The 5 Biggest GDPR Fines To Date


  • Author Alex Belsey
  • Published February 14, 2021
  • Word count 480

The General Data Protection Regulation (GDPR) came into force on 25 May 2018, with the intention of giving individuals greater control over their personal data.

Applying across both the European Union and the European Economic Area, it allows supervisory authorities to fine any organisation that breaches it up to €20 million or 4% of its worldwide turnover for the preceding financial year, whichever is higher.

Because non-compliance can be so costly, almost all companies now have processes in place to handle the data of their customers, contacts, and employees properly. Despite this, many businesses have already been penalised for breaching the regulation.

Often this has proved to be a very expensive mistake, as our list of the 5 biggest GDPR fines to date shows.

  1. British Airways – Fined €204,600,000

In July 2019 the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways £183.39 million (around €204.6 million), the largest GDPR penalty proposed to date. The incident, disclosed in September 2018, involved attackers compromising the British Airways website so that customer traffic was diverted to a fraudulent site under their control, where payment and personal details were harvested.

The personal data of around 500,000 customers was stolen, and BA was held liable because the ICO found it had inadequate security measures in place to prevent such an attack. The final penalty, issued in October 2020, was reduced to £20 million.

  2. Marriott International – Fined €110,390,200

After acquiring the Starwood group of hotels and resorts in 2016, Marriott International failed to carry out sufficient due diligence on Starwood's systems or to implement the security measures needed to protect guests' data. Starwood's reservation database had in fact been compromised before the acquisition, and the intrusion went undetected until 2018, by which time the personal data of up to 339 million guest records worldwide had been exposed. In July 2019 the ICO announced a proposed fine of £99.2 million (around €110.4 million); the final penalty, issued in October 2020, was reduced to £18.4 million.

  3. Google – Fined €50,000,000

In January 2019 the French data protection authority (CNIL) fined Google €50 million, finding that it had breached four separate articles of the GDPR.

The breaches related to Google's lack of transparency about how it collected users' data and then used it for personalised advertising. CNIL also found that the information Google gave users about its processing was insufficient and scattered across multiple documents, and that the consent it obtained for ad personalisation was neither specific nor unambiguous, so that individuals did not have the control over their personal data that the regulation requires.

  4. TIM – Fined €27,800,000

On 15 January 2020, the Italian data protection authority (Garante) fined the telecommunications company TIM €27.8 million for an extensive list of GDPR violations.

These included contacting non-customers repeatedly (up to around 150 times per month in some cases) without the necessary consent, excessive data retention, enrolling people in prize competitions without their permission, and repeated leaks of customer data.

Several million people were affected by TIM's overly aggressive marketing practices and its failure to protect customer information.

  5. Austrian Post – Fined €18,000,000

In October 2019 Austria's data protection authority fined the national postal service, Österreichische Post, €18 million (plus a further €1.8 million towards the costs of the proceedings) for collecting the addresses, personal preferences, and likely political affiliations of around 3 million Austrians (roughly one third of the population) and selling this data to private companies and political parties. The fine was later annulled on procedural grounds by Austria's Federal Administrative Court in November 2020.

(Dis)Honourable Mentions

These are some of the other organisations that have fallen foul of the regulators for GDPR violations:

  • 1&1 Telecom
  • Royal Dutch Tennis Association
  • Vodafone Spain
  • PricewaterhouseCoopers
  • La Liga
