Research - 25 July 2021 | By TermsHub

Updated at: 09 December 2021

The Biggest GDPR Fines: Which Companies Have Been Fined the Most?

Alongside the amazing opportunities brought by the Internet are looming threats against data privacy and security. Over the past decade, more than 4.1 billion records have been illegally leaked by multiple organizations. Data breaches have also become rampant and threaten the global economy. And the more pressing matter is that the statistics of unlawful data management have been showing a steady increase throughout the years.

The internet, for the longest time, has remained uncharted territory. But as the world continues to transition its economic and social activities online, lawmakers acknowledge the importance of data protection and privacy. The European Union (EU) is leading this movement with their General Data Protection Regulation (GDPR).

What Is GDPR?

GDPR was enforced on May 25, 2018, in response to a call for protection and safety in the ever-changing world of the internet. It is currently considered one of the strongest privacy and security laws established in the world. Other countries such as Brazil and Singapore are following the EU example and have adopted similar data protection laws.

GDPR is the product of four long years of discussion and dialogues between experts, lawmakers, and concerned parties. It strengthened, updated, and widened the scope of the 1995 Data Protection Directive that was deemed no longer suitable in modern times.

One of the goals of GDPR is to standardize the data privacy laws among the member countries of the EU. Cooperating countries are allowed to make amendments based on what they think is best for their constituents.

It is also in the interest of GDPR to provide individuals with more access and control over their personal data. At the same time, the law transforms the usual management, handling, and storage of data by businesses and organizations.

Moreover, the law is set forth on punishing corporations and organizations that are found guilty of infringement with a huge sum of fines and reputational damage. Since its enforcement, GDPR has amassed almost €300 million worth of fines allocated to fund national projects.

What are the tenets of GDPR?

The data protection of GDPR is governed by seven major principles:

1. Lawfulness, Fairness, and Transparency
   Under these principles, every organization is required by GDPR to implement a lawful means of collecting, processing, and storing data. To be considered lawful, the processing of the data must abide by any of the following legal grounds:
   – Consent
   – Contract
   – Legal obligation
   – Public task
   – Protection of vital interests
   – Legitimate interest
   
   As for fairness, GDPR demands businesses to use the collected data for reasonable purposes only. This principle also emphasizes that data collection must never employ deceit, manipulation, or misleading statements/procedures.
   
   Lastly, transparency requires corporations and organizations to disclose to their clients the purpose and procedures of data collection and management. They are also bound to ask consent before handling the data to another party.
2. Purpose Limitation
   Purpose limitation of GDPR mandates that every organization or business must clearly state the specific reason (s) or purpose (s) for collecting and processing data. An infringement can be filed against an organization that will collect data for a completely unrelated agenda.
    
3. Data Minimization
   This tenet of GDPR restricts the amount of data collected from individuals. Data minimization requires businesses and organizations to only collect the needed information that will help them achieve their purposes.
    
4. Accuracy
   GDPR recognizes the importance of accuracy in data protection, thus requiring organizations to regularly update the personal data they hold and store. Individuals are also given the right to request for changes, rectification, or deletion of incorrect personal data.
    
5. Storage Limitation
   Storage limitation aims to prevent businesses and organizations from keeping and storing your data for more than a reasonable amount of time. This entails a mandatory deletion of information that is no longer necessary for their purpose.
    
6. Integrity and Confidentiality
   These tenets are put in place to enforce and ensure data security. GDPR requires businesses and organizations to implement technical and organizational procedures to prevent any form of data breaches and malicious attacks.
    
7. Accountability
   Accountability is the newest principle included in GDPR that obliges organizations to substantiate their compliance to the first six principles through elaborate documentation of the strategies implemented by the organization.

For a more detailed discussion of the 7 key principles of GDPR check: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/

Who is covered by GDPR?

Essentially, anyone who lives in any member country of the EU and EEA is protected by GDPR. On the other hand, all organizations and corporations that collect, process, and store data of individuals living in the EU are mandated to comply with GDPR regardless of whether they are based in Europe or not.

What are the GDPR fines?

The lawmakers that authored GDPR made sure that any violation comes with a hefty price.

GDPR has two distinct levels of fines – lower tier and upper tier that are categorized based on the severity of the infringement. The less serious violations entail GDPR fines amounting up to €10M or 2% of the firm’s annual revenue from the previous year while more severe infringements could result in a €20M fine or 20 % of the firm’s annual revenue from the previous year. Whichever is the highest will be the GDPR fine charged to the non-compliant party.

How to compute GDPR fines?

The GDPR fine charged against a company or organization is seldom released to the public. But the data protection regulators explain that the computation takes into consideration 10 major criteria which are listed below:

1. Gravity, Nature, and Duration – review all the details of the violation including how it occurred, its effects on the subjects, the number of affected individuals, the severity of the damage, and for how long it took the company to solve the issue.
2. Intention – assess whether the violation is encouraged by pure negligence or malicious motive.
3. Mitigation – determines whether the company conducted mitigation plans to compensate the affected individuals.
4. Precautionary measures – evaluation of the technical and organizational readiness of the company against risks and threats of the data breach.
5. History – reviews any past GDPR infringement filed against the same company.
6. Cooperation – assess the level of participation of the company in the investigation and mitigation procedures of the government.
7. Data Category – determines the type of affected personal data.
8. Notification – reviews whether the concerned party has reported the infringement timely.
9. Certification – reviews documents that certify compliance or good conduct.
10. Aggravating/mitigating factors – investigates other factors including financial benefits that may have resulted from the violation.

