GDPR Enforcement Monitor
Real cases. Real fines. Real risk.
Track enforcement actions from European data protection authorities. Understand what violations get penalized, how much, and what lessons to learn.
TikTok
Data Protection Commission (DPC) · Data Subject Rights
The DPC fined TikTok €345 million for multiple GDPR violations relating to child users. The platform's default settings made children's accounts public, allowed a "Family Pairing" feature with unverified adults, and used dark patterns in its privacy settings that nudged children toward less privacy-protective options.
Telekall Infoservice
Autoridade Nacional de Proteção de Dados (ANPD) · Consent Violation
Brazil's ANPD issued its first-ever LGPD fine against Telekall Infoservice, a small telemarketing company, totaling R$14,400 (approximately $2,880 USD). The microenterprise was found to have offered a list of WhatsApp contacts of voters to political candidates during the 2020 municipal election campaign, processing personal data (phone numbers) without a valid legal basis. The ANPD also found that Telekall failed to appoint a Data Protection Officer as required by LGPD. While the fine amount is small by international standards, the case was historically significant as the first administrative sanction under Brazil's data protection law, marking the beginning of active LGPD enforcement. The ANPD applied a proportionate penalty considering the company's micro-enterprise status.
Criteo SA
Commission Nationale de l'Informatique et des Libertés (CNIL) · Consent Violation
France's CNIL fined Criteo, one of the world's largest advertising technology companies, €40 million for multiple GDPR violations in its advertising targeting activities. The investigation, prompted by complaints from Privacy International, found that Criteo could not demonstrate that users whose data it processed had given valid consent. Criteo tracked users across websites using cookies and built extensive browsing profiles without a proper legal basis. The company also failed to adequately respond to data subjects exercising their rights of access and erasure, providing incomplete information and not deleting data upon request. The fine reflects the scale of Criteo's operations, processing data of millions of EU users for behavioral advertising.
Spotify AB
Integritetsskyddsmyndigheten (IMY) · Data Subject Rights
Sweden's IMY (formerly Datainspektionen) fined Spotify SEK 58 million (approximately €5 million) for failing to adequately inform data subjects about how it processes their personal data and for providing insufficient responses to subject access requests. The investigation, triggered by a complaint from the privacy rights organization NOYB, found that when users exercised their right of access under Art. 15 GDPR, Spotify provided data in a format that was difficult to understand. The company failed to clearly explain the purposes of processing, retention periods, and recipients of personal data in response to access requests. Spotify's general privacy policy was also found to be insufficiently clear about the technical details of personal data processing.
Amazon.com (Ring LLC)
Federal Trade Commission (FTC) · Security Measures
The FTC fined Amazon's Ring LLC $5.8 million for privacy violations related to its home security cameras. The FTC alleged that Ring gave every employee and contractor unrestricted access to customers' private videos, and that Ring failed to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos. Specifically, Ring employees in Ukraine were found to have viewed thousands of video recordings from female customers' bedrooms and bathrooms. Additionally, Ring failed to implement adequate security measures like multi-factor authentication until 2019, after numerous account compromises. The settlement also required Ring to delete all data products derived from videos it unlawfully reviewed.
Meta Platforms
Data Protection Commission (DPC) · Data Transfer
The Irish DPC fined Meta €1.2 billion for transferring EU user data to the United States without adequate safeguards following the Schrems II ruling. Meta continued relying on Standard Contractual Clauses (SCCs) despite the CJEU finding that US surveillance laws did not provide adequate protection for EU citizens' data. This is the largest GDPR fine ever issued.
Easy Healthcare (Premom App)
Federal Trade Commission (FTC) · Transparency
The FTC fined Easy Healthcare Corporation, maker of the Premom fertility tracking app, $100,000 for sharing users' sensitive reproductive health data with third parties including AppsFlyer, Google, and two Chinese firms without users' consent or knowledge. Despite promises in its privacy policy that health data would not be shared, Premom transmitted precise geolocation data, device identifiers, and health information about users' fertility and pregnancy status to advertising and analytics companies. The FTC noted this was particularly concerning given the sensitive nature of reproductive health data and the small company's promises of privacy. Easy Healthcare was also required to obtain consent before sharing health data and to notify consumers about the unauthorized disclosures.
