PrivacyAffairs,
a leading source of data privacy and cybersecurity research, has issued a
report tallying fines issued under the 2018 General Data Protection Regulation
(GDPR). It also lists the countries where the highest fines were dealt, as well
as the nations with the most punishable incidents.
According to
the research firm, since its rollout in May 2018, the GDPR has claimed 340
‘victims’ for unlawful data protection practices. The report notes that every single one of the
28 EU nations, including the now Brexited United Kingdom, has issued at least
one penalty under the new data protection legislature.
“Whilst GDPR
sets out the regulatory framework that all EU countries must follow, each
member state legislates independently and is permitted to interpret the
regulations differently and impose their own penalties to organisations that
break the law,” according to PrivacyAffairs.
The report
breaks down the nations with the highest fines and those with the most fines as
follows:
Nations
with the highest fines:
France:
€51,100,000
Italy:
€39,452,000
Germany:
€26,492,925
Austria:
€18,070,100
Sweden:
€7,085,430
Spain:
€3,306,771
Bulgaria:
€3,238,850
Netherlands:
€3,490,000
Poland:
€1,162,648
Norway:
€985,400
Nations
with the most fines:
Spain: 99
Hungary: 32
Romania: 29
Germany: 28
Bulgaria: 21
Czech
Republic: 13
Belgium: 12
Italy: 11
Norway: 9
Cyprus: 8

France tops the list of highest fines because of a €50 million fine issued by French authorities to Google in January 2019 on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” By contrast, the smallest fine to date under the GDPR is a €90 penalty issued to a Hungarian hospital on November 18, 2019.
UK
organizations have been issued seven fines by the Information Commissioner’s
Office, totaling over €640,000.Two potentially massive fines, for Marriott
International (€204,600,000) and British Airways (€110,390,200) are still under
review.
The report
also tracks the highest fines issued to private individuals, including a €20,000
penalty issued to an individual in Spain for unlawful video surveillance of
employees and an €11,000 penalty issued to a soccer coach in Austria who was
found secretly filming female players while they were taking showers. It also
mentions a €2,500 fine issued to a Germany resident who sent emails to several
recipients where each could see the other recipients’ email addresses.
Readers
interested in learning more about the fines dealt under the GDPR in the past
two years can access the full research here.