Although the GDPR is a European law, the execution is not uniform but is taken over by the data protection authorities of the member states. We would like to give you an overview of all publicly known data protection penalties since May 25, 2018. You can sort the list by clicking on the header.
| Title | Type of Incident | Country | Date | Number of involved data records | GDPR Fine | Sensible Data involved? |
|---|---|---|---|---|---|---|
| Storage period exceeded | Illegal data collection | France | 22/07/2021 | several million | 1,750,000 € | Yes |
| Delete request ignored | violated rights of the data subject | Spain | 03/08/2021 | 1 | 96,000 € | No |
| open contact details | no Data Protection Officer | Germany | 28/01/2021 | unknown | 100 € | No |
| Data stored from critics | France. | 28/08/2021 | over 200. | 400,000 € | Yes | |
| unwanted advertising cookies. | France. | 29/07/2021 | unknown. | 50,000 € | No | |
| Recovery of fictitious debts | violated duty to inform | Spanish | 27/07/2021 | 1 | 60,000 € | No |
| unencrypted data | inadequate data protection | Italy | 02/08/2021 | unknown | 40,000 € | No |
| Insufficient privacy policy | violated duty to inform | Spain | 05/08/2021 | unknown | 6,000 € | No |
| E-mail data freely accessible | inadequate data protection | Great Britain | 08/07/2021 | 550 | 29,183 € | Yes |
| Video surveillance is too detailed | Luxembourg | 13/07/2021 | unknown | 12,500 € | No | |
| Video surveillance of employees customers and passers-by | violated rights of the data subject | Germany | 28/01/2021 | unknown | 9,444 € | No |
| Police database abused for private purposes | Germany | 28/01/2021 | unknown | 600 € | Yes | |
| advertising calls without consent | violated rights of the data subject | Germany | 27/02/2021 | unknown | 260,000 € | No |
| Online shop with outdated software | technical deficiency | Germany | 27/05/2021 | unknown | 65,500 € | No |
| unlawful submissions to general practitioners | technical deficiency | Italy | 20/07/2021 | 48 | 120,000 € | Yes |
| dentist refuses examination | Illegal data collection | Italy | 10/06/2021 | 1 | 20,000 € | Yes |
| Company refuses access to data protection authority | Cooperation refused | Germany | 13/07/2021 | 7,000 € | No | |
| Penalty for video surveillance in swimming facility | Illegal data collection | Germany | 24/03/2020 | unknown. | 12,000 € | No |
| GDPR fine after Facebook posting | Illegal data processing | Austria | 19/10/2020 | unknown | 600 € | Yes |
| Penalty on computer mail order | Illegal data collection | Germany | 08/01/2021 | unknown | 10,400,000 € | No |
| Data protection penalty against Vfb Stuttgart | Illegal data processing | Germany | 10/03/2021 | 70000 | 300,000 € | No |
| Ticketmaster UK Limited – Hacker Attack | Illegal data processing | United Kingdom | 13/11/2020 | 9400000 | 1,392,525 € | No |
| Digital Growth Experts Limited (DGEL) – Promotional Emails | United Kingdom | 22/09/2020 | 16190 | 65,400 € | No | |
| Reliance Advisory Limited – Advertising Calls: 226,403 Euro Penalty Advertising Calls: 226,403 Euro Fine | Illegal data processing | United Kingdom | 27/11/2020 | 15100000 | 226,403 € | No |
| Kebap Restaurant now only has to pay a fine of 1500 euros. | 19/01/2020 | 1,500 € | No | |||
| Hora Credit IFN SA – 14,000 euros fine. | Illegal data processing | Romania | 10/12/2019 | 13,000 € | No | |
| Penalty against Czech bank. | Illegal data processing | Czech Republic | 01/04/2019 | 1 | 9,700 € | Yes |
| Spam Emails: 43.928,00 EUR GDPR fine | Illegal data processing | UK | 08/10/2020 | 9000 | 43,928 € | No |
| 100 EUR GDPR Fine for Bank Branch | Illegal data collection | Austria | 28/05/2020 | 1 | 100 € | No |
