GDPR fines have been a hot topic since the law’s European inception. To avoid incurring penalties, data controllers and processors should have the proper protocols and contracts in place, including data transfer agreements , data processing agreements , and data protection agreements .
In this article, we help you understand penalties surrounding GDPR violations, offer real-world examples, and show you how to calculate GDPR fines.
What is the Penalty for a GDPR Violation?
The penalties for a General Data Protection Regulation (GDPR) violation can result in up to twenty million euros or four percent of the company’s global annual revenue from the previous year, whichever number is higher. EU legislators impose fines for penalties to enforce data protection compliance.
You can learn more about the GDPR through this web page .
GDPR Fine Examples
It is hard to imagine the magnitude of how massive GDPR fines can grow. Since penalties are variable according to the number of records exposed and the severity of the breach, they can easily reach the multi-million dollar range. In the last few years, there have been several high-profile GDPR breach cases with alarmingly high fines.
Here is an explanation of nine GDPR fine examples below:
Example 1. Amazon: $877 Million
Amazon received a massive GDPR fine. The violation relates to the companies cookie policy and consent procedures. This GDPR fine is not the first received by Amazon as they faced a $40,000 fine at the tail-end of 2020.
Example 2. Google: $56.6 Million
In 2019, Google received its fine in March 2020 and was the largest on record until the Amazon violation. They were fined for how Google communicated privacy policies to users. In this case, Google should have offered end-users more information in their privacy policy and user agreement .
Example 3. H & M: $41 million
German authorities fined H & M around $41 million for employee data violations. H & M did not take proper precautions to protect employee days off and unnecessarily shared videos of meetings with 50 other H & M managers. These meetings were used to make decisions about the employee’s performance without their knowledge or consent.
Example 4. British Airways: $26 million
British Airways received a GDPR fine related to a 2018 incident. Their fine was the result of a breached computer system that affected over 400,000 customers. Customer information, payment details, and log-in information were exposed at the time of the breach.
Example 5. Marriott: $23.8 million
After a database breach, Marriott hotels exposed 383 million guest records, and hackers obtained all collected customer information. The company could have avoided the fine if they had paid due diligence after acquiring Starwood Hotels.
Example 6. Google: $8.3 million
Google received another fine in 2020 for a GDPR violation. Sweden fined Google for failing to remove search result listings under the right to be forgotten principle. The search provider should have honored this right by ensuring that a process was available to respond to erasure requests without unnecessary delay.
Example 7. Fastweb: $5.5 million
This Italian telecommunications company received a massive fine in 2021 after engaging in telemarketing without obtaining consumer consent. The company was using fake or false telephone numbers that were not registered with communication operators, and Fastweb should have obtained consumer consent beforehand since this standard is very high.
Example 8. Bulgaria’s National Revenue Agency: $3 million
Bulgaria’s National Revenue Agency received a fine after a data breach affected five million people. The information leaked included names, contact details, and tax information. The agency failed to take proactive and effective technological measures to protect the data in its control.
All GDPR penalties are paid to the Information Commissioner’s Office (ICO) and into a government fund owned by the treasury. GDPR fines are utilized to fund public resources and services, and most European nations use the structure.
This article also contains examples of GDPR fines.
163 projects on CC
CC verified
How are GDPR Fines Calculated?
GDPR fines are calculated in generally the same manner as described in this article. However, several factors influence the total fine amount, including company size, size class, subcategory, average annual turnover, and the facts and circumstances of the violation. You should always work with a legal professional to help you determine if the GDPR fine you are receiving is fair and how to protect unfair or incorrect amounts.
Here are five steps for calculating GDPR fines:
Step 1. Categorize Your Company’s Size
Start by categorizing your company’s size. You can find your GDPR size class and subcategories through the GDPR website for more information.
Step 2. Account for Your Average Annual Turnover
After locating your company’s subgroup, determine the average annual turnover to which your company belongs. If your annual turnover exceeds 500 million euros, the maximum fine of two or four percent should be applied to your situation.
Step 3. Divide Your Average Annual Turnover by 360
In this next step, you will divide your average annual turnover by 360. This calculation determines the fine’s basic economic value.
Step 4. Classify the Basic Value Factor
Take the number from step three and classify the basic value factor. This number is defined as the severity of your offense. Determination of your basic value factor is based on concrete facts and circumstances and listed as light, medium, severe, or very severe.
Step 5. Adjust the Calculation
Finally, you will want to take your calculated amount and adjust it for the circumstances both in favor of and against the tortfeasor. Typically, these circumstances surround offense-related details, such as proceeding length and company insolvency. Depending upon the facts and circumstances, there could be reductions or increases that apply to your final number.
For greater clarity on calculating a GDPR fine, you can use the following formula to help:
Average annual turnover x Basic value factor = Amount of fine
It is not always easy to calculate a GDPR violation without professional help. Here is a web page that discusses penalties for GDPR violations.
Maximum Fine for Breach of GDPR
The maximum fine for a breach of the GDPR is 20 million euros or four percent of the preceding year’s revenues. A company will receive a penalty that is the greater of the two numbers. However, not every violation results in a data protection fine.
There is a wide range of other actions that they can take against offending companies, including:
- Issuing reprimands and warnings
- Temporarily or permanently banning data processing rights
- Ordering the restriction or erasure of personally identifiable information (PII)
- Rescinding data transfer rights to other countries
There are a host of penalties that the GDPR can impose. Check out this article for examples of GDPR breach costs.
Can an Individual be Fined for GDPR Breach?
Yes, an individual can be fined for a GDPR breach if they engage in a legitimate business. Otherwise, the violation falls under criminal activity and subsequent legal charges. If you have questions about whether you could be fined for a GDPR breach, speak with GDPR compliance lawyers to apply the law to your situation.
GDPR compliance is essential when soliciting Europeans and collecting their information. Otherwise, severe fines and penalties are on the line, not to mention the damage to your brand and intellectual property. Privacy lawyers in your state will help you understand the rules provided in the GDPR and how to structure your agreements so that they meet the requirements.
