First GDPR fines – what we know so far

January 29, 2019

Eight months have just passed since the GDPR entered into force. Corporate governance teams across Europe and overseas invested substantial time and resources preparing for the new regulation.

The financial repercussions for mishandling data are now much higher than ever before. For instance, in the UK, the previous maximum penalty available to the Information Commissioner’s Office (ICO) for was £500,000. Now, businesses might be fined with €20 million or 4% of their revenue, whichever is higher.

As the first GDPR fines are coming through, here is the overview of penalties that regulators imposed/are looking to impose on organizations that have allegedly breached the regulation:


  1. Germany – (€20,000)

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. Personal data of approximately 330,000 users of a chat platform were compromised and then made publicly available by hackers in September 2018. As part of the data breach notification, the provider disclosed that the users’ passwords were stored in an unencrypted form (as a plain text). The authority considered this a violation of the obligation to implement adequate security measures (Article 32 GDPR) and imposed the rather modest fine of EUR 20,000. According to the LfDI, the very strong cooperation and willingness of the company to implement the guidelines and recommendations of the LfDI were viewed favorably when calculating the relatively low fine.

  1. Austria – retail entrepreneur (€4,800)

The entrepreneur installed a CCTV camera in front of his outlet that recorded a large part of the side walk outside. The Austrian Data Protection Authority (DSB) claimed that large-scale surveillance of public spaces contravenes GDPR rules, as no legitimate interests of companies (or entrepreneurs) to put public spaces under CCTV surveillance was recognized. Moreover, the video surveillance was not sufficiently marked, violating the transparency obligation under the GDPR. Taking into account the annual income of the entrepreneur, the Austrian DPA imposed a fine of EUR 4,800 for illegal video surveillance activities.

  1. Portugal – Central Hospital of Barreiro Montijo (€400,000)

After carrying out an inspection at a Portuguese hospital, the Portuguese Data Protection Authority (CNPD) fined the hospital for allowing too many employees to access patient records. The health facility has less than 300 doctors, yet 985 active accounts had the same level of access to sensitive data as medical practitioners. Doctors also allegedly had unrestricted privileges to view all patient files regardless of their specialty. Media reports suggested the hospital was appealing the fine under the argument that it was not responsible for these deficiencies because it used the IT system provided to public hospitals by the Portuguese Health Ministry. However, the Portuguese DPA still decided that it was the hospital’s responsibility to ensure that adequate security measures were implemented and imposed a fine of EUR 400,000 on the hospital.

  1. UK – Marriott International (TBC)

Earlier this month, Marriott International revealed hackers gained access to approximately 500 million guest accounts. Nearly two-thirds of those affected may have had passport numbers, emails, dates of birth and mailing addresses stolen. The hotel giant has also been unable to rule out the possibility that credit card data was leaked as well. Marriott has informed the ICO of the incident, which could fall under the most serious category of breaches. The company reported $22.9 billion of turnover in 2017, meaning a 4% fine would cost $916 million.

  1. France – Google (€50,000,000)

The French agency, CNIL, ruled that Google had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalization. Acting on a complaint from NOYB and French group La Quadrature du Net, the authority said it had investigated the process for setting up a Google account from an Android device and concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements and failing to obtain a legal basis for processing. As a result, CNIL ordered Google to hand over €50m, due to “the severity of the infringements. […] The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
In a statement, the agency said that users were not able to understand the extent of Google’s “massive and intrusive” data processing. The information provided by Google “is not easily accessible for users”, as it is “excessively disseminated across several documents” and requiring as many as five or six actions to access. “The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes.” Users are also unable to understand that Google is relying on consent as the legal basis for processing under GDPR, rather than the legitimate interest of the company. Moreover, the consent it gathers up for ads personalization is not valid, because it is not specific or unambiguous, because Google requires full agreement to the Terms of Service and data processing in the Privacy Policy, rather than unbundling the different purposes, such as ads personalization or speech recognition. CNIL pointed out that the choice of ads personalization is a pre-ticked box.

The financial repercussions for mishandling data are now much higher than ever before

The first fines under the GDPR reveal a moderate approach to the GDPR’s enforcement. Rather than imposing a great number of fines for non-compliance with new GDPR requirements, the data protection authorities focused on a small number of cases where basic requirements were not satisfied. We will certainly see more fines imposed in 2019 and organizations will likely need to reevaluate their GDPR compliance levels.

Latest Insights


One year of GDPR in review – fines, global momentum & technology

When the European Union’s General Data Protection Regulation (GDPR) entered into force on May 25th 2018, advocates of the new law promised…

Continue reading >

“Disguise ban” for forum posters might enter into force in 2020

According to the draft of a new regulation, it will be required from users of online forums, newspapers, but also platforms like Facebook to regist

Continue reading >

Optink joins weXelerate Batch 4!

Optink Team is delighted to announce that we have been nominated for Batch 4 of weXelerate Accelerator…

Continue reading >