What are the Biggest GDPR Fines?

As at 17 October 2023, the biggest GDPR fines across UK and Europe were:

  1. €1.2bn GDPR fine (2023) for Meta Platforms Ireland Ltd.
    Transfers to US without adequate safeguards.
  2. €746m GDPR fine (2021) for Amazon Europe.
    Targeted advertising without consent (complaint from 10,000 people in 2018).
  3. €405m GDPR fine (2022) for Meta Platforms, Inc.
    Defaulting contact details in teenagers' Instagram business accounts to public.
  4. €390m GDPR fine (2023) for Meta Platforms Ireland Ltd.
    Changing legal basis from consent to contract, therefore forcing consent for personalised and behavioural advertising.
  5. €345m GDPR fine (2023) for TikTok Ltd.
    Lack of transparency and fairness processing children’s data.
  6. €265m GDPR fine (2022) for Meta Platforms Ireland Limited.
    Data leak: 533m users' phone numbers and email addresses posted online by crooks.
  7. €225m GDPR fine (2021) for WhatsApp Ireland.
    Lack of transparency from WhatsApp.
  8. €90m GDPR fine (2021) for Google LLC, plus €100k/day after 3 months.
    French cookie consent on YouTube.
  9. €60m GDPR fine (2021) for Google Ireland.
    French cookie consent on Google.fr.
  10. €60m GDPR fine (2022) for Facebook.
    Cookie consent.
  11. €59m GDPR fine (2019) for Google France.
    Lack of transparency and lawful basis for ads personalisation.
  12. €40m GDPR fine (2023) for Criteo.
    Lack of transparency, lawful basis and respect for data subjects' rights in targeted advertising.
  13. €35.3m GDPR fine (2020) for H&M.
    Data leak of employee data which shouldn’t have been collected in the first place.
  14. €27.8m GDPR fine (2020) for TIM.
    Aggressive marketing without transparency or lawful basis.
  15. £20m GDPR fine (2020) for British Airways. Reduced from a threat of £138m in 2019.
    Data leak of 400k customers focused on credit card data.
  16. €20m GDPR fine (2022) for Clearview AI Inc. France.
    Facial recognition data capture without adequate transparency or lawful basis.
  17. €20m GDPR fine (2022) for Clearview AI Inc. Greece.
    Facial recognition data capture without adequate transparency or lawful basis.
  18. €20m GDPR fine (2022) for Clearview AI Inc. Italy.
    Facial recognition data capture without adequate transparency or lawful basis.
  19. £18m GDPR fine (2020) for Marriott International.
    Data breach affecting 339m guest records of which 31m were EEA.
  20. €17m GDPR fine (2022) for Meta Platforms Ireland Ltd.
    Inadequate security controls following 12 breach notifications.
  21. €16.7m GDPR fine (2020) for Wind Tre.
    Marketing calls without opt-out, with over 100 complaints.
  22. €14.5m GDPR fine (2019) for Deutsche Wohnen.
    Excessive retention of tenant data, then failure to destroy it after regulator engagement.
  23. £12.7m GDPR fine (2023) for TikTok.
    Processing the data of over 1m children (under 13), against its own terms and without parental consent.
  24. €12.25m GDPR fine (2020) for Vodafone Italia.
    Telemarketing without lawful basis.
  25. €11.5m GDPR fine (2020) for Eni Gas e Luce.
    Telemarketing to individuals who had opted out and who were registered on the national database.

Want to know more about GDPR fines and how to protect your organisation?

Contact our GDPR DPO specialists today: