑA, S.A.U.||Non-compliance with general data processing principles|
|October 2022||525k||TECHPUMP SOLUTIONS S.L.||Non-compliance with general data processing principles|
|January 2023||56k||Vodafone España, S.A.U.||Insufficient legal basis for data processing|
21. Spain’s February 2023 GDPR fines amount to EUR 37,180.
The highest of these fines was EUR 15k, issued on February 28, 2023.
It was issued to GRUPO NORCONSULTING, S.L., for insufficient fulfillment of a data subject’s rights.
22. Spain issued the smallest GDPR fine in 2022.
The fine issued to a private individual in December 2022 for installing a video surveillance system in a building where they rented a flat amounted to EUR 120.
It was the EU’s smallest GDPR fine in 2022.
As of February 2023, the country issued 22 GDPR fines under that category.
The last one was in January 2023 for EUR 1,000 and was issued to EDITORIAL RIBADEO S.L.
24. In 2021-2023, Spain issued more GDPR fines to private individuals than any other EU country.
In total, Spain issued 74 GDPR fines to private citizens during that period.
The two largest fines amounted to EUR 10k and were issued in June and September 2022.
Germany GDPR Fines Statistics
25. Germany issued 63 GDPR fines in 2021-2023.
The highest fine issued during that period was to IT e-commerce retailer notebooksbilliger.de for the insufficient legal basis for data processing.
The fine amounted to EUR 10.4 million and was issued in January 2021.
26. In 2022, Germany issued 3 GDPR fines to real estate players.
These fines were issued to a property developer (EUR 50k), a surveyor (EUR 5k), and a housing association (EUR 1.9 million). All of them were related to the insufficient legal basis for data processing.
Italy GDPR Fines Statistics
27. In 2023, Italy issued one GDPR fine of EUR 2.5k.
The fine was issued in January 2023 to Azienda Sanitaria Locale di Brindisi.
The legal basis for the fine was insufficient fulfillment of the data subject’s rights.
28. Italy issued 122 GDPR fines in 2022.
The highest fine that year issued by Italy was EUR 20 million.
It was issued to Clearview AI in February 2022 for non-compliance with general data processing principles.
This table specifies the highest GDPR fines issued by Italy in 2021-2022:
|Month & Year||Fine Sum, EUR||Fine Recipient||GDPR Violation|
|February 2022||20 million||Clearview AI||Non-compliance with general data processing principles|
|December 2022||4.9 million||Edison Energia S.p.A.||Non-compliance with general data processing principles|
|March 2021||4.5 million||Fastweb S.p.A.||Non-compliance with general data processing principles|
|September 2021||3.3 million||Sky Italia S.r.l||Insufficient legal basis for data processing|
|May 2021||2.86 million||Iren Mercato S.p.A.||Insufficient legal basis for data processing|
|June 2021||2.6 million||Foodinho S.r.l.||Non-compliance with general data processing principles|
29. In 2021-2022, 77 GDPR fines were issued in Italy for the insufficient legal basis for data processing.
The largest fine was EUR 3.3 million. It was issued in September 2021 to Sky Italia S.r.l. for illegal telemarketing.
Eastern Europe GDPR Fines Statistics
30. Romania is in third place for the number of GDPR fines issued.
As of February 2023, Romania issued 124 GDPR fines overall and is behind Spain and Italy in that regard. The total sum of Romanian GDPR fines is EUR 705,550.
31. Romania issued eight GDPR fines in 2023.
The highest fine amounted to EUR 5,000 and was issued in February 2023.
The recipient was Medijobs Platform SRL, and the cause was insufficient technical and organizational measures to ensure information security.
32. In 2022, Poland issued 13 GDPR fines.
The highest fine issued by the Polish data protection authority was issued in January 2022. It amounted to EUR 1 million and was received by the Polish company Fortum Marketing and Sales Polska SA for insufficient technical and organizational measures to ensure information security.
