GDPR fines

While the GDPR was established to help ensure a more regulated and restrained way to collect, process and retain data, one of the key ways it ensures companies follow the requirements is by fining them with financial penalties if they do not. 

Here, in this article, we look at past examples of GDPR fines and penalties, but also outline what exactly the fines or penalties are. In doing so, you can gain a fuller understanding of what a GDPR breach fine can really cost your firm. Some of the fines make for eye watering reading - so much so that you will find a true motivator in ensuring your GDPR compliance procedures and processes are watertight. 

What are GDPR fines and penalties?

GDPR fines and penalties are financial payments that are required from companies when they have been found to be breaking the rules of the GDPR. They are enforced because compliance to the GDPR is legally required by all companies that deal with data collection and data processing who do business in Europe. 

Fines are imposed when authorities uncover a GDPR infringement, though some authorities choose different tactics before imposing a final penalty. Those actions can include a warning, banning a company’s data processing, demanding deletion or modifications of data and stopping any data transfer to other countries.

What is the maximum GDPR fine a company can receive? 

The GDPR stipulates that there are two levels of fines it can impose on a company who fails to uphold the GDPR framework in some way. 

Firstly, on its lower level of fines or penalties, it can charge companies up to €10million or 2% of a company’s entire annual turnover (whichever is greater) if it breaks the rules with regards to the following articles:

• 8 (child’s consent conditions)
• 11 (illegal processing of data that does not warrant identification)
• 25 - 39 (what data processors or controllers are legally required to do when dealing with data)
• 42 & 43 (certification and certification bodies)
  ‍

Secondly, for its higher level of GDPR fines, it can charge up to €20 million or 4% of a company’s entire annual turnover (whichever is greater) if it breaks the rules with regards to the following articles

• 5 (breaking data processing principles)
• 6 (if found to be unlawful in the processing of data)
• 7 (not meeting the conditions for lawful consent)
• 9 (improper processing of high risk data)
• 12- 22 (inappropriate conduct with regards to a data subject’s rights)
• 44-49 (illegal transferal of data to other countries or other international organisations)
  ‍

The biggest GDPR fines of all time

While it is all well and good knowing what the regulators could impose on you in terms of a fine, some real life examples can also help emphasise just how important GDPR compliance is. The majority of the names we list below are well known, so it goes to show just how much the regulatory authorities believe in the adherence to the framework - authorities are happy to make an example of anyone.

La Liga

La Liga was hit with a fine that will do nothing to diminish those who worry about how smartphones can be used to track our every move. The authorities in question found that La Liga’s app was not only using its technology to provide users with updates on games and scores, but also to listen in on its users. The ultimate intent was to spy on what was going on around those that were using the app to clamp down on illegal streaming of games. However, authorities found this to be a breach of the GDPR and imposed a €250,000 fine.

British Airways

Local authorities found that there was a data breach due to poor security protocols surrounding British Airways’s app and website. 

In fact, hackers managed to input a piece of coding  into the company’s online technology so that almost half a million people were directed to a fake website. That website asked for personal and sensitive information which the unsuspecting audience divulged. As a result, hackers managed to acquire credit card details, usernames and passwords amongst many other pieces of data. 

At present, BA have had to pay £20 million as it was found not to have sufficient security measures in place to protect its users or data. 

H&M

The clothing giant was hit with one of the biggest fines on record in 2020. It has been ordered to pay just over £32 million for violating parts of the GDPR by misleading employees during back-to-work interviews after a period of sick leave. Those interviews were then accessible to H&M managers without those employees knowing. As a result, those managers were able to learn a great deal about employees - from the inconsequential to emotionally fraught issues. The authorities found H&M to be in breach of the GDPR’s data minimisation principle as well as data misappropriation and security. 

Why GDPR fines can vary so much

What is clear to see from the examples we have mentioned above is the sheer scale of fines, but also the difference in them. The reason being is the GDPR aims to be proportionate to the scale and importance of the breach involved. 

To impose fines that are proportionate to how the rules of the GDPR were broken, authorities look at the following factors: 

• Gravity and nature - i.e what happened in the overall scheme of things
• Intention - was the breach down to negligent behaviour or a conscious choice
• Mitigation - did the company do anything to minimise the data breach
• Precautionary measures - what protocols the company had in place
• History - does the company have any past GDPR infringements or other past data protection laws
• Cooperation - did the company helpfully work alongside the authorities to help them in their investigation 
• Data category - what was the type of information that was leaked or hacked
• Notification - did the company report the breach to the authorities
• Certification - did the company stick to approved procedures? 
• Other factors - are there any other factors that should be taken into account when investigating the breach. 
  ‍

What a GDPR breach can really cost - key takeaways

The GDPR may be, to some, a complicated framework that adds more administration to an already heavy workload. However, remember - not only can you be fined heavily if you do not comply with them properly, you are also somewhat missing the point of the framework altogether.

Something that some companies forget is that the GDPR improves data reliability and therefore can improve decisions made from that data. Without reliable information that is held securely, individuals are far less likely to to impart it and companies will find it less worthwhile to work with. Inefficiencies start to escalate as a result and all because data was collected and handled incorrectly. 

Plus, the framework does not have to be complicated. Automating data collection procedures and data processing through software, like ours at Contractbook, helps take out that administrative burden. Additionally, it ensures the very accuracy of data that the GDPR stipulates as one of its principles. 

Ultimately, as a result, it can pay to pay for software to help streamline and automate your GDPR compliance processes. With the risk of incurring a fine of an unknown amount, it can be more than worth it. 

‍