The online financial news and analysis portal Finbold has published a report detailing the GDPR violation penalties imposed on companies in 2020 by data protection authorities.
The EU’s General Data Protection Regulation allows financial penalties to be imposed by data protection authorities up to a maximum of €20 million, or 4% of a company’s global annual turnover for the previous financial year, whichever is greater. No data protection authority has imposed the maximum financial penalty to date, although 2020 did see some sizeable penalties.
299 GDPR financial penalties were sanctioned in 2020 by EU member states, with €171.3 million in penalties paid to resolve GDPR violations. Italy’s data protection authority topped the list in terms of the total fine amount with its 34 enforcement actions resulting in €58.16 million in financial penalties.
There were only 3 financial penalties imposed in the United Kingdom, but they totaled €43.9 million, putting the UK in second place. The GDPR financial penalties in Italy and the United Kingdom account for 59.5% of the total figure and 13.37% of the enforcement actions. Germany (€37,398,708), Sweden (€14,278,800), Spain (€8,021,210), France (€3,309,000), Netherlands (€2,080,000), Norway (€1,050,800), Belgium (€793,000), and Ireland (€630,000) complete the top ten.
Spain placed 5th in terms of the total amount of fines, but the Spanish data protection authority was the most active of all member states, with 128 financial penalties issued, or 42.80% of all GDPR violation penalties in 2020. Italy’s 34 fines put the country in second place, with Romania in third with 26 fines. Sweden (15), Belgium (13), Norway (11), Hungary (10), Poland (7), Denmark (6), and Greece (6) complete the top 10.
The French data protection authority fined only 5 entities in 2020, but those fines include two of the top three largest GDPR violation penalties of 2020: a €60 million fine for Google LLC, a €40 million fine for Google Ireland, and a €35 million fine for Amazon Europe Core.
Other notable GDPR financial penalties include the €35,258,708 financial penalty for H&M Hennes & Mauritz Online Shop (Germany), the €27,800,000 fine for the telecommunication company TIM (Italy), the €22,046,000 fine for British Airways (UK), the €20,450,000 fine for Marriott International (UK), and the €16,700,000 fine for Wind Tre S.p.A (Italy).
The five largest financial penalties of 2020 and six of the top ten were sanctioned in cases where there was insufficient legal basis for data processing. This was the most common GDPR violation overall to attract a financial penalty. There were 120 fines imposed for this violation, which is 40% of the year’s financial penalties. 23.4% of the penalties – 70 fines – were imposed for insufficient technical and organizational measures to ensure information security and 17% – 51 fines – for noncompliance with general data processing principles.