ContractsCounsel Logo

Biggest GDPR Fines

Updated: March 28, 2023
Clients Rate Lawyers on our Platform 4.9/5 Stars
based on 10,527 reviews
No Upfront Payment Required, Pay Only If You Hire.
Home Blog Biggest GDPR Fines

Jump to Section

GDPR fines have been a hot topic since the law’s European inception. To avoid incurring penalties, data controllers and processors should have the proper protocols and contracts in place, including data transfer agreements , data processing agreements , and data protection agreements .

In this article, we help you understand penalties surrounding GDPR violations, offer real-world examples, and show you how to calculate GDPR fines.

What is the Penalty for a GDPR Violation?

The penalties for a General Data Protection Regulation (GDPR) violation can result in up to twenty million euros or four percent of the company’s global annual revenue from the previous year, whichever number is higher. EU legislators impose fines for penalties to enforce data protection compliance.

You can learn more about the GDPR through this web page .

GDPR Fine Examples

It is hard to imagine the magnitude of how massive GDPR fines can grow. Since penalties are variable according to the number of records exposed and the severity of the breach, they can easily reach the multi-million dollar range. In the last few years, there have been several high-profile GDPR breach cases with alarmingly high fines.

Here is an explanation of nine GDPR fine examples below:

Example 1. Amazon: $877 Million

Amazon received a massive GDPR fine. The violation relates to the companies cookie policy and consent procedures. This GDPR fine is not the first received by Amazon as they faced a $40,000 fine at the tail-end of 2020.

Example 2. Google: $56.6 Million

In 2019, Google received its fine in March 2020 and was the largest on record until the Amazon violation. They were fined for how Google communicated privacy policies to users. In this case, Google should have offered end-users more information in their privacy policy and user agreement .

Example 3. H & M: $41 million

German authorities fined H & M around $41 million for employee data violations. H & M did not take proper precautions to protect employee days off and unnecessarily shared videos of meetings with 50 other H & M managers. These meetings were used to make decisions about the employee’s performance without their knowledge or consent.

Example 4. British Airways: $26 million

British Airways received a GDPR fine related to a 2018 incident. Their fine was the result of a breached computer system that affected over 400,000 customers. Customer information, payment details, and log-in information were exposed at the time of the breach.

Example 5. Marriott: $23.8 million

After a database breach, Marriott hotels exposed 383 million guest records, and hackers obtained all collected customer information. The company could have avoided the fine if they had paid due diligence after acquiring Starwood Hotels.

Example 6. Google: $8.3 million

Google received another fine in 2020 for a GDPR violation. Sweden fined Google for failing to remove search result listings under the right to be forgotten principle. The search provider should have honored this right by ensuring that a process was available to respond to erasure requests without unnecessary delay.

Example 7. Fastweb: $5.5 million

This Italian telecommunications company received a massive fine in 2021 after engaging in telemarketing without obtaining consumer consent. The company was using fake or false telephone numbers that were not registered with communication operators, and Fastweb should have obtained consumer consent beforehand since this standard is very high.

Example 8. Bulgaria’s National Revenue Agency: $3 million

Bulgaria’s National Revenue Agency received a fine after a data breach affected five million people. The information leaked included names, contact details, and tax information. The agency failed to take proactive and effective technological measures to protect the data in its control.

All GDPR penalties are paid to the Information Commissioner’s Office (ICO) and into a government fund owned by the treasury. GDPR fines are utilized to fund public resources and services, and most European nations use the structure.

This article also contains examples of GDPR fines.

Meet some lawyers on our platform

Scott S.

60 projects on CC
CC verified
View Profile

Alan B.

10 projects on CC
CC verified
View Profile

Sara S.

118 projects on CC
CC verified
View Profile

Haroldo M.

1 project on CC
CC verified
View Profile

How are GDPR Fines Calculated?

