GDPR penalties and fines: An introduction

Imagine a world where companies could collect and use your personal data without any restrictions. Scary, right? The General Data Protection Regulation (GDPR) was designed to prevent such a nightmare from becoming a reality for EU/EEA citizens. 

But all rules occasionally get broken. In the case of GDPR, that can mean hefty fines.

In this article, we’ll take a closer look at some of the common areas where companies fail to comply with GDPR, as well as some of the biggest GDPR fines of 2023, the reasons behind them, and the critical lessons everyone can learn from these cases to ensure data protection compliance.

The big bullet point? You don’t want to play fast and loose with GDPR!

Short Summary

  • Transparency, consent management & data security measures are essential to avoid hefty fines & keep customers’ data safe.
  • This article covers the biggest GDPR fines of 2023 and their lessons for companies.
  • Companies must prioritize these steps to build customer trust and stay in line with privacy regulations.

Understanding GDPR fines

GDPR takes a territorial approach, focusing on the processing of personal data of individuals within the covered regions rather than the location of the company. This broadens the scope of GDPR compliance to include organizations outside the EU/EEA that interact with individuals within those regions.

This means that your business may be located in the U.S. or Canada, but if it offers goods or services to individuals in the EU/EEA or monitors their behavior, it may be subject to GDPR’s requirements.

Because of this, GDPR fines have become a significant concern for businesses worldwide since the regulation took effect in 2018. The main purpose of these fines is to ensure that companies handle personal data responsibly and in accordance with the law. However, the fines’ severity varies based on the infringement’s nature, gravity, and duration.


Two tiers of GDPR fines

The GDPR establishes two tiers of fines, depending on the severity of the violation. 

Tier 1 penalties

Tier 1 penalties can reach up to €10 million (roughly USD$10.9M) or 2% of the company’s total annual revenue, whichever is greater.

Tier 2 penalties

Tier 2 penalties, reserved for more serious violations, can go as high as €20 million or 4% of the company’s total annual revenue, whichever is greater. These fines are imposed by data protection authorities within the EU to hold companies accountable for data protection violations, such as illegal data processing or failing to protect data subjects’ rights.

Criteria for determining fines

When determining GDPR fines, several factors are considered, including:

  • The type, severity, and duration of the violation
  • The number of people affected, and 
  • The level of cooperation with the supervisory authority. 

For instance, Google Ireland was fined €90 million by the French Data Protection Authority for not making it easy to refuse cookies.

Another example is WhatsApp, which was fined €225 million for not providing users with sufficient information about their data usage and not having clear privacy policies. The diversity of these cases highlights the importance of understanding and adhering to the many aspects of GDPR compliance.

Liability for third-party infringements

It’s not just your own company you need to keep an eye on: Companies can be held liable for GDPR violations committed by third parties if they fail to take appropriate measures to ensure compliance. 

This means that companies must thoroughly review any third-party services they use to ensure that they have a good security history.

For example, H&M was fined €35.3 million for unlawfully collecting and storing employee information, which was discovered after a technical error exposed the data on the company’s network drive. Another example is TIM, which was fined €27.8 million for using and storing customer data without authorization.

These cases show that companies must be diligent in their GDPR compliance efforts, even when working with third parties.

What are the consequences of not complying with GDPR?

GDPR is a complex set of regulations, but it’s essential to ensure your business is compliant. Taking the time to understand the rules and regulations can save you from hefty fines and potential reputational damage.

Not complying with GDPR can have serious financial consequences, ranging from a warning and reprimand to fines of up to €20 million or 4% of the business’s total annual worldwide turnover.

Moreover, under Article 83(4) GDPR, there is potential for fines of up to 10 million euros, or 2% of a company’s global turnover. Businesses must take compliance seriously to avoid severe penalties.

What constitutes a GDPR violation?

There are two levels of GDPR violations: 

  1. Lower level violations: Could result in an administrative fine of up to €10 million, or 2% of the annual global turnover of the company of the preceding financial year, whichever is higher.
  2. Severe violations: Could result in an administrative fine of up to €20 million, or 4% of the annual global turnover of the company of the preceding financial year, whichever is higher.