| GDPR Penalty against Tax Office | Theft of Data | Bulgaria | 16/07/2019 | 5 000 000 | 2,600,000 € | No |
| Penalty against Financial Institution in Bulgaria | Illegal data processing | Bulgaria | 24/07/2019 | unknown | 5,100 € | No |
| Penalty against Social Security | inadequate data protection | Bulgaria | 24/07/2019 | unknown | 2,500 € | No |
| Penalty after Infringement of the Principle of Purpose Limitation | Illegal data processing | Bulgaria | 23/07/2019 | unknown | 5,000 € | No |
| Penalty against Bulgarian Municipality | Illegal data processing | Bulgaria | 23/07/2019 | unknown | 7,700 € | No |
| Penalty after Cyberattack against Bank | Theft of Data | Bulgaria | 28/08/2019 | 510,000 € | No | |
| Data Processing without Legal Basis – Monetary Penalty | Illegal data processing | Bulgaria | 17/01/2020 | 1 | 500 € | No |
| Penalty against Ministry of the Interior | Illegal data processing | Bulgaria | 08/10/2019 | 1 | 5,000 € | No |
| Request for Information of a Former Employee Ignored | violated rights of the data subject | Bulgaria | 28/10/2019 | 1 | 500 € | No |
| Data Disclosure Denied – GDPR Penalty in Bulgaria | violated rights of the data subject | Bulgaria | 03/09/2019 | 1 | 1,800 € | No |
| Penalty against Telecommunications Company and Its Managing Directors | Illegal data processing | Bulgaria | 03/09/2019 | 1 | 10,000 € | No |
| GDPR Fine Imposed on Tax Office | Illegal data processing | Bulgaria | 03/09/2019 | 1 | 28,000 € | No |
| Penalty against City Councillor | Illegal data processing | Belgium | 25/11/2019 | 654 | 5,000 € | No |
| Another Penalty against Belgian Mayor | Illegal data processing | Belgium | 25/11/2019 | 476 | 5,000 € | No |
| Belgium: Penalty for Incorrect Privacy Policy | violated duty to inform | Belgium | 17/12/2019 | unknown | 15,000 € | No |
| Penalty against Nursing Organization | violated rights of the data subject | Belgium | 17/12/2019 | 1 | 2,000 € | No |
| Fine for German energy provider for illegal telephone marketing | violated rights of the data subject | Germany | 10/12/2018 | thousands | 300,000 € | No |
| Fine for Callcenter for illegal marketing calls | violated rights of the data subject | Germany | 18/12/2018 | over 1.400 | 300,000 € | No |
| Health data accidentally leaked | inadequate data protection | Germany | 06/12/2018 | unknown | 84,000 € | No |
| GDPR fine for private individual | Illegal data processing | Germany | 29/01/2019 | 1 | 119 € | No |
| Fine for university hospital for patient mix-up | inadequate data protection | Germany | 03/12/2019 | 1 | 105,000 € | No |
| GDPR fine for Austrian kebab store | Illegal data collection | Austria | 23/11/2018 | unknown | 1,500 € | No |
| Fine for Vodafone Germany for illegal marketing calls | violated rights of the data subject | Germany | 02/07/2019 | unknown | 100,000 € | No |
| Spain: Cookie-Banner causes 30.000€ fine for Vueling Airlines | technical deficiency | Spain | 24/10/2019 | unknown | 30,000 € | No |
| Fine due to not naming a DPO | no Data Protection Officer | Germany | 09/12/2019 | 0 | 10,000 € | No |
| Hora Credit IFN SA – 14.000 Euro Fine | violated rights of the data subject | Romania | 10/12/2019 | unknown | 14,000 € | No |
| Allseas MARINE S.A. – 15.000 Euro Fine | violated rights of the data subject | Greece | 31/01/2020 | unknown | 15,000 € | No |
| 6000 Euro Fine for SC Enel Energie SA | violated rights of the data subject | Romania | 16/12/2019 | unknown | 6,000 € | No |
| Entirly Shipping & Trading SRL – 10.000 Euro Bußgeld | violated rights of the data subject | Romania | 13/12/2019 | unknown | 10,000 € | No |
| Social worker has to pay 482 Euros | violated rights of the data subject | United Kingdom | 15/01/2020 | 2 | 482 € | No |