GDPR fines are calculated in generally the same manner as described in this article. However, several factors influence the total fine amount, including company size, size class, subcategory, average annual turnover, and the facts and circumstances of the violation. You should always work with a legal professional to help you determine if the GDPR fine you are receiving is fair and how to protect unfair or incorrect amounts.

Here are five steps for calculating GDPR fines:

Step 1. Categorize Your Company’s Size

Start by categorizing your company’s size. You can find your GDPR size class and subcategories through the GDPR website for more information.

Step 2. Account for Your Average Annual Turnover

After locating your company’s subgroup, determine the average annual turnover to which your company belongs. If your annual turnover exceeds 500 million euros, the maximum fine of two or four percent should be applied to your situation.

Step 3. Divide Your Average Annual Turnover by 360

In this next step, you will divide your average annual turnover by 360. This calculation determines the fine’s basic economic value.

Step 4. Classify the Basic Value Factor

Take the number from step three and classify the basic value factor. This number is defined as the severity of your offense. Determination of your basic value factor is based on concrete facts and circumstances and listed as light, medium, severe, or very severe.

Step 5. Adjust the Calculation

Finally, you will want to take your calculated amount and adjust it for the circumstances both in favor of and against the tortfeasor. Typically, these circumstances surround offense-related details, such as proceeding length and company insolvency. Depending upon the facts and circumstances, there could be reductions or increases that apply to your final number.

For greater clarity on calculating a GDPR fine, you can use the following formula to help:

Average annual turnover x Basic value factor = Amount of fine

It is not always easy to calculate a GDPR violation without professional help. Here is a web page that discusses penalties for GDPR violations.

Maximum Fine for Breach of GDPR

The maximum fine for a breach of the GDPR is 20 million euros or four percent of the preceding year’s revenues. A company will receive a penalty that is the greater of the two numbers. However, not every violation results in a data protection fine.

There is a wide range of other actions that they can take against offending companies, including:

  • Issuing reprimands and warnings
  • Temporarily or permanently banning data processing rights
  • Ordering the restriction or erasure of personally identifiable information (PII)
  • Rescinding data transfer rights to other countries

There are a host of penalties that the GDPR can impose. Check out this article for examples of GDPR breach costs.

Can an Individual be Fined for GDPR Breach?

Yes, an individual can be fined for a GDPR breach if they engage in a legitimate business. Otherwise, the violation falls under criminal activity and subsequent legal charges. If you have questions about whether you could be fined for a GDPR breach, speak with GDPR compliance lawyers to apply the law to your situation.

GDPR compliance is essential when soliciting Europeans and collecting their information. Otherwise, severe fines and penalties are on the line, not to mention the damage to your brand and intellectual property. Privacy lawyers in your state will help you understand the rules provided in the GDPR and how to structure your agreements so that they meet the requirements.

Need help with a GDPR Compliance?

Create a free project posting

Meet some of our Lawyers

Keidi C. on ContractsCounsel
View Keidi
5.0 (11)
Member Since:
August 25, 2021

Keidi C.

Principal Attorney
Free Consultation
Boston, MA
26 Yrs Experience
Licensed in MA, NY
New England Law | Boston

Keidi S. Carrington brings a wealth of legal knowledge and business experience in the financial services area with a particular focus on investment management. She is a former securities examiner at the United States Securities & Exchange Commission (SEC) and Associate Counsel at State Street Bank & Trust and has consulted for various investment houses and private investment entities. Her work has included developing a mutual fund that invested in equity securities of listed real estate investment trusts (REITs) and other listed real estate companies; establishing private equity and hedge funds that help clients raise capital by preparing offering materials, negotiating with prospective investors, preparing partnership and LLC operating agreements and advising on and documenting management arrangements; advising on the establishment of Initial Coin Offerings (ICOs/Token Offerings) and counseling SEC registered and state investment advisers regarding organizational structure and compliance. Ms. Carrington is a graduate of Johns Hopkins University with a B.A. in International Relations. She earned her Juris Doctorate from New England Law | Boston and her LL.M. in Banking and Financial Law from Boston University School of Law. She is admitted to practice in Massachusetts and New York. Currently, her practice focuses on assisting investors, start-ups, small and mid-size businesses with their legal needs in the areas of corporate and securities law.