Some examples of lower-level GDPR violations

  • Failing to adhere to basic privacy protocols regarding cookies
  • Sharing user data with third parties without the user’s consent
  • Concealing the involvement of third parties in the Privacy Policy
  • Failing to maintain records of personal information obtained from users
  • Neglecting to report a personal data breach to the supervisory authority within 72 hours of awareness
  • Failing to conduct a data protection impact assessment, thereby exposing users to potential data misuse
  • Not designating a responsible person to ensure compliance with GDPR rules and regulations
  • Collecting information from a data subject under the age of 16 without parental consent
  • Storing, collecting, or processing additional user information for identification purposes when it’s no longer necessary

Some examples of severe GDPR violations

  • Processing personal data without informing or obtaining the user’s consent
  • Sharing a user’s sensitive personal data without their consent
  • Failing to inform the user about the option to opt out of cookies
  • Illegally processing customer data in an illegitimate, fraudulent, or corrupt manner
  • Providing a Privacy Policy that is difficult to read or lacks clarity
  • Refusing to provide the user with a copy of their personal data
  • Denying the user the right to edit, update, delete, transfer, or review their personal data
  • Transferring a user’s personal data outside the country without following proper protocols

Cautionary tales: The top GDPR penalties of 2023

At first glance, you may think these fines have nothing to do with you and your business. But these bigger fines will give you a sense of where even companies with huge resources can slip up when it comes to GDPR. They serve as a cautionary tale for businesses of all sizes. Each of these cases offers valuable lessons on the importance of transparency, proper consent management, and ensuring data security measures.

1. Meta’s record-breaking fine

Meta’s colossal €1.2 billion fine was imposed for transferring data collected from Facebook users in the EU/EEA to the US without proper consent, violating GDPR international transfer regulations. The fine followed the Schrems II decision, which invalidated the EU-US Privacy Shield Framework, further highlighting the importance of complying with GDPR rules on international data transfers.

The massive fine had a considerable impact on Meta and served as a warning for other companies to ensure they have the proper legal basis for processing personal data and international data transfers.

2. Amazon’s massive penalty

Amazon faced a staggering €746 million fine for tracking user data without obtaining proper consent. The fine was issued by the National Commission for Data Protection (NCDP), which determined that Amazon’s negative certificates were personal data, and the company had no legal grounds to demand them.

The consent obtained was not properly informed and not given willingly, resulting in a significant GDPR fine. This case emphasizes the importance of obtaining valid consent before processing personal data and the potential consequences of failing to do so.

3. WhatsApp’s transparency violation

WhatsApp’s €225 million fine was the result of unclear privacy policies and a lack of transparency in data usage. The investigation took three years, and the fine was one of the largest issued for GDPR violations.

The case underscores the importance of providing transparent information about data usage and having clear privacy policies in line with GDPR requirements. Companies must ensure that their customers understand how their data is being collected and processed and that they can easily access this information.

Google Ireland faced a €90 million fine for failing to provide an easy way for users to refuse cookies. The French Data Protection Authority (CNIL) determined that Google’s disclosures were not easy to find, and the information was spread out over multiple documents.

The fine highlights the importance of making it easy for users to manage their privacy settings and provide informed consent when it comes to data collection. Companies must ensure that their users can easily understand and manage their data privacy settings to avoid hefty GDPR fines.

5. H&M’s employee data scandal

Fashion retailer H&M was fined €35.3 million for unlawfully collecting and storing employee information. The company had collected more information than necessary for each employee, and the data was accessible to more staff than required.

After a technical error on H&M’s network drive, the data became available to everyone in the company for a few hours, leading to a significant GDPR fine. The case highlights the importance of ensuring that companies collect and store employee data responsibly and in line with GDPR requirements.

6. TIM’s unauthorized data use

Italian telecommunications company TIM faced a €27.8 million fine for unauthorized use and improper storage of customer data. The company contacted millions of people without their permission, collecting personal information such as names, addresses, and phone numbers.

The GDPR fine served as a reminder that unauthorized use and improper storage of customer data are not acceptable and that companies must take appropriate measures to protect their customers’ personal data.

