The General Data Protection Regulation (GDPR) is the world’s toughest rule on privacy and safety.  While it has been drafted and approved by the European Union (EU), it imposes obligations on organizations wherever they are, as long as they target or collect data relating to individuals in the EU. 

On May 25, 2018, the legislation was put into effect.  The GDPR would place harsh fines on those who breach its standards of privacy and protection, with penalties approaching tens of millions of euros. 

This article narrates, how many penalties were levied in 2020, which businesses were hit with the biggest fines, why, and how the breach could have been avoided. 


At a glance: 

  • Google received the most important fine to this point in 2020 – €50 million ($56.6 million)
  • Over 220 fines are handed out for GDPR violations within the first ten months of 2020
  • The total amount of fines issued up to now in 2020 exceeds €175 million
  • Between 2018 and 2019, the typical number of fines issues per month increased by 260%
  • July 2020 saw the best number of fines issued during a single month since the GDPR was introduced – a total of 45
  • Only 20% of US, UK and EU companies are fully GDPR compliant
  • Misdirected emails are the first reason for data loss reported to the knowledge Commissioner’s Office (ICO)

GDPR fines are being issued more than ever

More than 220 fines for GDPR breaches have been handed out as of October 2020. This number is expected to grow, based on patterns from the last 24 months.  An average of 5 fines was handed out per month between July 2018 and June 2019. 

But, an average of 18 fines was given out per month between July 2019 and June 2020. That’s an increase of 260 percent.  And with 45 fines imposed for non-compliance in October 2020 alone, it is clear that information security and compliance will be considered seriously by the EU authorities.  Research shows that only 20% of US, UK, and EU businesses are completely compliant with the GDPR, and worse still, a staggering 30 percent of businesses have yet to launch their GDPR enforcement initiatives. 

However, maintaining compliance is important particularly as organizations can be fined for a violation up to EUR 20 million (just short of $23 million) or 4 percent of annual global turnover (whichever is larger). 

The largest 2020 GDPR fines so far 

2020 has witnessed the fines breaking records set in previous years.  Here are the biggest 2020 GDPR penalties so far: 


1. Google – €50 million ($56.6 million) 

Although the fine from Google is actually from last year, the firm filed an appeal against it. 

However previous month, judges at the highest court of administrative law in France denied Google’s appeal and upheld the exorbitant penalty. 

What is the Violation?

With this GDPR fine, Google was hit with the biggest one to date, for numerous violations under Articles 5, 6, 13, and 14.  Although the breach is slightly different, the long and short of it is that Google was not open in revealing how ad targeting data was obtained and used.

How the breach(s) could have been prevented?

Google could have provided users with more detail in its consent policy and should have given them more power over the processing of their personal data.


2. H&M — €35 million ($41 million)


The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M EUR 35,258,707.95 on October 5, the second-biggest fine ever imposed by the GDPR. 

What is the Violation?

The GDPR breaches by H&M included the “monitoring of several hundred workers.” They were forced to attend a return-to-work conference after employees took a vacation or sick leave.  Any of these meetings have been registered and available to over 50 managers of H&M.  Senior H&M employees acquired “a comprehensive knowledge of the private lives of their employees, ranging from very innocuous information to family concerns and religious views.” This “detailed profile” was used to help assess the performance of employees and make employment decisions. 

How the breach(s) could have been prevented

Specifics of the decision have not been released, but the severity of the infringement by H&M is clear.  H&M appears to have breached the , Art. 9 GDPR, data minimization principle of the GDPR: ‘do not process personal information, particularly sensitive data on the health and beliefs of people, unless you need to for a particular reason’. H&M should also have put strict access controls on the data, and this information should not have been used by the company to make decisions about the jobs of people. 


3. TIM – €27.8 million ($31.5 million)

On 15 January 2020, just two weeks into the new year the Italian telecommunications operator TIM (or Telecom Italia) was fined EUR 27.8 million GDPR by Garante, the Italian Data Protection Regulator, for a number of offenses and infringements that have accrued in recent years. 

What is the Violation?

The breaches of TIM include a number of criminal activities, most of which stem from an excessively aggressive marketing campaign.  Millions of people, some of whom were on non-contact and exclusion lists were bombarded with advertising calls and unsolicited emails. 

How the breach(s) should have been prevented

TIM could have more closely handled data subject lists and created unique opt-ins for various marketing activities. 

4. British Airways – €22 million ($26 million)


The Information Commission Office reached British Airways in October 2020 with a fine of $26 million for a violation that took place in 2018.  This is slightly less than the fine of $238 million that the ICO initially said it was going to issue back in 2019. 

What is the Violation?

So, back in 2018, what happened? The schemes of  British Airways were compromised. 400,000 clients were affected by the breach and hackers got their hands on logging in data, payment card information, and PI such as the names and addresses of travelers. 

How the infringement(s) could have been avoided?

The attack was preventable, according to the ICO,  but BA didn’t have enough security measures in place to protect their systems, networks, and data. 

In truth, at the time of the breach, they didn’t even have basics like multi-factor authentication in place. In the future, airlines should adopt a data-first approach to security, invest in security solutions, and ensure that strict GDPR data privacy policies and procedures are in place.

5. Marriott – €20.4 million ($23.8 million)

While this is a steep fine, it’s actually significantly lower than the ICO originally intended $123 million fine. 

What is the Violation?

What happened, then? 

After the hotel chain’s guest reservation database was compromised, 383 million guest records (30 million EU residents) were exposed.  PI was exposed, such as the names, addresses, passport numbers, and payment card information of guests. 

