More Than 200 GDPR Fines Issued Totaling €144 Million, New Study by Privacy Affairs Finds

Spanish and Romanian authorities issued over 70 fines, with the UK applying one.

GDPR Fines Tracker

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​Over 200 fines have been handed to organisations in Europe under strict data protection laws implemented in 2018, according to research from Privacy Affairs. Using data from official sources, the researchers created an online dashboard to track GDPR fines.

A key finding is that different national data protection authorities interpret the rules differently. The largest fine in Romania, €80,000, was a similar offense that has seen other companies issued with several million Euro fines.

Breakdown of GDPR fines by amount:

  • France: €51,100,000
  • Italy: €39,360,000
  • Germany: €25,085,725
  • Austria: €18,070,100
  • Bulgaria:  €3,198,460
  • Spain: €1,882,670
  • Netherlands: €1,410,000
  • Poland: €934,330
  • Greece: €735,000
  • UK: €320,000

Breakdown of GDPR fines by number:

  • Spain: 55
  • Romania: 22
  • Germany: 21
  • Bulgaria: 16
  • Hungary: 14
  • Czech Republic: 11
  • Austria: 8
  • Cyprus: 8
  • Belgium: 6
  • Greece: 6

The Spanish Data Protection Authority has issued 55 fines to date, from €3,600 issued to Amador Recreativos for improper use of surveillance footage, to a €75,000 fine issued to Vodafone España for a technical error resulting in invoices being sent to a former customer.

The Romanian Data Protection Authority has issued 22 fines, ranging from €3,000 issued to Legal Company & Tax Hub SRL for Failure to implement sufficient measures to ensure information security to €80,000 issued to ING Bank N.V. for not implementing adequate technical measures to ensure the protection of personal data. 

The UK Information Commissioner has dealt with three cases and fines from which one was finalised,  and was of €320,000. The two potential fines, British Airways of €204,600,000 and Marriott International of €110,390,200 are not yet final.

The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 Million was issued on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

8 private individuals have also been fined a total of €46,921 including:

  • €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players in the shower.
  • €300 issued to a car owner in Austria for unlawful use of a dash-cam.
  • €2,200 issued to a person in Austria for having unlawfully filmed public areas using a CCTV system. The system filmed parking lots, sidewalks and a garden of a nearby property.
  • €800 issued to a person in Spain who created a fake profile of a female colleague on an erotic website. The profile contained the person’s contact details and information of sexual nature.
  • €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipients' email addresses.​

For questions regarding the research or more information about the team behind the report, contact Joe Robinson at or visit Privacy Affairs.

​Full research here:

Privacy Affairs is a data privacy and cybersecurity research, information, and advice website.

Source: Privacy Affairs