Published on: 04/12/2019

#Data Protection

The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.  Now, as we celebrate the GDPR’s 18-month birthday, it’s a good opportunity to take a look at some of the largest fines imposed to date and where in the EU we are seeing these.

The United Kingdom
The UK has issued notices of intent which would see it imposing the two highest fines so far!

8 July 2019, British Airways, €204,600,000.00.  The ICO has issued an intention to fine only at this stage and has been issued as a result of a failure to adequately protect personal data. Users of British Airways' website were diverted to a fraudulent site by hackers. Through this false site, details of about 500,000 customers were harvested. This case is currently being appealed by British Airways.   

9 July 2019, Marriott International, €110,390,200.00. Again, the ICO has announced an intention to fine only at this stage.  According to the ICO, the systems of Marriot’s subsidiary, Starwood hotels group were allegedly compromised in 2014. This was left undiscovered until 2018. The personal data of approximately 339 million guests was allegedly exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents). The ICO’s investigation found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

France currently holds the record for the highest fine actually imposed at €50,000,000.  

21 January 2019, Google, €50,000,000.  CNIL imposed this fine on Google for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.’ CNIL said that the ‘users are not able to fully understand the extent of the processing operations carried out by Google’ as the essential information was spread across numerous documents and difficult to access. CNIL went on to state that Google had failed to obtain a valid legal basis to process user data and had the “customised ad” boxes pre-ticked for consumers, therefore not allowing valid consent.

23 October 2019, Austrian Post, €18,000,000.  DSB issued Austrian Post with this fine as it had created profiles for over 3 million people which included details such as their addresses, personal preferences/habits and possible political allegiances which it then sold to organisations including political parties.

30 October 2019, Deutsche Wohnen SE, €14,500,000.  The Data Protection Authority of Berlin issued this fine against Deutsche Wohnen SE as it had stored personal data in its archiving system but did not have a way to erase the data when it was no longer necessary.  This personal data included financial information such as payslips, tax data, social security data, and bank statements. This breach was flagged in 2017 by the Berlin Data Protection Authority, but there was no evidence of it having been remedied by March 2019.  This case is currently being appealed.

28 August 2019, National Revenue Agency, €2,600,000. KZLD imposed this fine as a result of the National Revenue Agency failing to adequately protect personal data, resulting in the theft of data relating to 6 million people following a cyber-attack.

31 October 2019, UWV, €900,000.  AP imposed this fine due to inadequate security measures in respect of UWV’s online employer portal which allowed wide access to health data.

10 September 2019,, €644,780.  UODO imposed this fine as failed to put adequate security and organisational measures in place which led to over 2 million individuals’ personal data being accessed without authorisation.

Since the introduction of GDPR in 2018, many organisations have been quick to adapt and become compliant. However, it is clear that even companies with significant resources have fallen foul of the new accountability requirement of the GDPR and are now facing substantial fines. Businesses should be proactive in their efforts to ensure that all departments look closely at the data they collect and how they handle it.

Click here to contact Clarkslegal’s Data Protection team.


This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.