Note: The hack occurred in 2014 as part of the Starwood Community reservation scheme.  While Starwood was acquired by Marriott in 2016, the hack was not identified until September 2018.

How the violation(s) could have been avoided?

The ICO found that after acquiring Starwood, Marriott failed to perform adequate due diligence. 

With a better data loss prevention (DLP) approach and the use of de-identification techniques, they should have done more to secure their systems. 

6. Wind — €17 million ($20 million)

Wind Tre GDPR Fines 2020

On 13 July 2020. due to its illegal direct marketing practices, the Italian Data Protection Authority levied a fine of EUR 16,729,600 on the telecommunications firm Wind.  After Italy’s regulator received complaints about Wind Tre’s marketing communications, the enforcement action began. 

What is the Violation?

Without their permission, Wind allegedly spammed Italians with advertisements and given the incorrect contact information, leaving customers unable to unsubscribe.  The regulator also found that Wind’s mobile apps pressured users to consent to targeted marketing and location monitoring and that unauthorized data collection practices were carried out by its business partners. 

How the infringement(s) could have been avoided?

Prior to using people’s contact information for direct marketing purposes, Wind could have formed a legitimate legal basis. This would also have meant securing the consent of customers unless it could prove that it was in its ‘legitimate interests’ to submit marketing materials.  It should have ensured customers have a simple way to unsubscribe for whatever reason stated for direct marketing. Furthermore, the privacy policy of the organization should have been correct and up to date. 


7. Google – €7 million ($7.9 million)

For Google, it has not been a good year. 

What is the Violation?

In March, Google was fined by the Swedish Data Protection Authority of Sweden (SDPA) for neglecting to delete a pair of listings of search results under the European ‘right to be forgotten’ GDPR regulations that the SDPA directed the company to do in 2017. 

How the infringement(s) should have been avoided?

Google could have fulfilled the data subjects’ rights, their right to be forgotten in the first place. This is regarded as the right to erasure as well. How? “By “ensuring a mechanism was in place to reply without unnecessary delay and within one month of receipt of requests for erasure. 

8. AOK (Health Insurance) — €1.24 million ($1.5 million)

AOK Health Insurance GDPR Fines

On 30 June 2020, a fine of EUR 1,24 million was levied on the health insurance firm Allgemeine Ortskrankenkasse (AOK) by the Data Protection Authority of Baden-Wuerttemberg, Germany.  AOK developed contests and lotteries using the personal information of its customers, including details of their health insurance. This knowledge was also used by the firm for direct marketing. For this, AOK tried to get approval, but it ended up selling to some users who did not agree. 

What is the Violation?

The regulator found that without establishing a legal basis, the company had sent marketing communications to people. In order to ensure that they only sent advertising to those who agreed, AOK also failed to implement adequate technical and organizational privacy safeguards. 

How the infringement(s) could have been avoided?

What is the AOK case’s main takeaway? When sending direct advertising, be very careful. If consent was required from people, then it would have been prudent to store up-to-date records of those who have consented. 


9. BKR (National Credit Register) — €830,000 ($973,000)

What is the Violation?

The Dutch Data Protection Authority fined the Bureau Krediet Registration (‘BKR’) €830,000 on 6th July 2020, for charging individuals for digitally accessing their personal information.  BKR has permitted clients to access their own personal information free of charge on paper, but only once a year.  BKR will be appealing the fine. 

How the infringement(s) could have been avoided?

BKR should not have charged individuals for accessing their personal information and should not have imposed a limit of once a year. 

The GDPR is clear that only if a person’s request is “manifestly unfounded or excessive” can you charge for access to personal information or refuse access. 


10. Iliad Italia — €800,000 ($976,000)


On 13 July, the Italian Data Protection Authority fined €800,000 for the unlawful processing of personal information of its users by telecoms company Iliad Italia in numerous ways.

What is the Violation?

One issue was the collection of consent by Iliad for its marketing activities, which was found by the regulator to have been ‘bundled’ with an acknowledgment of the terms and conditions of the company. Iliad also failed to securely store the communication data of its users. 

How the breach(s) could have been avoided?

Consent is defined very narrowly under the GDPR.  It should make it specific to a specific activity while seeking the consent of a person.  For instance, by asking individuals to agree to market and sign a contract using one tickbox, do not “bundle” the consent requests. 

One of the cornerstones of GDPR is data security. It appears that Iliad has failed to enforce proper access controls on the personal information of its users. It should have made sure that personal data is only available on a need to know basis. 

Employee_FingerPrint_GDPR_2020 _Fines

11. Unknown – €725,000 ($821,600

What is the Violation?

The Dutch Data Protection Authority issued its largest fine to date in April 2020, to a so-far unknown company for unlawfully using fingerprint scans of employees for its records of attendance and timekeeping. The breach occurred over the course of 10 months. 

Note: Biometric data, such as fingerprints, are classified as sensitive personal data under the Article 9(1) of the GDPR and are subject to stricter protection. 

How the violation(s) could have been avoided?

The company should have had a legitimate, legitimate reason to collect fingerprints from employees.  They should also have had technical measures in place to process the data and a clear data deletion process in place. 

How can databrackets help you?

databrackets’ certified privacy and security professionals can help companies handling EU data, comply with the GDPR compliance requirement most efficiently and cost-effectively, by leveraging databrackets’ SaaS assessment platformawareness training, policies, and procedures and consulting expertise.

databrackets recommends companies conduct comprehensive GDPR compliance assessment on a yearly basis to prevent breaches and fines.

To learn more about our GDPR services, visit us at

Last Updated on January 25, 2021 By databracketsIn Events