| Germany: PayTV channel Sky has to pay a 250.000 Euro data protection fine | violated rights of the data subject | Germany | 23/12/2019 | > 1.000 | 250,000 € | No |
| Hungary: 1.500 Euro Fine for a healthcare facility | violated rights of the data subject | Hungary | 12/11/2019 | 1 | 1,500 € | No |
| Eni gas e luce SpA – 11,5 Mio. Euro data protection fine | violated rights of the data subject | Italy | 17/01/2020 | 7200 | 11,500,000 € | Yes |
| GDPR fine for DSG Retail Ltd | Theft of Data | United Kingdom | 09/01/2020 | 14 million | 587,240 € | No |
| GDPR fine after careless storage of health data | inadequate data protection | United Kingdom | 20/12/2019 | 500.000 | 318,563 € | Yes |
| 9.5 million Eur fine for 1&1 Telekom | inadequate data protection | Germany | 09/12/2019 | 9,550,000 € | No | |
| Vreau Credit S.R.L fined for not reporting a Data Breach | violated duty to inform | Romania | 01/10/2019 | 1177 | 20,000 € | No |
| Raiffeisen Bank SA and Vreau Credit S.R.L fined for inadequate data protection | inadequate data protection | Romania | 01/10/2019 | 1177 | 150,000 € | No |
| Poland: Fine for complicate data deletion for affected people | violated rights of the data subject | Poland | 13/11/2019 | unknown | 47,000 € | No |
| German real estate company hoards data – A GDPR fine follows | technical deficiency | Germany | 01/03/2019 | unknown | 14,500,000 € | No |
| 18 Million Euros GDPR fine for Austrian Post Service | Illegal data processing | Austria | 29/10/2019 | 3 Million | 18,000,000 € | Yes |
| GDPR Fine for merchant | Illegal data collection | Belgium | 19/09/2019 | unknown | 10,000 € | No |
| Punishment against medical company | violated duty to inform | Austria | 22/08/2019 | unknown | 50,000 € | No |
| Online-Shop Morele.net – 2.2 Mio. customer records stolen | Theft of Data | Poland | 20/09/2019 | 2.2 million | 644,000 € | Yes |
| GDPR fine for the new owner of a food delivery platform in Berlin | violated rights of the data subject | Germany | 23/09/2019 | unknown | 195,407 € | No |
| Hungary: GDPR fine for political party | Theft of Data | Hungary | 05/04/2019 | 6.000+ | 34,375 € | No |
| Austria: Footballtrainer films naked players | Illegal data collection | Austria | 01/07/2019 | unknown | 11,000 € | No |
| Lithuania: Data Breach at a payment service provider | Theft of Data | Lithuania | 16/05/2019 | 9.000 | 61,500 € | Yes |
| Poland: GDPR penalty for sports association | Illegal data processing | Poland | 25/04/2019 | 585 | 12,950 € | No |
| Penalty against private person in Germany | Illegal data processing | Germany | 13/02/2019 | 160 | 2,628 € | No |
| Punishment against game website | technical deficiency | Czech Republic | 28/02/2019 | unknown | 580 € | No |
| Penalty for denied data subject request | violated rights of the data subject | Czech Republic | 26/02/2019 | 1 | 770 € | No |
| Penalty against car rental | violated duty to inform | Czech Republic | 04/02/2019 | unknown | 1,200 € | No |
| Penalty for missing file shredding | technical deficiency | Czech Republic | 04/02/2019 | 300 | 1,200 € | No |
| Penalty for Facebook posts | violated rights of the data subject | Czech Republic | 10/01/2019 | 1 | 400 € | No |
| Penalty for not deleting data | violated rights of the data subject | Czech Republic | 25/10/2018 | 1 | 400 € | No |
| Penalty for missing deletion deadlines | Illegal data processing | Denmark | 03/06/2019 | 385000 | 201,000 € | No |
| First GDPR penalty in Denmark | Illegal data processing | Denmark | 25/03/2019 | 8873333 | 161,000 € | No |
| Penalty against car insurance company | technical deficiency | France | 18/07/2019 | 144000 | 180,000 € | No |
| Penalty against real estate office | technical deficiency | France | 28/05/2019 | 29440 | 400,000 € | No |