33. In 2021-2023, Lithuania issued 6 GDPR fines.
Here is a breakdown of the GDPR fines issued by Lithuania in 2021-2023:
|Month & Year||Fine Sum, EUR||Fine Recipient||GDPR Violation|
|January 2023||6k||Praktiškas UAB||Insufficient legal basis for data processing|
|November 2021||110k||UAB Prime Leasing||Insufficient technical and organizational measures to ensure information security|
|June 2021||20k||UAB VS FITNESS||Non-compliance with general data processing principles|
|March 2021||15k||Registrų Centras||Insufficient technical and organizational measures to ensure information security|
|February 2021||12k||Nacionaliniam visuomenės sveikatos centrui (NVSC)||Non-compliance with general data processing principles|
|February 2021||3k||IT sprendimai sėkm||Non-compliance with general data processing principles|
34. Latvia, Bulgaria, and Czechia each issued a single GDPR fine in 2021.
Latvia and Czechia fined their organizations for the insufficient legal basis for data processing, and Bulgaria for non-compliance with general data processing principles.
The Czech data protection authority fined an unknown entity EUR 118.5 k, and the Latvian authority fined Lursoft IT SA EUR 65k. The Bulgarian authority fined a bank EUR 380.
35. Croatia issued 14 GDPR fines in 2022.
The highest GDPR fine issued in Croatia that year was EUR 285,000.
A telecommunication company received that fine for insufficient technical and organizational measures to ensure data security.
36. The highest GDPR fine issued by Hungary was EUR 634k.
The fine was issued in February 2022 to Budapest Bank Zrt. The grounds for the fine were insufficient legal basis for data processing.
GDPR Enforcement Outside EU Statistics & Facts
37. Most non-EU companies that received GDPR fines in 2021-2023 were American.
These companies included Meta Platforms Inc., Google LLC, Clearview AI Inc., and Discord Inc., among others.
38. US-based Google LLC received EUR 100 million in GDPR fines in 2021-2022.
This figure is the sum of two fines issued by Spain in 2022 (EUR 10 million) and France in 2021 (EUR 90 million). Both fines were issued for the insufficient legal basis for data processing.
GDPR Fines Statistics & Facts by Industry
39. The industry and commerce sector received the most GDPR fines.
As of February 2023, the industry and commerce sector received 362 GDPR fines, totaling EUR 857,190,981. The media and telecoms sector is in second place, with 216 fines amounting to EUR 1,694,160,741.
40. Members of the Vodafone group received 41 GDPR fines in 2021-2023 from Spain and Italy.
The highest fines were issued in Spain to Vodafone España, S.A.U. in March 2021.
It amounted to EUR 8.15 million and was issued after 191 complaints against the company about advertising messages.
Here is the table illustrating the breakdown of GDPR fines issued by all the EU countries in the public sector and education in 2021-2022:
|Country||Number of Fines||Examples of Fined Entities||Aggregate Amount, EUR|
|The Netherlands||4||Dutch Tax and Customs Administration, Dutch Foreign Ministry||7.6 million|
|The United Kingdom||1||Cabinet Office||585k|
|Spain||8||PODEMOS Political party, Master Distancia S.A., Certime S.A.||53.4k|
|Romania||1||Natural person holding the position of General Secretary for a political party in Bucharest||500|
|Portugal||3||Portuguese National Statistical Institute, Lisbon City Council||5.73 million|
|Poland||8||Mayor of Dobrzyniewo Duże municipality, Foundation for the promotion of mediation and legal education, National School of Justice and Prosecution||61.7k|
|Norway||3||Norwegian Parliament, Lillestrøm Municipality||239.5k|
|Lithuania||2||Registrų Centras, Lithuanian National Health Service||27k|
|Italy||40||City of Rome, Veneto region, Italian Ministry of Defense||2.59 million|
|Ireland||2||Limerick City and County Council, Irish Teaching Council||170k|
|Iceland||2||City of Reykjavík, Icelandic Ministry of Industry and Innovation||87k|
|Greece||5||Greek Ministry of Tourism, Candidate for parliamentary elections||96k|
|Denmark||9||Hørsholm municipality, Lolland municipality, Syddanmark Region||218.4k|
|Cyprus||5||English School in Cyprus, Cypriot Ministry of Defense, Oroklini Municipal Council||26k|
Two of these fines came from Sweden.
