12 of the most notorious fines for GDPR violations

Екатерина В, July 20, 2020

Most GDPR sanctions arise because people treat privacy as a formal checkbox, a link to the Privacy Notice at the bottom of the site, rather than as a practical measure. As a result, company employees often simply do not receive information on how to handle personal data.

Below are examples of fines imposed by supervisory authorities in different EU countries that unequivocally answer these questions.



Right of access – Iberia Lae SA Operadora Unipersonal – 40,000 euros

On August 12, 2017, the applicant exercised the right of access to their personal data held by Iberia (the Spanish carrier). Specifically, the data subject requested access to four phone records from August 8, 9, and 11, 2017. The company responded that it “could not provide access to the data, except upon a court order.” The data subject filed a complaint with the Spanish supervisory authority, which found that both the data subject’s right and the procedure for cooperating with the supervisory authority under Article 58 of the GDPR had been violated. As a result, the air carrier was fined 40,000 euros and accepted the sanction.


Retention period and security measures – Digi Távközlési Szolgáltató Kft. – 288,000 euros

A Hungarian e-communications service provider came to the attention of the supervisory authority under a number of GDPR articles at once. The company created a database to address an information security incident, but did not delete it once the incident was resolved. Users’ personal data remained on systems in use without a purpose or legal basis for the processing. In addition, the company did not apply appropriate technical and organizational data security measures: personal data was not encrypted, and the databases could be accessed through a vulnerability via the public website digi.hu. The supervisory authority imposed a fine of HUF 100,000,000, which at the time the breach was detected was the equivalent of EUR 288,000.

Information security – Telenor Norge AS – 134,000 euros

The Norwegian supervisory authority opened a case based on information that the telecommunications company Telenor had found a security breach in its voicemail function. For several years, it had been possible to hack into voicemail using “spoofing services” and eavesdrop on the messages of approximately 1.3 million mobile subscribers in Norway. Earlier, the National Communications Authority had decided to impose a fee of NOK 1.5 million, the equivalent of 134,000 euros, for violating the Electronic Communications Act under the same circumstances. To prevent the company from being penalized twice for the same violation, the supervisory authority issued a reprimand.


Biometrics – Unknown entity – 725,000 euros

The organization required its employees to scan their fingerprints to record attendance. However, as the Dutch data protection regulator stated in its decision, the organization could not rely on exemptions from processing this special category of personal data, and the company could not provide any evidence that the employees had given their consent to this data processing.


Retention period and privacy by design – Deutsche Wohnen SE – 14,500,000 euros

During inspections in June 2017 and March 2019, the Berlin supervisory authority found that the company used an archiving system to store tenants’ personal data, and that the system offered no option to delete data that was no longer needed. Tenants’ personal data had been stored without their consent to the storage, in some cases for several years, and could therefore be accessed without serving the original purpose. The data included tenants’ personal and financial information, such as wage statements, employment and training contract statements, tax, social security and health insurance information, and bank statements. Even after the data protection commissioner in Berlin issued an urgent recommendation to change the archiving system, the company failed to clear its database.


Limitation of access – Sapienza Università di Roma – 30,000 euros

The university notified the Italian supervisory authority that it had revealed the identities of two people who reported possible illegal behavior at the university. The violation was due to the lack of adequate technical access control measures in the management system, which did not restrict access to such data to authorized personnel only. The university was fined €30,000.


Privacy by Design – UniCredit Bank SA – 130,000 euros

A fine of 130,000 euros was handed down for a Privacy by Design violation that led to the disclosure of online identifiers and transactions of 337,042 data subjects. The online banking system was designed so that the recipient of a payment was unnecessarily shown the address and passport details of the payer. The Romanian supervisory authority emphasizes that when developing and designing applications, services and products that are based on the processing of personal data, companies should promote the right to the protection of personal data.

Information security – 1&1 Telecom GmbH – 9,550,000 euros

In the case of 1&1 Telecom GmbH, the German supervisory authority became aware that people who called the company’s customer service line could obtain extensive information about another customer’s personal data simply by providing that customer’s name and date of birth. The supervisory authority regarded this as a violation of Article 32 of the GDPR, which requires the company to take appropriate technical and organizational measures to systematically protect the processing of personal data. The company cooperated with the authority and revised its authentication procedure, which has been significantly improved in terms of technology and data protection, but despite these measures, it was decided to impose a fine.



Transparency obligations and lack of appropriate legal bases – Google Inc – 50,000,000 euros

The French supervisory authority found two types of GDPR violations: violation of transparency obligations (information provided by Google was not easily accessible to users, some information was not always clear and complete) and incorrect legal basis for processing for personalized advertising. Google stated that it obtained user consent to process data for personalized advertising purposes. However, user consent was insufficiently informed and neither “specific” nor “unambiguous”.

Top 3 of the highest fines under GDPR

The Luxembourg Data Protection Authority (CNPD) fined Amazon a record €746 million as a result of a 19-page complaint from French privacy protection group La Quadrature du Net in 2018. The complaint, on behalf of more than 10,000 consumers, stated that Amazon manipulated customers for commercial purposes by choosing what advertising and information they receive. Amazon officials stated, “Ensuring the security of our customers’ information and their trust is a top priority. There has been no security breach and no customer data has been shared with third parties. These facts are indisputable. We strongly disagree with the CNPD’s decision and intend to appeal.”

British Airways – 204,600,000 euros

The fine relates to an incident reported by British Airways to the supervisory authority in September 2018. The incident involved, in part, the redirection of user traffic from the British Airways website to a fraudulent site through which fraudsters collected customer data. The personal information of approximately 500,000 customers was compromised in this incident. An investigation by the regulator found that the company’s poor security arrangements led to the compromise of a variety of information, including login, payment card, and travel reservation information, as well as name and address information. British Airways cooperated with the investigation and improved its security measures. Information Commissioner Elizabeth Denham: “People’s personal information is personal for what it is. When an organization can’t protect it from loss, damage, or theft, it’s more than a mere inconvenience. That’s why the law says unequivocally – when you’re entrusted with personal information, you have to take care of it. Those who do not, however, will be subject to inspection by my office as to the appropriate measures to protect basic privacy rights.”

Marriott International, Inc

The fine relates to an incident reported by Marriott to the supervisory authority in November 2018. The incident exposed various personal data contained in approximately 339 million guest records worldwide, about 30 million of which relate to residents of 31 countries in the European Economic Area (EEA), of which seven million relate to residents of the United Kingdom. Information Commissioner Elizabeth Denham: “The GDPR makes it clear that organizations must be accountable for the personal data they store. It can include conducting due diligence on corporate acquisitions and implementing appropriate accountability measures to control not only what personal data has been collected, but also how it is protected”.