GDPR is well-known for its costly violation penalties. Amazon was famously fined $880+ million in 2021 for tracking user data without appropriate consent, and Google has paid several violation penalties amounting to upwards of $200 million.

Learn more about GDPR fines and penalties below.

Tiers of GDPR fines and penalties

There are two tiers of penalties, depending on the severity of the violation. Less severe violations can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher.

The second tier of penalties is for violating the core principles of GDPR, including the right to consent, data subjects’ rights, and the principles of data processing. These violations can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher. In addition, those affected by the breach have the right to seek compensation for damages.

How much is a GDPR fine?

That depends. Under GDPR, fines are administered by the data protection regulator in each EU member state. The data protection regulator determines two things: first, whether an infringement has occurred, and second, the severity of the penalty.

If an investigation reveals multiple GDPR violations, the organization will only be penalized for the most severe one (as long as all the violations are part of the same processing operation).

To determine whether a fine will be issued, and in what amount, the data protection regulator uses the following 10 criteria:

  • Gravity and nature: What happened? How did it happen and why? How many people were affected and what was the damage? How long did it take to resolve?
  • Intention: Was the infringement intentional or the result of negligence?
  • Mitigation: Did the organization try to mitigate the damage suffered by those affected by the infringement?
  • Precautionary measures: How much technical and organizational preparation did the organization implement to be GDPR compliant before the infringement?
  • History: Were there any previous infringements?
  • Cooperation: Did the organization cooperate with the supervisory authority to discover and remedy the infringement?
  • Data category: What type of personal data did the infringement affect?
  • Notification: Did the organization proactively report the infringement to the supervisory authority?
  • Certification: Was the organization previously certified? If not, did it follow the approved codes of conduct?
  • Aggravating/mitigating factors: Were there any financial benefits gained or losses avoided as a result of the infringement?

GDPR violation examples

Since GDPR came into effect in 2018, there have been several newsworthy examples of violations, most notably Amazon’s and Google’s GDPR fines.

Below are 10 GDPR violation cases with the largest fines imposed and what you can learn from each.

1. Amazon - €746M

Year issued: 2021

Penalty type: Non-compliance with general data processing principles

In 2021, the Luxembourg National Commission for Data Protection (CNDP) fined Amazon Europe Core S.a.r.l. €746 million for non-compliance with general data processing principles. It remains the largest fine imposed by a European data protection authority since GDPR came into effect in 2018.

Although limited details are available to the public, the fine is most likely the result of infringements related to Amazon’s advertising targeting system.

Lessons to learn:

  • Obtain consumer consent by using clear, plain language and explaining how data is going to be used, for what purpose, and by whom.

2. Meta - €405M

Year issued: 2022

Penalty type: Non-compliance with general data processing principles

In 2022, the Irish Data Protection Authority issued a record GDPR fine of €405 million to Meta for its treatment of children’s data on Instagram. More specifically, Instagram set the accounts of children aged 13 to 17 to public by default, and allowed teenagers with business accounts to make their email addresses and phone numbers public.

Lessons to learn: 

  • The legal basis for collecting and processing personal data must be valid — for example, you must prove that processing data is necessary for the performance of a contract.

3. WhatsApp - €225M

Year issued: 2021

Penalty type: Insufficient fulfillment of information obligations

In 2021, the Irish Data Protection Authority fined WhatsApp €225 million. At the time, it was the largest GDPR fine imposed by the Irish DPA. In its decision, the regulator stated that WhatsApp had not provided enough information about how data was collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

Lessons to learn: 

  • Write clear and comprehensive privacy policies so users understand how their data is processed.

4. Google LLC and Google Ireland - €150M

Year issued: 2021

Penalty type: Insufficient legal basis for data processing

The French Data Protection Authority (CNIL) issued a fine of €150 million against Google (€90 million for Google LLC and €60 million for Google Ireland) for non-compliance with local (and pan-EU) cookie consent rules. More specifically, on google.fr and youtube.com Google did not make it as easy to refuse all cookies as it was to accept them all.