Here is a table with more information:
|Finland||A Medical Clinic||5k||Insufficient fulfillment of information obligations|
|Denmark||Danish National Genome Center||6.7k||Insufficient technical and organizational measures to ensure information security|
|Sweden||Uppsala hospital board||152k||Insufficient technical and organizational measures to ensure information security|
|Sweden||Uppsala regional board||28.5k||Insufficient technical and organizational measures to ensure information security|
43. There were ten GDPR fines issued to healthcare providers in 2022-2023.
Two such fines were issued in 2023 by Ireland (EUR 460k) and Sweden (EUR 17.9k). The rest of the fines were issued in 2022 by Spain and Italy.
44. Meta was fined over EUR 1 billion in GDPR penalties in 2022-2023.
The tech companies Meta Platforms Inc. and Meta Platforms Ireland Limited received four fines in total in that period, the highest being EUR 405 million.
All of them came from the Irish data protection authority.
Meta’s fines amounted to 80% of all GDPR fines in 2022.
45. Social media & messenger apps received over EUR 1.3 billion in GDPR fines in 2021-2023.
Here is a breakdown of fines incurred by social media and messenger apps, including Meta’s fines:
|Ireland||January 2023||5.5 million||Insufficient legal basis for data processing|
|Ireland||January 2023||390 million||Facebook, Instagram||Non-compliance with general data processing principles|
|Ireland||November 2022||265 million||Facebook, Facebook Messenger||Insufficient technical and organizational measures to ensure information security|
|France||November 2022||800k||Discord||Non-compliance with general data processing principles|
|Italy||October 2022||2 million||Clubhouse||Non-compliance with general data processing principles|
|Ireland||September 2022||405 million||Non-compliance with general data processing principles|
|Norway||December 2021||6.3 million||Grindr||Insufficient legal basis for data processing|
|Ireland||September 2021||225 million||Insufficient fulfilment of information obligations|
|The Netherlands||April 2021||750k||TikTok||Insufficient fulfilment of information obligations|
46. Amazon received three GDPR fines in 2021-2022.
These fines came from Italy, Spain, and Luxembourg, each country issuing a fine to the respective Amazon subsidiary on their territory. The total amount of fines was EUR 748.02 million.
47. Clearview AI Inc. received four GDPR fines in 2022.
The American company was fined by the British, French, Greek, and Italian data protection authorities. In total, the fines amounted to EUR 69 million, with France, Greece, and Italy each issuing a EUR 20 million fine and the UK issuing a EUR 9 million one.
GDPR Compliance Solutions Market Statistics & Facts
48. The GDPR compliance services market is predicted to reach $3.9 billion by 2026.
In 2022, the market was worth $2 billion. It is expected to grow at a compound annual growth rate of 18.2%. The solutions segment of the market is expected to reach $2.6 billion by 2026.
49. GDPR startup DataGuard raised $61 million in 2022.
The German data privacy SaaS startup raised the money in a Series B round in September 2022. It provides solutions for compliance with GDPR and other data privacy regulations.
50. T-Systems & AWS launched a joint GDPR compliance venture in 2022.
The new cloud-based Data Protection as Managed Service offering will enable compliance with GDPR and Shrems II requirements.
Are Some Countries More Strict With GDPR Fines Than Others?
Since Spain and Italy have issued over 200 GDPR fines each in the last three years, they seem more zealous with applying GDPR fines than other countries, such as Iceland or Portugal.
However, some industries, such as technology, are more vulnerable to GDPR fines than others, as seen from huge Meta fines.