Hungary among the front-runners in the GDPR report, with a great many fines
Which businesses have been hit with the biggest privacy fines and where?
The GDPR (General Data Protection Regulation) was introduced in 2018, and since then many have fallen foul of its rules. In fact, more than 650 fines have been imposed for breaches of the GDPR, totaling more than € 280 million in just over three years. So what were the most severe penalties? What are the most common violations? And which countries were the most serious offenders? ESET dived into the data to find out!
The highest GDPR fines to date
1. Amazon – 746 million euros
The most significant GDPR fine to date was slow in coming, but it surpassed all previous fines: the technology giant Amazon was fined € 746 million. The fine is more than double all the previous GDPR fines combined, and it is the first really significant fine imposed. Amazon is currently appealing the decision (brought against it by Luxembourg), which makes the decision a milestone in the early history of the GDPR, however it turns out.
2. Google – € 50 million
The second-highest GDPR fine went to one of the largest organizations: Google. The search engine giant was fined € 50 million by the French data protection authority, CNIL. It was determined that Google does not inform users about how it collects their information and how it uses it for the targeted ads they are served. Although the fine was appealed in 2020, the appeal was dismissed by the French Conseil d’État, the country’s highest court, which ordered the fine to be upheld.
3. H&M – EUR 35.3 million
The H&M Hennes & Mauritz online store AB & Co. KG (better known simply as H&M) was fined just under € 35.3 million last year for illegally monitoring hundreds of its employees. It turned out that the fashion retailer stored too much data about employees at its service center in Nuremberg, including data about their family, religion and illness. However, the investigation with Google and Amazon led H&M to accept the fine and promise to compensate the affected employees.
Many irregularities were also found in Hungary, which ranks fourth among European countries by number of cases. In Hungary, 43 cases were punished, and fines of 811 thousand euros were imposed. We stand out mainly in the number of cases, while more than one of the countries on the list was fined larger amounts: in Germany, for example, 28 cases were fined € 49 million, but Luxembourg is far ahead of everyone, with a fine of 746 million, and, as we shall see, not by chance.
The most common causes of GDPR fines
Most of the fines to date fell into the “insufficient legal basis for data processing” category, and until the recent Amazon fine, this rule was responsible for both the average fine and the total amount of GDPR fines paid so far.
In essence, an organization needs to be able to prove that there is a legal basis that makes the processing of your data “necessary” rather than simply useful, which more than 270 companies have failed to do.
The second most common reason for fines was the lack of “appropriate technical and organizational measures to ensure information security”: there have been 155 such infringements since the introduction of the GDPR in 2018. The two largest such fines were imposed within the UK, where British Airways and Marriott International were fined € 22 million and € 20.45 million respectively in October 2020.
This specific GDPR rule aims to protect consumers’ personal data: an infringement occurs when an organization is deemed not to ensure the security of consumers’ data.
The third most common breach was much more general: “non-compliance with general data processing principles”, which covers more serious breaches of the GDPR.
The total and average fines imposed for this infringement are heavily influenced by the significant fine imposed on Amazon this year: the average is HUF 5.2 million and the total amount of fines imposed is EUR 782 million.
Countries with the highest GDPR fines to date
Although the average fine imposed on Spanish organizations is extremely low, at just over € 118,000, most fines have been imposed in Spain: with 273 fines, the country is responsible for just over a third of all GDPR infringements to date. This is a huge number of fines for a single country, even if the amounts imposed are not as high as for other countries on the continent.
Italy is the second most fined country, with more than € 84 million since 2018. Its most significant case was that of Gruppo TIM, which was fined € 27.8 million, followed by WINDTRE (€ 16.7 million) and Vodafone Italy (€ 12.25 million).
Romania’s average GDPR fine is very modest, at € 11,659, one of the lowest in Europe, but the nation still received a lot of fines, making it third on the list. The most significant was Raiffeisen Bank’s fine of € 150,000, which pales in comparison to fines imposed on large companies in other countries. Instead, fines in Romania were often much smaller, usually only a few thousand euros.