Lessons to learn:

  • Present an option to reject non-essential cookies that is as easy for users to find and use as the option to accept all tracking.

5. Facebook - €60M

Year issued: 2021

Penalty type: Insufficient legal basis for data processing

In 2021, the CNIL also fined Facebook €60 million for failing to provide users with an easy way to refuse cookies when using the website.

Lessons to learn:

  • Provide a clear way for users to opt out of cookies.

6. Google LLC - €50M

Year issued: 2019

Penalty type: Insufficient legal basis for data processing

In 2019, the French Data Protection Authority (CNIL) fined Google €50 million for unclear privacy consent agreements that failed to obtain freely given consumer consent for ad targeting. In its investigation, the CNIL found that Google had failed to act transparently and provide information in a way that was easily accessible to its users, and did not have any legal basis for processing its users’ data in order to provide personalized ads.

Lessons to learn:

  • Write privacy consent agreements that clearly convey how you’ll be processing personal data, including for ad personalization purposes.

7. H&M - €35M

Year issued: 2020

Penalty type: Insufficient legal basis for data processing

The Hamburg Data Protection Authority fined H&M €30 million for employee-related offenses. One of the most notable violations was recording and storing one-on-one conversations with employees and using details provided in those conversations to make decisions about the employees. It was the largest fine imposed by the Hamburg DPA under GDPR.

Lessons to learn:

  • Collecting and storing extensive personal data about your employees’ personal lives is a violation of GDPR and of their civil rights.

8. TIM - €27.8M

Year issued: 2020

Penalty type: Insufficient legal basis for data processing

In 2020, the Italian data protection authority fined Italian telecommunications operator TIM (formerly known as Telecom Italia) €27.8 million for a series of data collection and processing violations related to marketing campaigns. Violations included sending unsolicited communications and making promotional calls to millions of individuals, including those on non-contact and exclusion lists.

Lessons to learn:

  • Create specific opt-ins for different marketing activities.
  • Properly manage and update blocklists.

9. Enel Energia - €26.5M

Year issued: 2021

Penalty type: Insufficient legal basis for data processing

The Italian data protection authority (Garante) issued a €26.5 million fine to Enel Energia for multiple data privacy violations, including making unsolicited promotional calls without the required consent of users. Enel Energia was also penalized for not having sufficiently cooperated with the Garante during the course of the investigation.

Lessons to learn:

  • Cooperate with the data protection authority during any investigation into possible GDPR infringements.

10. British Airways - €22M

Year issued: 2020

Penalty type: Insufficient technical and organizational measures to ensure information security

In 2020, British Airways was fined €20 million by the Information Commissioner's Office (ICO) for insufficient technical and organizational measures, which led to a data breach that affected the personal and credit card data of more than 400,000 customers. The fine was significantly reduced from €204.6 million, the amount the ICO originally said it intended to issue in 2019.

Lessons to learn:

  • Put adequate security measures in place to keep customers’ personal data secure.

FAQs

What are the tiers of fines under the GDPR?

There are two tiers of fines under GDPR:

  • Tier 1 for less severe violations: Can result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher
  • Tier 2 for more severe violations: Can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher

What are the fines against individuals under GDPR?

The maximum fine for individuals is the same as the maximum for organizations: up to 20 million euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. You can find examples of fines against individuals in the GDPR enforcement tracker. Recent examples include a €5,000 fine against a physician for non-compliance with general data processing principles and a €240 fine against a private individual for insufficient legal basis for data processing.

What is the most common violation of GDPR?

According to the GDPR enforcement tracker, the most common violations are insufficient legal basis for data processing (520) and non-compliance with general data processing principles (520); both counts are as of November 2023. Other common examples are:

  • Insufficient technical and organisational measures to ensure information security (364)
  • Insufficient fulfilment of data subjects rights (194)
  • Insufficient fulfilment of information obligations (185)
  • Insufficient cooperation with supervisory authority (91)