Department of Justice and Constitutional Development
Information Regulator of South Africa · Security Measures
South Africa's Information Regulator issued an enforcement notice against the Department of Justice and Constitutional Development following a devastating ransomware attack in September 2021 that encrypted the department's entire IT infrastructure. The attack disrupted court operations, child maintenance payments, and legal aid services across the country for weeks. Personal data of millions of South Africans involved in legal proceedings was potentially compromised. The Information Regulator found that the department had failed to implement adequate security measures to protect personal information as required by POPIA Section 19, and had not established sufficient incident response capabilities. While no monetary fine was imposed (the regulator focused on compliance orders), the enforcement notice required the department to implement comprehensive security improvements within specified deadlines.
TikTok Information Technologies UK
Information Commissioner's Office (ICO) · Consent Violation
The ICO fined TikTok £12.7 million for a series of breaches of UK data protection law, including failing to use children's personal data lawfully. The investigation found that TikTok allowed up to 1.4 million UK children under 13 to use the platform in 2020 despite its own rules prohibiting under-13s. TikTok failed to implement effective age-checking mechanisms, meaning children below the minimum age were able to create accounts and have their data collected and used for content recommendation algorithms. The ICO determined that TikTok processed children's data without parental consent, violating the special protections afforded to minors under UK GDPR. TikTok was also found to have provided insufficiently clear privacy information to users.
BetterHelp Inc.
Federal Trade Commission (FTC) · Data Transfer
The FTC fined BetterHelp, an online mental health counseling platform, $7.8 million for sharing consumers' sensitive health data with advertising platforms including Facebook, Snapchat, Criteo, and Pinterest — despite promising users that their personal health information would be kept private. BetterHelp used intake questionnaire responses about users' mental health conditions, relationship status, and other sensitive information to target them with ads on social media. The company shared email addresses and health information via tracking pixels and APIs without users' knowledge or consent. The FTC found that BetterHelp's privacy promises were deceptive, as the company represented that it would not use or share health data for advertising while doing exactly that.
GoodRx Holdings Inc.
Federal Trade Commission (FTC) · Transparency
The FTC fined GoodRx $1.5 million in the agency's first-ever enforcement action under the Health Breach Notification Rule. GoodRx, a popular prescription drug discount platform, shared users' sensitive personal health information — including medications they searched for and purchased, health conditions, and personal contact information — with advertising companies including Facebook, Google, and Criteo without users' knowledge or authorization. Despite prominently featuring a 'HIPAA' badge on its website and app, GoodRx was not actually a HIPAA-covered entity. The company used tracking pixels and SDKs that transmitted health data to these advertising platforms, which then used the information to target users with health-related advertisements.
Ministry of Defence
Information Commissioner's Office (ICO) · Data Breach
The ICO fined the Ministry of Defence £350,000 for a serious data breach involving the disclosure of personal information of Afghan nationals who had worked with and assisted UK forces in Afghanistan. In September 2021, an email was sent to a distribution list of Afghan nationals who had applied for relocation to the UK under the Afghan Relocations and Assistance Policy (ARAP). The email, sent using CC rather than BCC, exposed the email addresses — and in some cases names and profile pictures — of 245 individuals, some of whom were still in Afghanistan after the Taliban takeover. This put individuals at direct risk of harm. A second similar email breach occurred shortly afterwards, affecting 55 individuals.
Meta Platforms (Facebook Brazil)
Secretaria Nacional do Consumidor (SENACON) · Insufficient Legal Basis
Brazil's National Consumer Secretariat (SENACON) fined Meta Platforms (Facebook) R$6.6 million (approximately $1.3 million USD) in connection with the Cambridge Analytica scandal and its impact on Brazilian users. The investigation found that approximately 443,000 Brazilian Facebook users had their personal data improperly shared with Cambridge Analytica through the 'thisisyourdigitallife' quiz app. The data was used for political profiling without users' knowledge or consent. SENACON determined that Facebook failed to adequately protect Brazilian consumers' personal data and did not provide sufficient transparency about third-party access to user information. This was one of the largest privacy-related fines in Brazilian history at the time of issuance.
Epic Games (Fortnite)
Federal Trade Commission (FTC) · Consent Violation
The FTC ordered Epic Games to pay $275 million in penalties for violating the Children's Online Privacy Protection Act (COPPA) through its massively popular Fortnite game. The FTC found that Epic Games collected personal information from children under 13 without notifying parents or obtaining verifiable parental consent. Fortnite's default settings enabled real-time voice and text communications, exposing children to bullying, threats, and harassment. Epic also used manipulative 'dark patterns' in its item shop that tricked players, including children, into making unwanted purchases. The company made it deliberately difficult to cancel purchases and locked accounts of customers who disputed unauthorized charges with their credit card companies.
Microsoft Ireland Operations
Commission Nationale de l'Informatique et des Libertés (CNIL) · Consent Violation
The CNIL fined Microsoft €60 million for depositing advertising cookies on users' devices via bing.com without obtaining prior consent. The investigation found that when users visited the Bing search engine, advertising cookies were automatically placed without any consent mechanism being presented first. Microsoft failed to implement a proper cookie consent banner, meaning cookies were set before users had any opportunity to accept or refuse them. The CNIL also noted the absence of an easy-to-use refusal mechanism. Microsoft was ordered to stop depositing cookies without consent within three months or face a penalty of €60,000 per day of non-compliance.
Interserve Group
Information Commissioner's Office (ICO) · Security Measures
The ICO fined Interserve Group, one of the UK's largest outsourcing companies, £4.4 million for failing to keep personal data of its staff secure, leading to a cyber attack that compromised the records of up to 113,000 employees. The attack began when an employee forwarded a phishing email to a colleague who opened it and downloaded the malicious content. The malware compromised 283 systems and 16 accounts, and the attackers encrypted the personal data of current and former employees. The ICO found that Interserve used outdated software, had inadequate endpoint protection, lacked sufficient staff training, and did not conduct regular security testing. These failures meant the company did not meet the standard required by UK GDPR.
Clearview AI
Commission Nationale de l'Informatique et des Libertés (CNIL) · Insufficient Legal Basis
The CNIL fined Clearview AI €20 million for collecting and processing biometric data of French citizens without a legal basis. Clearview AI scraped billions of photographs from the internet to build a facial recognition database used by law enforcement and private companies. The CNIL found that Clearview had no legal basis for collecting and processing this biometric data, failed to inform individuals about the processing, and did not respect data subjects' rights of access and erasure. The company was also ordered to stop collecting and using data of people in France and to delete all data already collected within two months. This decision followed similar findings by the Italian Garante and other EU DPAs.
Google LLC (South Korea)
Personal Information Protection Commission (PIPC) · Consent Violation
South Korea's Personal Information Protection Commission (PIPC) fined Google ₩69.2 billion (approximately $50 million USD) for collecting and using users' location data without obtaining proper consent. The PIPC found that Google violated South Korea's Personal Information Protection Act (PIPA) by defaulting its location tracking services to 'on' in Android device settings and making it difficult for users to find and change these settings. Google collected location data from Android users even when they believed they had turned off location tracking, as the company tracked location through multiple overlapping settings that were not clearly explained to users. The investigation also found that Google's consent process did not adequately inform users about how their location data would be used.
Meta Platforms (South Korea)
Personal Information Protection Commission (PIPC) · Consent Violation
South Korea's PIPC fined Meta Platforms ₩30.8 billion (approximately $22 million USD) for collecting sensitive personal information about Facebook users' religious views, political opinions, and sexual orientation without obtaining specific consent as required by PIPA. The PIPC found that Meta analyzed users' behavior on Facebook — including pages liked, ads clicked, and groups joined — to infer sensitive attributes such as political leanings, religious beliefs, and whether users were in same-sex relationships. This inferred sensitive data was then used to create behavioral advertising profiles and serve targeted ads. Under PIPA, processing sensitive information requires separate, specific consent beyond general terms of service acceptance. The decision was announced alongside the Google location tracking fine.