Daehoon P. on ContractsCounsel
View Daehoon
4.7 (116)
Member Since:
November 26, 2021

Daehoon P.

Corporate Lawyer
Free Consultation
New York, NY
9 Yrs Experience
Licensed in NY
American University Washington College of Law

Advised startups and established corporations on a wide range of commercial and corporate matters, including VC funding, technology law, and M&A. Commercial and Corporate Matters • Advised companies on commercial and corporate matters and drafted corporate documents and commercial agreements—including but not limited to —Convertible Note, SAFE, Promissory Note, Terms and Conditions, SaaS Agreement, Employment Agreement, Contractor Agreement, Joint Venture Agreement, Stock Purchase Agreement, Asset Purchase Agreement, Shareholders Agreement, Partnership Agreement, Franchise Agreement, License Agreement, and Financing Agreement. • Drafted and revised internal regulations of joint venture companies (board of directors, employment, office organization, discretional duty, internal control, accounting, fund management, etc.) • Advised JVs on corporate structuring and other legal matters • Advised startups on VC funding Employment Matters • Drafted a wide range of employment agreements, including dental associate agreements, physician employment agreements, startup employment agreements, and executive employment agreements. • Advised clients on complex employment law matters and drafted employment agreements, dispute settlement agreements, and severance agreements. General Counsel • As outside general counsel, I advised startups on ICOs, securities law, business licenses, regulatory compliance, and other commercial and corporate matters. • Drafted or analyzed coin or token sale agreements for global ICOs. • Assisted clients with corporate formations, including filing incorporation documents and foreign corporation registrations, drafting operating and partnership agreements, and creating articles of incorporation and bylaws. Dispute Resolution • Conducted legal research, and document review, and drafted pleadings, motions, and other trial documents. • Advised the client on strategic approaches to discovery proceedings and settlement negotiation. • Advised clients on employment dispute settlements.

Michael M. on ContractsCounsel
View Michael
4.9 (291)
Member Since:
September 10, 2022

Michael M.

Free Consultation
Los Angeles, CA
37 Yrs Experience
Licensed in CA

www.linkedin/in/michaelbmiller I am an experienced contracts professional having practiced nearly 3 decades in the areas of corporate, mergers and acquisitions, technology, start-up, intellectual property, real estate, employment law as well as informal dispute resolution. I enjoy providing a cost effective, high quality, timely solution with patience and empathy regarding client needs. I graduated from NYU Law School and attended Rutgers College and the London School of Economics as an undergraduate. I have worked at top Wall Street firms, top regional firms and have long term experience in my own practice. I would welcome the opportunity to be of service to you as a trusted fiduciary. In 2022 I was the top ranked attorney on the Contract Counsel site based upon number of clients, quality of work and top reviews.

Doug F. on ContractsCounsel
View Doug
Member Since:
September 7, 2022

Doug F.

Managing Director
Free Consultation
Boston, MA
42 Yrs Experience
Licensed in MA, NY
Boston University School of Law

Doug has over 20 years of private and public company general counsel experience focusing his legal practice on commercial transactions including both software and biotech. He is a tech savvy, business savvy lawyer who is responsive and will attain relationship building outcomes with your counterparty while effectively managing key risks and accelerating revenue. He received his Juris Doctor from Boston University School of Law earning the Book Award in Professional Ethics and after graduation he taught legal writing there for a number of years. Prior to law school, Doug earned a M.A in Mathematics at the State University of New York at Stony Brook, and a B.S in Honors Mathematics at Purdue University. After law school, Doug joined Fish & Richardson, where his practice focused on licensing software, trademarks and biotech. While at Fish & Richardson Doug authored a book on software licensing published by the American Intellectual Property Lawyers Association. Later he joined as General Counsel at FTP Software and led an IPO as well as corporate development. Doug has broad experience with a broad range of commercial agreement drafting and negotiation including SaaS software and professional services, distribution and other channel agreements, joint venture and M&A. Doug continued his leadership, corporate governance and commercial transaction practice at Mercury Computers (NASDAQ:MRCY) leading corporate development. Doug’s experience ranges from enterprise software to biotech and other vertical markets. He joined the board of Deque Systems in 2009 and joined in an operating role as President in 2020 successfully scaling the software business.

