
The 7 biggest GDPR fines since 2018

On the 14th April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR), a new directive to replace the outdated Data Protection Directive of 1995.

Since the democratisation of the internet during the '90s, new information and communication technologies have emerged, and eventually the legislation on data protection had to be reviewed.

At the time of its introduction, the GDPR was a revolution in data protection law, and it is still considered the reference for countries outside the European Union.

After a moratorium of 2 years, the GDPR was finally enforced on the 25th May 2018, and on the 17th July 2018 a public hospital in Portugal became the first organisation to receive a fine, of €400,000, for non-compliance with the GDPR.

As of today, 809 organisations have been fined across Europe, and the sum of all the fines reaches a staggering €1,279,553,052.

The graphs below show the evolution of the number of fines and the sum of all fines.



The first graph is the number of organisations fined since 2018, and its progression is quite linear, whereas the second graph shows the sum of fines. There are two noticeable peaks on the second graph: a huge one in July 2021 and a relatively smaller one in September 2021. These are due to the biggest and the second biggest GDPR fines until now.

As a reminder, under the GDPR, a non-compliant organisation risks a fine of up to €20M or 4% of its global turnover (whichever is the bigger), and there are multiple factors on which organisations might be fined.

The table below is a summary of the seven biggest GDPR fines as of today.

| Name of Organisation | Country of incorporation | Sector of activity | Amount of fine in € | Reason for fine |
| --- | --- | --- | --- | --- |
| Amazon Europe Core S.à.r.l. | | | | Non-compliance with general data processing principles |
| WhatsApp Ireland Ltd. | | | | Insufficient fulfilment of information obligations |
| Google LLC | | | | Insufficient legal basis for data processing |
| H&M Hennes & Mauritz Online Shop A.B. & Co. KG | | | | Insufficient legal basis for data processing |
| TIM (telecommunications operator) | | | | Insufficient legal basis for data processing |
| British Airways | | Airline | | Insufficient technical and organisational measures to ensure information security |
| Marriott International, Inc | | | | Insufficient technical and organisational measures to ensure information security |

The €20M fine received by Marriott is a lot, but it looks small compared to the €746M fine received by Amazon or even compared to the €225M received by WhatsApp.

Aside from the huge difference in the value of the fines, there are also a lot of other noticeable differences. For example, the countries of incorporation, the sectors of activity and even the reasons for the fines are different.

For the time being, no organisation outside the EU zone has been fined for non-compliance with the GDPR. It is only a matter of time before this happens, as any organisation processing personal data regarding EU citizens has to comply with the regulation.

For example, lawyers based in Mauritius who defend the interests of their European clients have to comply with the regulation. Hotels that receive EU citizens as tourists have to comply with the regulation.

At Ascentrix Consulting, we can help you secure your Information Security Management System and implement the requirements of the GDPR for your organisation. If you wish to have an assessment of your level of compliance with the regulation, please contact us.

If you want to know more about the 7 principles on which the GDPR is based, click on the link below.