| Fine for late notification of a data breach | violated duty to inform | Germany | 01/02/2019 | unknown | 20,000 € | No |
| Penalty for processing of personal data | Illegal data processing | Greece | 30/07/2019 | unknown | 150,000 € | No |
| Penalty against telephone provider | Illegal data processing | Bulgaria | 26/02/2019 | 1 | 27,000 € | No |
| Punishment against doctor’s office | Illegal data processing | Bulgaria | 08/04/2019 | 1 | 500 € | Yes |
| Punishment against Bulgarian consulting company | Illegal data processing | Bulgaria | 26/03/2019 | 1 | 5,000 € | No |
| Penalty for denied data disclosure | violated duty to inform | Bulgaria | 22/02/2019 | 1 | 500 € | No |
| Fine against bulgarian bank | Illegal data processing | Bulgaria | 04/12/2018 | 1 | 500 € | No |
| Fine against public utility company | Illegal data processing | Czech Republic | 06/05/2019 | 1 | 230 € | No |
| Penalty against Dutch hospital | technical deficiency | Netherlands | 16/07/2019 | unknown | 460,000 € | No |
| Fine against restaurant | Illegal data collection | Austria | 23/11/2018 | unknown | 400 € | No |
| Fine against fastfood restaurant | Illegal data collection | Austria | 23/11/2018 | unknown | 1,800 € | No |
| British Airways faces 20 million EUR GDPR fine after a data breach | Theft of Data | United Kingdom | 16/10/2020 | 500000 | 22,428,000 € | Yes |
| Fine against hospital | technical deficiency | Czech Republic | 30/09/2018 | unknown | 1,550 € | Yes |
| Fine against Life at Parliament View Limited | Theft of Data | United Kingdom | 19/07/2019 | 18610 | 90,000 € | No |
| Fine against European university | Illegal data processing | Cyprus | 04/07/2018 | unknown | 500 € | No |
| Fine against Ikea | Illegal data processing | Cyprus | 04/07/2018 | unknown | 500 € | No |
| Illegal video surveillance | Illegal data collection | Cyprus | 21/09/2018 | unknown | 5,000 € | No |
| Fine because of lost medical record | technical deficiency | Cyprus | 15/02/2019 | 1 | 5,000 € | No |
| Erneut Strafe gegen Zeitung | Illegal data processing | Cyprus | 09/01/2019 | 2 | 10,000 € | No |
| Fine against trading platform | Illegal data processing | Cyprus | 28/03/2019 | 6 | 3,400 € | No |
| Fine against insurance company | Illegal data processing | Cyprus | 13/03/2019 | 8 | 4,000 € | No |
| Punishment against Marriott | Theft of Data | United Kingdom | 30/10/2020 | 339 000 000 | 20,347,230 € | No |
| Punishment against law firm | technical deficiency | Romania | 15/07/2019 | unknown | 3,000 € | No |
| Italy: Fine for Facebook | Illegal data processing | Italy | 01/07/2019 | 214.077 Profiles | 1,000,000 € | No |
| Fine against Hotel from Romania | Illegal data processing | Romania | 02/07/2019 | 46 | 15,000 € | No |
| Punishment against Unicredit Romania | technical deficiency | Romania | 27/06/2019 | 337 042 | 130,000 € | No |
| Germany: GDPR fine for Police Officer | Illegal data processing | Germany | 18/06/2019 | 1 | 1,400 € | Yes |
| France: GDPR violance in Consultation Office | technical deficiency | France | 01/10/2018 | unknown | 20,000 € | Yes |
| Spain: Soccer App spies on Fans | violated duty to inform | Spain | 12/06/2019 | unknown | 250,000 € | No |
| Italy: Energy provider violates GDPR | violated duty to inform | Italy | 01/04/2019 | 2,018,000 € | No | |
| Fine against Restorative Justice Caseworker | Illegal data processing | United Kingdom | 06/06/2019 | unknown | 680 € | No |
| Belgium: Mayor violates GDPR for voting campaigns | Illegal data processing | Belgium | 28/05/2019 | unknown | 2,000 € | No |
| Fine against individual in Austria | Illegal data collection | Austria | 27/09/2018 | unknown | 330 € | No |
| Cyprus: GDPR fine for Infocredit | Illegal data processing | Cyprus | 22/05/2018 | 0 | 25,000 € | No |