7. Enel Energia’s telemarketing misconduct

Enel Energia, an Italian energy company, was fined €26.5 million for using personal data for telemarketing without obtaining consent or informing customers. The company’s actions violated GDPR’s requirement for transparency and proper consent management.

The fine highlights the importance of obtaining valid consent before using personal data for marketing purposes and informing customers about how their data will be used. Companies must ensure that they have the proper legal basis for processing personal data and that they transparently communicate their data usage practices to their customers.

8. Clearview AI’s facial recognition violations

Clearview AI, a facial recognition technology company, faced a €20 million fine for violating GDPR. The Italian Data Protection Authority found that Clearview AI was conducting biometric surveillance without permission and violated GDPR principles such as transparency, purpose limitation, and storage limitation.

The company’s CEO argued that they have no business operations or customers in Italy or the EU, but the fine serves as a reminder that GDPR applies to any company processing personal data of individuals within the EU, regardless of where the company is located.

9. Meta Platforms Ireland Limited’s data breach notification failures

Meta Platforms Ireland Limited faced a €17 million fine for GDPR violations related to data breach notifications. The company failed to take the appropriate steps to demonstrate that it had implemented personal data protection measures for EU users when it came to the reported data breaches.

The fine highlights the importance of having a robust data breach notification procedure in place and ensuring that companies can readily demonstrate their compliance with GDPR requirements when dealing with data breaches.

No matter how big your organization is: Data security is essential

Okay, you may not stare down penalties of this magnitude, but you probably don’t have coffers as deep as these companies, either! Smaller companies with less cash in the bank need to be just as, if not more, vigilant. 

These cases serve as a stark reminder of the importance of transparency, proper consent management, and ensuring data security measures. 

By understanding and adhering to these principles, companies of all sizes can avoid facing hefty fines and better protect their customers’ personal data. As data protection continues to be a critical concern for individuals and businesses alike, companies must stay updated on GDPR and implement the necessary measures to safeguard the personal information they process.

Three key takeaways from the big penalties of 2023

1. The importance of transparency when communicating with data subjects

Transparency is a key element of GDPR, requiring organizations to be open and straightforward when communicating with data subjects. Individuals must be able to understand how their data is being used and have easy access to this information. Failure to provide transparent information about data usage can lead to significant GDPR fines, as seen in the cases of Clearview AI and WhatsApp.

By ensuring that their data usage practices are transparent and easily accessible, companies can foster trust with their customers and avoid running afoul of GDPR.

2. Consent management

Consent management is crucial for GDPR compliance, as it ensures that individuals are aware of and agree to the collection and processing of their personal data. Companies must provide clear and concise information about how individuals’ data will be used and obtain explicit consent from data subjects. Failure to obtain valid consent can lead to substantial GDPR fines, as seen in the cases of Amazon and Enel Energia.

By implementing proper consent management practices, companies can stay in line with privacy regulations, unify data and communication preferences, and foster trust with their customers.

3. Data security measures

Data security measures are essential for GDPR compliance, as the regulation requires personal data to be handled securely with appropriate technical and organizational measures. This includes ensuring data confidentiality, integrity, and availability, as well as being able to restore access and availability in case of any physical or technical incident.

Failure to implement adequate data security measures can lead to significant GDPR fines, as seen in the cases of H&M and TIM. By implementing strong data security measures, companies can protect their customers’ personal data and avoid costly GDPR fines.

Your path to GDPR Compliance with Thoropass

Okay, that may have been a scary read. If we’ve got your attention, let us now offer some reassurance. 

Chat with our compliance experts: A free 15-Min AMA 

Let’s chat. Connect with a compliance expert to find out how GDPR applies to your business — no strings attached. Book a chat here.

Our 5-step approach makes GDPR a cinch (okay, not quite a cinch, but as easy as it can get!)

  • STEP 1: Kick-off. After a deep dive into data privacy, our experts customize your GDPR compliance roadmap
  • STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
  • STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
  • STEP 4: GDPR assessment and reporting. As a third party, Thoropass delivers a transparent assessment and report to share with customers and prospects
  • STEP 5: And beyond… Leverage our extensive platform to add frameworks, renew attestation, and ensure continuous compliance

Learn more here!
