4 years of GDPR: 1.6 billion euros in fines, 1,000 violations

A brief summary after 4 years of GDPR: data protection authorities have sanctioned more than 1,000 violations with fines of 1.6 billion euros. The public service and SMEs show a clearly visible lack of compliance in data protection matters. In Germany, the violations punished primarily affect SMEs.

On the occasion of the anniversary of the European General Data Protection Regulation (GDPR), the data protection experts from heyData looked back at all GDPR fine proceedings and took stock. Since 2018, the responsible European data protection authorities have punished a total of 1,072 data protection violations with fines of more than 1.6 billion euros.

A striking number of data protection violations in the public sector

Gaps in data protection were most often discovered in industry and commerce and punished by the authorities. These sectors account for 244 violations and fines worth 796 million euros. Companies from the media and telecommunications industry were responsible for 178 data protection violations with fines totaling 613 million euros. The high number of data protection offenses in the public service and education is striking. With 141 violations and fines of 19 million euros, the civil service ranks third on the list of industries with the most data protection violations.

Miloš Djurdjević, CEO and founder of heyData: “The results are shocking and make it clear that little has happened in the last four years. There is still a lot of ignorance, unfortunately also in public administration. This is fatal, because data volumes and their processing will constantly increase in the course of further digitization processes and automation, and with it the risk of data breaches or the misuse of information.”

Violations doubled in pandemic years 2020 and 2021

European data protection authorities have imposed an average of 24 fines per month over the past six years. A striking number of violations were punished in the pandemic years 2020 and 2021. Compared to 2019, the number of penalized violations doubled in 2020 (+104%) and grew again in 2021 by +40% compared to 2020.

Timeline GDPR violations (Image: HeyData).

Since the GDPR came into force in 2018, German data protection authorities have punished several hundred data protection violations. The exact figure is unclear, as not all authorities share information equally. The majority affected small and medium-sized companies, the self-employed and natural persons, with fines of between 100 euros and 10,000 euros.

Miloš Djurdjević: “Generally speaking, there is data that needs to be protected in every company. This starts with employee information, but also affects, for example, customer communication by telephone or e-mail and many other areas. Therefore, no one operating a business should take data protection lightly. Data breaches or the improper use of sensitive data can quickly result in severe fines. Even if you don't act intentionally. Ignorance does not protect against punishment - not even in data protection.”

Record fines for Amazon, Google, Meta and H&M

The retail giant Amazon received the highest fine in the history of the GDPR: 746 million euros for illegal online targeting. The more consumers are affected by data breaches or the misuse of sensitive data, the higher the fine usually is. Accordingly, the highest GDPR fines went to some of the largest corporations in the world.

About heyData

heyData is a leading data protection and compliance company. All information relevant to data protection law is made available to our customers via our digital data protection solution, the heyData platform. In addition, our data protection lawyers from heyData are personally available to our customers at all times.


 
