Only 5 GDPR Fines Handed Out Since 2018

New research from cybersecurity specialists ESET reveals the countries that have handed out the biggest GDPR-related fines, and finds that the UK has issued only five since 2018…

ESET conducted a study that analysed GDPR-related penalties, looking at the biggest fines companies have received, the most common reasons for GDPR fines, and the countries handing out the most and largest fines.

The research found the UK has given out just five GDPR fines since 2018, whereas Spain has handed out 273 over the same period.

The 10 Countries That Have Given Out the Fewest GDPR-Related Fines Since 2018

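| Rank | Country | Number of fines | Average fine | Total amount fined |
|------|---------|-----------------|--------------|--------------------|
| 1 | The Netherlands | 1 | €450,000 | €450,000 |
| 1 | Isle of Man | 1 | €13,500 | €13,500 |
| 1 | Malta | 1 | €5,000 | €5,000 |
| 4 | Slovakia | 2 | Unknown | Unknown |
| 4 | Croatia | 2 | Unknown | Unknown |
| 6 | Portugal | 4 | €106,000 | €424,000 |
| 6 | Iceland | 4 | €21,675 | €86,700 |
| 8 | United Kingdom | 5 | €8,850,000 | €44,250,000 |
| 8 | Estonia | 5 | €60,110 | €300,548 |
| 8 | Latvia | 5 | €48,650 | €243,250 |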

The 10 Countries That Have Given Out the Most GDPR-Related Fines

| Rank | Country | Number of fines | Average fine | Total amount fined |
|------|---------|-----------------|--------------|--------------------|
| 1 | Spain | 273 | €118,831 | €32,440,810 |
| 2 | Italy | 75 | €1,126,584 | €84,493,770 |
| 3 | Romania | 60 | €11,659 | €699,550 |
| 4 | Hungary | 43 | €18,881 | €811,883 |
| 5 | Norway | 31 | €49,527 | €1,535,350 |
| 6 | Germany | 28 | €1,756,673 | €49,186,833 |
| 7 | Sweden | 26 | €697,374 | €18,131,730 |
| 8 | Belgium | 25 | €40,720 | €1,018,000 |
| 9 | Poland | 24 | €86,242 | €2,069,798 |
| 10 | Bulgaria | 20 | €160,535 | €3,210,690 |

The UK & GDPR

Despite being amongst the lowest when it comes to the number of fines, the UK is the second-highest for average fine (€8,850,000), only beaten by Luxembourg (€124,343,383).

Insufficient legal basis for data processing was found to be the most common reason for a GDPR-related fine, with 276 fines.

Amazon has been subject to the biggest GDPR-related bill, at €746 million. Google was second with €50 million and H&M followed with €35.5 million.

Jake Moore, Cybersecurity Specialist for ESET, commented on the findings:

“In today’s data-driven world, there is only so much that people can do to limit the information they share – whether it is online, through mobile communications, or in person. This means it is vital for organisations to be responsible with the data they gather and store. GDPR was introduced for precisely this reason, providing guidelines for good practices and enforcing consequences for bad.

Some of Europe’s biggest companies have fallen foul of GDPR for various reasons. Most of the priciest fines have been given due to an insufficient legal basis for data processing, which is when an organisation is unable to prove that there is a lawful basis that makes their processing of customers’ data ‘necessary’. While the penalties can be huge, it unfortunately doesn’t seem that this acts as a sufficient deterrent, as fines have been issued as recently as September 2021.

It is always interesting to see how different countries interpret and enforce the same legislation in different ways. With Spain issuing 230 fines compared to Germany’s 30, it is clear that GDPR penalties are not necessarily cut and dry. However, what should remain the same throughout each region is a dedicated focus on what really matters – ensuring individuals are in control of their own data and that it is not exploited for profit.”