Top 5 Biggest GDPR Fines

Since the enforcement of GDPR across Europe in 2018, the total amount of GDPR fines collected has risen to €292 M. The biggest fines were issued by France, Germany, Italy, and the UK against prominent companies – Google, H&M, TIM, British Airways, and Marriott International.

Rank 1: Google LLC (France)

The single lawsuit against Google LLC that resulted in €50M turnover remains the highest GDPR fine issued in the three-year run of the law.

This controversial case was led by two complaints from None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”) filed in May 2018.

The complaints pointed out that the tech company has been exploiting smartphone users by requiring them to agree to their terms to use the phone. Moreover, the plaintiffs also brought up the unlawful processing of personal data by Google to personalize ads.

After deliberation, the French Data Protection Authority (or CNIL) charged Google LLC in January 2019 for several violations of the GDPR. According to the CNIL ruling, the major infringement committed by the tech company was a lack of transparency. The investigations concluded that Google did not disclose to its subjects the fact that their data were being used for personalized ads. Their other violations include infringement of Articles 5, 6, and 13 of GDPR.

Google LLC appealed for reconsideration at France’s highest court. However, the court re-affirmed the previous ruling in 2020 due to a lack of substantial evidence proving the company’s compliance with GDPR.

Rank 2: H&M (Germany)

Hamburg’s State Data Protection Commissioner meted the popular clothing company, H&M the second-highest GDPR fine amounting to €35.3M in 2020 for excessive and unlawful surveillance of employees. Hamburg’s State Data Protection Commissioner meted the popular clothing company, H&M the second-highest GDPR fine amounting to €35.3M in 2020 for excessive and unlawful surveillance of employees.

The investigation of the Hamburg Data Protection authority revealed that H&M has been collecting, storing, and using the personal data of their employees since 2014. The more alarming violations committed by the company included the recording of conversations, details of personal life, medical diagnoses, political stands, religion, and experience obtained through unlawful and unconsented means.

These data records were entered into the company’s “HR system” that was accessible to 50 managers. The HR and the management used the personal data of the subjects to make decisions regarding the status of their employment.

The HR system encountered a security glitch in 2019 that gave ALL H&M employees access to the information in the system. This occurrence alerted the commissioner who immediately ordered an investigation.

According to the ruling of the German court, the clothing company violated both GDPR laws (Article 5 and 6) and the civil rights of their employees. On top of the heavy fine, H&M issued a formal apology and financial compensation to all of their affected employees.

Rank 3: TIM – Telecom Italia (Italy)

Telecom Italia was hit with a huge GDPR fine amounting to €27.8M by Italy’s Data Protection Authority in January 2020. This makes the company 3rd in ranking of highest GDPR fines issued since its 2018 enforcement.

Italian DPA said that the number and severity of the GDPR violations committed by the company were significantly alarming. According to the ruling, the company infringed Articles 5, 6, 17, 21, and 32 that pertain to the lawfulness of data processing, consent, valid data retention, data security, accuracy, and right to object.

The main argument raised against the company was the millions of calls it made to non-customers as part of its rather aggressive marketing. According to investigations, during 2017-2019 TIM commissioned several call center companies that contacted subjects without any form of consent. One person revealed that he received a total of 155 promotional calls from the telecom in just a month.

The company not only chose to neglect the accuracy of their database and consent lists, but DPA also noted the intentional ambiguity in the consent forms used by TIM.

On top of these major violations was the data retention of TIM that exceeded the 10-year limit mandated by law. They also enabled customer support staff to access the subjects’ information without consent, infringing the data security clause of GDPR.

Lastly, DPA revealed that Tim refused multiple times to remedy the imminent issues in the data processing of the company that further prove their intentional neglect and malicious motive.

Rank 4: British Airways (UK)

The fourth on the list of highest GDPR fines is worth £20M (around €22M) issued to British Airways by the United Kingdom’s Information Commissioner Office (ICO).

The fine was imposed on the airline due to a cyberattack that occurred in 2018. The incident resulted in the leakage of a substantial amount of personal data of customers involving banking details, customer names, addresses, and other information entered when booking.

It took two whole months before British Airways discovered the anomaly which they immediately reported to ICO.

According to the investigations, the hackers successfully penetrated and remodeled the BA system so that the customer’s data was transmitted to their system in real-time. ICO found British Airways guilty of GDPR violation because of insufficient safety measures placed in the system as well the delayed detection.

The attack affected 400,000 individuals that greatly influenced the ICO decision. Originally, this should have been the largest GDPR fine amounting to €183M. However, due to the Covid-19 pandemic, ICO decided to give the company some leverage and lowered it to €22M since airlines took a serious beating on revenue.

Rank 5: Marriott International (UK)

One of the most luxurious and largest hotel chains in the world, Marriott International faced a huge GDPR fine amounting to £18.4M (around €20.4M) in 2020 due to a cyber attack that compromised approximately 339 million guests records.

The reported incident occurred in 2014 when the hotel was still under Starwood Hotels and Resorts Worldwide Inc. and the anomaly was detected only in 2018. Unfortunately, by this time, Marriott had already formalized their acquisition deal with Starwood hotel group. Although Marriott Inc. reported the data breach, the ICO still decided to fine the company.

In 2019, ICO explained that after deliberations, they found Marriott Inc guilty of GDPR violation because they failed to implement adequate and effective security measures after acquisition.