Kathryn K. on ContractsCounsel
View Kathryn
Member Since:
September 13, 2022

Kathryn K.

Free Consultation
Boulder, CO
15 Yrs Experience
Licensed in CO
Georgetown University Law Center

I graduated from Georgetown Law in 2009 and have been practicing for fourteen years. I primarily work on commercial contracts. I specialize in drafting, reviewing, and negotiating MSAs for services companies, specializing in SaaS agreements. I have drafted online terms of service, acceptance use policies, and privacy policies for clients across a range of industries. In addition, I counsel clients on NDAs, non-solicitation/non-competition agreements, employment contracts, and commercial and residential leases. Prior to opening my own practice, I worked for four years at one of the most prestigious law firms in the world, an appellate litigation firm, the federal government, and one of the country's most renowned government contracts firms. I live in Boulder but represent clients nationwide. Although I have represented numerous Fortune 500 companies and the Defense Department, my passion is advising startups and small businesses. Like so many of my clients, I am an entrepreneur and have owned and operated three businesses (my law firm and two companies outside the legal field). I understand the needs and concerns of small business owners. I look forward to working with you.

Wendy C. on ContractsCounsel
View Wendy
Member Since:
September 12, 2022

Wendy C.

Free Consultation
25 Yrs Experience
Licensed in IL, WI
University of Wisconsin Madison

Business Advisor and Real Estate Consultant: Small boutique firm working to assist entrepreneurs, business start-ups, property investors, new home buyers, and distressed owners Wendy Calvert began her career as a corporate attorney focusing on complex commercial litigation, primarily in construction, property and casualty, and contractor liability. Through this experience, Wendy has managed and successfully litigated cases in Illinois and Wisconsin. In 2004, Wendy relocated to Illinois to work as an insurance litigation counsel and later as an executive sales consultant and insurance expert. Wendy now utilizes her skills as a contract negotiator, litigator, and sales consultant to negotiate real estate deals and help entrepreneurs create and grow the businesses of their dreams. EDUCATION Wendy earned her Juris Doctor in 1999 from the University of Wisconsin Madison. In 1989, Wendy graduated with a Bachelor of Arts in Business Administration and Communications from Marquette University.

Find the best lawyer for your project

Browse Lawyers Now

Need help with a GDPR Compliance?

Create a free project posting
See All Privacy Lawyers
See All Biggest GDPR Fines Lawyers
Learn About Contracts
See More Contracts
other helpful articles

Quick, user friendly and one of the better ways I've come across to get ahold of lawyers willing to take new clients.

View Trustpilot Review

Contracts Counsel was incredibly helpful and easy to use. I submitted a project for a lawyer's help within a day I had received over 6 proposals from qualified lawyers. I submitted a bid that works best for my business and we went forward with the project.

View Trustpilot Review

I never knew how difficult it was to obtain representation or a lawyer, and ContractsCounsel was EXACTLY the type of service I was hoping for when I was in a pinch. Working with their service was efficient, effective and made me feel in control. Thank you so much and should I ever need attorney services down the road, I'll certainly be a repeat customer.

View Trustpilot Review

I got 5 bids within 24h of posting my project. I choose the person who provided the most detailed and relevant intro letter, highlighting their experience relevant to my project. I am very satisfied with the outcome and quality of the two agreements that were produced, they actually far exceed my expectations.

View Trustpilot Review

Need help with a GDPR Compliance?

Create a free project posting

Want to speak to someone?

Get in touch below and we will schedule a time to connect!

Request a call

Find lawyers and attorneys by city