Why Can Company Receive GDPR Penalty: 5 Biggest Examples

Any organization that doesn't adhere to the European Union's General Data Protection Rule (GDPR) can be subject to a fine. The document applies to any organization — be it a small one or multinational functioning in more than one country — and regulates the behaviour towards the personal data customers trust in these companies. If the company fails to adhere to the regulations, it can receive certain fines, most of which are relatively flexible.

What Types of GDPR Violations There Are

Generally, the violations of the GDPR are divided into two types: less severe and more        serious. Both are administrative infringements, excluding instances when the customers seek compensation from the company that violated the security of their data.

Less severe GDPR violations

There are some breaches to the GDPR that the data protection regulators consider as the less serious ones. The GDPR connects this type of violations to the work of controllers of the data, certification and monitoring bodies. In detail, it can be referred to such articles of the GDPR:

  • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
  • the obligations of the certification body pursuant to Articles 42 and 43;
  • the obligations of the monitoring body pursuant to Article 41(4).

The set of Articles 25-39 regulates the work of companies around the safety of the data they operate.

  • The monitoring body can receive a fine if it **fails to watch over the adherence to the codes of conduct ****or failure to do so (Article 41).

Suppose the company showed any activity subject to the administrative fine of this type. In that case, it will have to pay up to €10 million, or 2% of its worldwide annual revenue from the preceding financial year, if it is higher.

More serious GDPR infringements

The violations described below are considered more serious, which is why the company will have to pay the double fine that is set for the less severe ones — €20 million. The same is with the percentage of the worldwide annual revenue from the preceding financial year — it doubles in two, going up to 4%. Therefore, the company will have to pay either the fixed amount of money or the percentage — it depends on what amount is higher.

When the first type of the violation concerns only the failure to overlook the principles of the data security, the second type involves the violations that cause the data breaches.

  • The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
  • The data subjects’ rights pursuant to Articles 12 to 22;
  • The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
  • Any obligations pursuant to Member State law adopted under Chapter IX;
  • Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition to all stated above, the severe consequences can be faced by the company in two more cases:

  • If the state the company is registered in has additional data protection rights, they must also adhere to them.
  • In case the company fails to adhere to the rules set by the monitoring body.

How the GDPR Fines are Determined

It is tough to know how much you can be fined for the different activities because the individual data protection regulators primarily undertake the determination of the fines in each EU country. The regulators must assess if the violation took place and what amount of money the company will have to pay.

However, all the regulators have to take a similar set of criteria for their assessment:

  1. Gravity and nature. The team of regulators had to consider the details of the regulation breach and its severe impact.
  2. Intention. Did this happen on purpose, or the company was unaware of violating the data protection rules?
  3. Mitigation. If the company took some measures to make the impact of the infringement less severe on the people affected, the regulators might find a reason that will soften the gravity of the fine.
  4. Precautionary measures. Did the team adhere to the regulations of GDPR before the violation happened and how good was its preparation?
  5. History. Any other company actions regarding the data security will be stated in the records so that it will have the consequences in fines.
  6. Cooperation. If the firm found out about the infringement and decided to contact the third parties to cooperate on solving it, the regulator can think of softening the measure of the fine.
  7. Data category. The information that was the subject of the violation also takes part in the regulators' assessment.
  8. Notification. It can be less than obvious, but how you notify about the infringement also plays a significant role. If the company fails to tell the monitoring entities that it noticed the violation, it can be considered an attempt to hide it.
  9. Certification. If the company received the certification previously, it cares about the data security even if the violation happened.
  10. Aggravating/mitigating factors. There can be other factors influencing the regulators' decisions.

Sometimes the regulators can find more than one violation of the GDPR in one company. If that happens, it will choose the most serious one and pay the fine connected to it.

5 Fines Companies Already Received For Not Following GDPR

The regulators are responsible for determining the fine for GDPR violation, as you already know. Data protection is an important and complicated topic, which is why any company risks receiving a fine. Even the most prominent international firms have been there in the past.

British Airways

In 2018, the UK's data protection entity found that the personal data of more than 400,000 British Airways customers was breached. The information included names, addresses, and even CVV numbers of their credit cards. The company reported the incident to the monitoring organization but was still subject to a fine. The regulators determined that British Airways didn't take enough measures to protect their customers' data. In 2019, the company received a fine of €183 million, but in 2020 this sum was reduced to €20 million because of the COVID-19.


While the previous company received a fine for the breach of its customers' data, the retailer H&M violated the employees' data security. The store managers recorded the employees' conversations and stored the videos in the free access to their colleagues without notifying them they did it. For this, the company received a fine of €35 million.


In 2019, the search engine company Google received a fine of €50 million for the improper notification of customers about collecting and processing their data. The company has been attracting the eyes of the regulators for a long time with its targeted advertisements that magically knew what might interest the person searching. And this fine isn't the last on their account. In January 2022, the French regulators of data security fined the company €150 million for mistreating the cookie policies.


In 2022, Irish data security regulators fined Facebook's parent company, Meta, for the inability to have proper technological and organizational measures to protect their users' data privacy. The company received a fine of €17 million after the regulators were notified of 12 data breaches in 6 months.


Amazon received the most extensive fine in 2021 — €746 million. The company was found improperly dealing with the customers' data without consent for their targeted advertisements. Moreover, the French data security regulators found Amazon guilty of the same reason back in 2020 and fined the company €35 million. However, the company appealed the accusations, stating that its data security behaviour is perfect.

Bottom Line

Data security is one of the essential parts of managing a company. Whether it is the data you have and don't want to share with the competitors or the information your customers trust you — you must look after it very closely. In the case of the GDPR penalties, no company in the world can avoid getting them without thoroughly preparing data protection measures. As much as it sounds easy, the wrong attitude toward the regulations leads the biggest companies in the world to pay enormous fines. The thorough preparation here cannot go without the help of a lawyer. At AVITAR, we can help you to be one step ahead, calculate all the risks and give a consultation on the necessary measures to take to care for the data security at your company. Feel free to email us at, and we will set you up with one of our specialists.

12.21.2022 21:00

Let's discuss your project

Application successfully sent
Request submission error
By clicking "Allow all" you agree to store cookies on your device to enhance website navigation, analyse usage and assist in our marketing efforts
Allow chosen


Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
You can find more in our
Cookie Policy