Two Years Into GDPR, a Flashback of the Seven Biggest Fines

May 25 marked the 2nd anniversary since the world’s strictest data privacy law came into effect. Over the past two years, the European Union’s General Data Protection Regulation (GDPR) has made some significant impacts on the data economy around the world. It has certainly increased the global awareness of data protection and formed a benchmark for database security.

At the time of its inception, there had never been a data privacy law as comprehensive and strict as GDPR. Many were surprised by its rules and regulations and did not expect it to last long. However, the time has proven that not only is it here to stay, its signing into effect triggered many governments around the world to start their own conversations on data privacy. Indeed, since GDPR went into effect, we have seen dozens of governments coming up with their own modified version of the law. These include countries and regions across all continents, such as Japan, California, Brazil, South Korea, Argentina, South Africa, Chile, and Kenya.

Along with GDPR, these new laws and regulations have made data protection a top priority for all organizations that collect or use personal data. Many businesses have done a complete overhaul to their IT systems to meet the security standards of the regulation and managed to eliminate any vulnerabilities in the process. Companies started to hire in-house security experts, and some even set up management positions like Data Protection Officers and GDPR analysts to exclusively deal with data compliance.

Two years into GDPR, what specifically has it done? We thought this would be a good time to review some of the major violations and the reasons behind them.


Two tiers of GDPR fines

Before going into the details of the violations, it would be helpful to understand the two tiers of fines outlined by GDPR.

Tier 1 (lower tier) fine applies to all kinds of failure in having proper database security measures in place, or for not implementing a Data Protection Impact Assessment (DPIA). These are usually revealed following a data breach. The maximum tier 1 fine is set at 2% of a company’s global revenue or 10 million euros, whichever is greater. To avoid this fine, organizations need to have high-security levels, cooperate with authorities, and perform a DPIA. 

Tier 2 (higher tier) fine is related to data collection and usage. Organizations are required to obtain consent before collecting and processing personal data. It also ensures compliance with the eight data subject rights consumers have under GDPR. The maximum tier 2 fine is set at 4% of a company’s global revenue, or 20 million euros, whichever is greater.

Now let us take a look at some of the major violations that resulted in the biggest fines over the past two years.


Top 7 biggest GDPR fines above 10 million euros (as of May 2020)


No. 7: Eni gas e luce –  11,500,000 euros (Italy)

In December 2019, Eni gas eluce, a subsidiary of Eni S.p.A., one of the big seven oil companies in the world, was found for illegal telemarketing and sales activities. It was reported for making advertising calls to non-customers without their consent.

After an investigation by the Italian Data Protection Authority, known as Garante, the company was charged for several offenses, including having no consent management measures in place, purchasing potential customers’ data without their consent, and having no consent management practice in place. All these tier 2 fines added up to a total of 11.5 million euros.

Source: EDPB


No. 6: Deutsche Wohnen – 14,500,000 euros (Germany)

In October 2019, German real estate firm Deutsche Wohnen was reported for a lack of data retention policy. More specifically, it failed to erase the personal data of former tenants, which were considered to be unnecessary data for the company. These data included credit scores and social security information. 

The Berlin Commissioner for Data Protection charged the company for a violation of Article 5 and Article 25 of GDPR, which state that a company does not have the legal ground to store data longer than necessary. A tier 2 fine of 14.5 million euros was issued.

Source: Norton Rose Fulbright


No. 5: Austrian Post – 18,000,000 euros (Austria)

In October 2019, Österreichische Post (Austrian Post), the national postal service provider of Austria, was caught selling their customers’ personal information. With a massive database of 3 million Austrian citizens, the company created separate profiles for them based on their age, address, and political orientation. It then sold these data directly to political parties, who likely purchased the data with the hope of gaining an advantage at the elections.

The Austrian Data Protection Authority (Austrian DPA) issued a tier 2 fine of 18 million euros to the Austrian Post.

Source: Reuters


No. 4: TIM (Telecom Italia) – 27,800,000 euros (Italy)

In January 2020, Italian telecommunications provider TIM was fined for aggressive sales activities that violated GDPR. The company was found to have illegally collected the personal data of non-customers without their consent and retained these data for longer than they should. Some people complained about receiving more than 150 calls from the company per month.

The Italian Data Protection Authority (Garante), handled the case and charged the company with violation of Article 5, Article 6, Article 17, and Article 31, and Article 32 of GDPR, which resulted in a tier 2 fine of 27.8 million euros.

Source: Data Privacy Manager


No. 3: Google – 50,000,000 euros (France)

This was the first large fine issued under the GDPR. As soon as GDPR came into force in May 2018, two privacy rights groups accused Google of illegally processing user data for advertising personalization. Even though Google Ireland serves as the company’s headquarters in Europe, the case was directed at Google France.

The National Commission on Informatics and Liberty (CNIL) of France was in charge of the investigation. CNIL discovered that during the signup process for new Android users, Google’s privacy statements were written in ambiguous language that was hard to interpret and that statements about user data processing were too difficult to find in the agreement. The company was also charged with consent bundling. When a user tries to set up a new smartphone, Google pushes the user to sign up for a Google account as part of the process, or else their smartphone user experience would be worse. To avoid consent bundling, the Google account creation consent should be separated from the smartphone setup consent. Consequently, CNIL charged Google with a tier 2 fine of 50,000,000 euros, the first GDPR fine ever issued by CNIL.

Source: TechCrunch


No. 2: Marriott International – 99,200,396 euros (United Kingdom)

In November 2018, a data breach at Marriott International exposed the personal information of 500 million people, including payment card details, passport details, and dates of birth. The data breach involved unauthorized access to the hotel chain’s reservation database dating back all the way to 2014.

The Information Commissioner’s Office (ICO) of the United Kingdom stated that the data breach could have been prevented if Marriott had taken more steps on securing its IT systems. What’s more, the hotel chain did not inform the affected customers about the data breach in a timely manner. Even though the incident was discovered in September 2018, it was not disclosed until two months later. As a result, the ICO held Marriott International responsible for a tier 1 fine of 99 million euros.

Source: The Guardian


No. 1: British Airways – 183,390,000 euros (United Kingdom)

This is by far the heaviest fine ever charged under a data privacy law. Between August 21 and September 5, 2018, a whopping 500,000 customers who browsed and booked flights on British Airways’ website had their personal and financial information stolen by cybercriminals. Among them, over 380,000 pieces of card payment information were breached. The hackers attacked the airline’s web application and diverted customers to a fraudulent website to obtain their information. 

After investigating the case, the Information Commissioner’s Office (ICO) of the United Kingdom attributed the cause of the data breach to having an outdated IT system, which put the fault on the company. The ICO then issued a massive tier 1 fine of 183.39 million euros, 1.5% of the airline’s annual revenue of 2018.

Source: TechCrunch


Why compliance helps us all

All things aside, let us not forget that data privacy laws like GDPR are not designed to suppress the data economy. Their goal is the exact opposite, which is to help organizations obtain the trust from the public by assuring the secured sharing of personal data and to facilitate the sustainable growth of the data economy.

Penta Security helps businesses around the world with security compliance. Our products and solutions meet the security standards of GDPR and CCPA. They are not only applicable to traditional IT systems, but are also optimized for a variety of cloud and industrial environments, protecting a wide range of businesses, governments, manufacturers, and healthcare providers.

To learn more about Penta Security’s compliance solutions, click here.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt