How can we help?


GDPR Fines Across the EU

The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.  Now, as we celebrate the GDPR’s 18-month birthday, it’s a good opportunity to take a look at some of the largest fines imposed to date and where in the EU we are seeing these.

The United Kingdom

The UK has issued notices of intent which would see it imposing the two highest fines so far!

8 July 2019, British Airways, €204,600,000.00.  The ICO has issued an intention to fine only at this stage and has been issued as a result of a failure to adequately protect personal data. Users of British Airways’ website were diverted to a fraudulent site by hackers. Through this false site, details of about 500,000 customers were harvested. This case is currently being appealed by British Airways.

9 July 2019, Marriott International, €110,390,200.00. Again, the ICO has announced an intention to fine only at this stage.  According to the ICO, the systems of Marriot’s subsidiary, Starwood hotels group were allegedly compromised in 2014. This was left undiscovered until 2018. The personal data of approximately 339 million guests was allegedly exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents). The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.


France currently holds the record for the highest fine actually imposed at €50,000,000.

21 January 2019, Google, €50,000,000.  CNIL imposed this fine on Google for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.’ CNIL said that the ‘users are not able to fully understand the extent of the processing operations carried out by Google’ as the essential information was spread across numerous documents and difficult to access. CNIL went on to state that Google had failed to obtain a valid legal basis to process user data and had the “customised ad” boxes pre-ticked for consumers, therefore not allowing valid consent.


23 October 2019, Austrian Post, €18,000,000.  DSB issued Austrian Post with this fine as it had created profiles for over 3 million people which included details such as their addresses, personal preferences/habits and possible political allegiances which it then sold to organisations including political parties.


30 October 2019, Deutsche Wohnen SE, €14,500,000.  The Data Protection Authority of Berlin issued this fine against Deutsche Wohnen SE as it had stored personal data in its archiving system but did not have a way to erase the data when it was no longer necessary.  This personal data included financial information such as payslips, tax data, social security data, and bank statements. This breach was flagged in 2017 by the Berlin Data Protection Authority, but there was no evidence of it having been remedied by March 2019.  This case is currently being appealed.


28 August 2019, National Revenue Agency, €2,600,000. KZLD imposed this fine as a result of the National Revenue Agency failing to adequately protect personal data, resulting in the theft of data relating to 6 million people following a cyber-attack.

The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.


31 October 2019, UWV, €900,000.  AP imposed this fine due to inadequate security measures in respect of UWV’s online employer portal which allowed wide access to health data.


10 September 2019,, €644,780.  UODO imposed this fine as failed to put adequate security and organisational measures in place which led to over 2 million individuals’ personal data being accessed without authorisation.

Since the introduction of GDPR in 2018, many organisations have been quick to adapt and become compliant. However, it is clear that even companies with significant resources have fallen foul of the new accountability requirement of the GDPR and are now facing substantial fines. Businesses should be proactive in their efforts to ensure that all departments look closely at the data they collect and how they handle it.

Click here to contact Clarkslegal’s Data Protection team.


About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 16 May 2024
  • Immigration

What Employers need to know about Biometric Residence Permits

Biometric Residence Permits (BRPs) are biometric immigration documents that are issued to non-EEA nationals and EEA nationals, who have been granted permission to stay in the UK.

  • 14 May 2024

Clarkslegal’s London team moves to new Chancery Lane office

The London office of Clarkslegal has relocated to Chancery House, on Chancery Lane. The staff is enthusiastic about the relocation because Chancery Lane has a longstanding association with the legal profession in London.

  • 10 May 2024
  • Employment

New duty on employers to prevent sexual harassment – coming October 2024

The Worker Protection (Amendment of Equality Act 2010) Act 2023 is due to come into force in October 2024.

  • 09 May 2024
  • Employment

Labour Party Employment Law Proposals – Promises of further consultations and a softer approach

The Prime Minister recently announced a raft of changes, to be implemented in the next parliament, aimed at reducing the number of people who are economically inactive due to illness.

  • 09 May 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series – part 1

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent in October 2023 and marked a pivotal moment in corporate governance and transparency.

  • 07 May 2024
  • Employment

Changes to TUPE rules from 1 July 2024

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’) aim to safeguard employees’ rights on the transfer of a business or on the change of a service.