Since its implementation in May 2018, GDPR has already been put to work if the number of enforcement actions taken by various EU data protection agencies is anything to go by.
In this article, I outline the major GDPR fines that have been enforced so far. However, I will not cover the light penalties in the region of thousands of Euros that do not even make regional news.
[Chart: major fines applied so far, total amount of penalties in Euros]
It is important to note that these figures are according to the latest update, which was on August 5, 2019.
In a bizarre turn of events, Marriott discovered that a central reservation database belonging to Starwood, the main competitor which it had acquired earlier, had been hacked. The breach comprised 5 million encrypted passcodes and 8 million credit card records, and the intrusion was found to have been ongoing from 2014 to 2018. Up to 30 million EU residents were affected.
This fine was enforced as a result of this Dutch hospital having slack controls over logging and access to patient information. For example, there was a case where 197 employees managed to access the medical records of a certain Dutch celebrity.
This fine came after a malicious third party hacked the airline’s webpage and extracted 500,000 consumer records.
The British data protection body claimed that BA's website was breached due to lax cybersecurity structures. This penalty represents the biggest fine enforced as a result of GDPR so far.
The Spanish football league was accused of using its smartphone application to eavesdrop on users in order to detect piracy. Essentially, the football body turned on user microphones to listen for the sound of a football match and, using geolocation, matched it to any pirated stream.
After obtaining this information, La Liga utilized it to open cases against 600 restaurants for pirating soccer matches.
Reports indicate that this real estate firm had lax restrictions on access to other people's data. All you needed to do was change the URL, and you could access another person's ID cards, tax notices, and other crucial documents. The absence of any check that the requesting user was authorized to view the document attracted the penalty.
This firm mistakenly exposed, for two days, a website containing customer payment records and details, including personal data. The subsequent investigation revealed that the organization gathered too much data and held it for too long.
Another factor that attracted the fine was the fact that the firm had only a single individual in charge of its IT infrastructure.
A Polish data processor faced enforcement action after it scraped the internet for public contact details and carried out business outreach to over 90,000 individuals, 12,000 of whom objected to the use of their information.
This fine was enforced after a random audit revealed that this Danish taxi firm held over 9 million personal records that it had no need for. It was therefore fined for failing to delete this unused data.
The French data regulation body penalized the tech giant for lacking transparency and permission in ad personalization, as well as having a pre-checked option to personalize advertisements.
The French CNIL fined Facebook 60 million EUR for failing to let users withdraw previously given consent as easily as they had given it. For the same reasons, the CNIL fined Google 150 million EUR.
In 2022, 81% of French companies were still not compliant with GDPR.
Employees at this facility used bogus accounts to access patient data.
The German social media and chat platform notified the authorities about a data breach. However, following its investigation, the local data protection body established that the platform had been storing user passwords in plaintext, without any encryption. The fine was therefore enforced for unlawful data storage practices rather than for the breach itself.
Update: Germany's 1&1 Telecom was fined $10.6 million for a GDPR violation.
A local enterprise operated a CCTV camera that captured footage of too much public space.
As a business owner or Chief Executive Officer, the last thing you want is to be fined for failing to comply with this regulation, as the companies highlighted above found out the hard way. Secure Privacy offers software solutions that can help make your company and website GDPR compliant. Request a demo or try these solutions for free to avoid being penalized for violating GDPR requirements.
Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to do to become GDPR compliant.