| City of Bergen was fined 170 000€ | Theft of Data | Norway | 29/03/2019 | 35 000 | 170,000 € | Yes |
| Fine against Sigma Live Ltd | Illegal data processing | Cyprus | 12/04/2019 | 1 | 5,000 € | No |
| Fine against newspaper | Illegal data processing | Cyprus | 12/04/2019 | 5 | 3,000 € | No |
| Fine against bank from germany | Illegal data processing | Germany | 01/01/2019 | unknown | 50,000 € | No |
| GDPR fine against Rousseau | technical deficiency | Italy | 17/04/2019 | unknown | 50,000 € | No |
| Punishment for Carphone Warehouse for lack of data protection | Theft of Data | United Kingdom | 18/01/2019 | 3 348 869 | 460,000 € | No |
| Punishment for mistaken publication of health data | technical deficiency | Germany | 12/01/2019 | unknown | 80,000 € | Yes |
| ICO fines Bounty Limited UK | Illegal data processing | United Kingdom | 11/04/2019 | 34 267 889 | 465,000 € | No |
| Penalty against Uber (NL) | Theft of Data | Netherlands | 27/11/2018 | 174 000 | 600,000 € | No |
| Punishment against True Vision Productions | violated duty to inform | United Kingdom | 10/04/2019 | 1990 | 140,000 € | Yes |
| Punishment against British Bible Society | Theft of Data | United Kingdom | 31/05/2018 | 417 000 | 115,000 € | No |
| Fine against Bisnode Polska | violated duty to inform | Poland | 26/03/2019 | 5 700 000 | 220,000 € | No |
| Punishment for inadmissible video surveillance | Illegal data collection | Austria | 20/12/2018 | unknown | 2,200 € | No |
| Penalty for denied data disclosure | violated duty to inform | Hungary | 06/03/2019 | 1 | 3,200 € | No |
| Punishment against Jusos Baden-Württemberg | Illegal data processing | Germany | 25/03/2019 | 168 | 2,500 € | No |
| Penalty against betting shop | Illegal data collection | Austria | 12/09/2018 | unknown | 5,280 € | No |
| Punishment against Uber (FR) | Theft of Data | France | 19/12/2018 | 1 400 000 | 400,000 € | No |
| Punishment against Bouygues Telecom | technical deficiency | France | 27/12/2018 | 2 176 236 | 250,000 € | No |
| Punishment against hospital | technical deficiency | Portugal | 17/07/2018 | unknown | 400,000 € | Yes |
| Punishment against Uber | Theft of Data | United Kingdom | 26/11/2018 | 2 700 000 | 440,000 € | No |
| Penalty against Facebook Ireland | Illegal data processing | United Kingdom | 24/10/2018 | 87 000 000 | 575,000 € | Yes |
| Punishment against Bupa Insurance Services Ltd | Theft of Data | United Kingdom | 26/09/2018 | 1 500 000 | 200,000 € | No |
| Penalty against Equifax Ltd | technical deficiency | United Kingdom | 19/09/2018 | 15 000 000 | 575,000 € | No |
| Punishment against the commission of inquiry against child abuse | Illegal data processing | United Kingdom | 05/07/2018 | 70 | 230,000 € | Yes |
| Punishment against the police of Gloucestershire | Illegal data processing | United Kingdom | 11/06/2018 | 56 | 92,000 € | Yes |
| CNIL imposes 50 million penalty over Google LLC | violated duty to inform | France | 21/01/2019 | unknown | 50,000,000 € | No |
| Punishment against Kolibiri Image | Illegal data processing | Germany | 17/12/2018 | unknown | 5,000 € | No |
| Punishment against Heathrow Airport | technical deficiency | United Kingdom | 08/10/2018 | 60 | 135,000 € | Yes |
| Penalty against mall group | Theft of Data | Czech Republic | 03/10/2018 | 735 000 | 60,000 € | No |
| Penalty against Optical Center | technical deficiency | France | 07/06/2018 | 300 000 | 250,000 € | Yes |
| GDPR penalty against knuddels.de | Theft of Data | Germany | 22/11/2018 | 330 000 | 20,000 € | No |
Additional fines
If you have information about a GDPR fine, which is not on our list, please let us know! Name und E-Mail address are optional.
Thank you!