Meta Platforms (Instagram)
Data Protection Commission (DPC) · Consent Violation
The DPC fined Instagram €405 million for violating children's privacy. The investigation found that Instagram's business account feature allowed children aged 13-17 to make their accounts public by default, exposing their email addresses and phone numbers. Instagram also relied on legitimate interest as a legal basis for processing children's data, which the DPC deemed inappropriate.
Sephora Inc.
California Attorney General · Consent Violation
The California Attorney General reached a $1.2 million settlement with Sephora in the first public CCPA enforcement action. The investigation found that Sephora failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of the sale of personal information submitted via the Global Privacy Control (GPC) browser signal, and did not cure these violations within the 30-day notice period provided under CCPA. Sephora allowed third-party companies to install tracking software on its website and app that collected consumers' personal data, including browsing activity, in exchange for analytics and advertising services — which constitutes a 'sale' under CCPA. The company's privacy policy did not disclose this practice.
Didi Global Inc.
Cyberspace Administration of China (CAC) · Insufficient Legal Basis
China's Cyberspace Administration (CAC) fined Didi Global ¥8.026 billion (approximately $1.19 billion USD) for serious violations of China's Personal Information Protection Law (PIPL), Data Security Law, and Cybersecurity Law. The CAC found that Didi illegally collected users' personal information including facial recognition data, precise location data, device information, and audio recordings through its ride-hailing app. Didi was also found to have collected clipboard information, address book data, and photo albums without users' knowledge. The company processed personal information of over 600 million Chinese users without adequate legal basis. The massive fine represented approximately 4% of Didi's 2021 domestic revenue. Didi's chairman and president were also personally fined ¥1 million each.
Cosmote Mobile Telecommunications (OTE Group)
Hellenic Data Protection Authority (HDPA) · Data Breach
Greece's HDPA fined Cosmote Mobile Telecommunications, a subsidiary of OTE Group (Deutsche Telekom), €6 million for a data breach that exposed the call data records of millions of customers. In September 2020, an attacker accessed a Cosmote server and extracted detailed call records including phone numbers, timestamps, duration, and cell tower location data of approximately 5 million subscribers. The HDPA found that Cosmote had failed to implement adequate data protection by design and by default, did not adequately anonymize or pseudonymize call data records, and lacked sufficient access controls. OTE Group, the parent company, was separately fined €3.25 million for its role in the shared IT infrastructure.
Residual Pumpkin Entity (CafePress)
Federal Trade Commission (FTC) · Data Breach
The FTC ordered the former owner of CafePress, an online custom merchandise retailer, to pay $500,000 for covering up a major data breach and failing to secure consumers' personal data. In February 2019, a hacker breached CafePress and stole personal information of over 23 million consumers, including Social Security numbers, encrypted passwords, and security questions. The FTC alleged that CafePress failed to implement reasonable security measures, stored Social Security numbers in plain text, used weak encryption for passwords, and retained data far longer than necessary. When the company learned of the breach, it failed to properly investigate, misrepresented the scope of the breach to affected consumers, and did not adequately notify those whose Social Security numbers were exposed.
Tuckers Solicitors LLP
Information Commissioner's Office (ICO) · Data Breach
The ICO fined Tuckers Solicitors LLP, a criminal defence law firm, £98,000 after a ransomware attack compromised personal data contained in 60 court bundles relating to criminal proceedings. The attack encrypted 972,191 files, of which 24,712 related to court bundles. The compromised data included sensitive legal documents covering criminal cases, witness statements, and other highly confidential legal materials. The ICO found that Tuckers had failed to implement appropriate security measures: the firm did not use multi-factor authentication, patch management was inadequate, and personal data at rest was not adequately encrypted. Because the firm, although small, handled extremely sensitive criminal case data, its security obligations were particularly high.
Clearview AI
Garante per la Protezione dei Dati Personali · Insufficient Legal Basis
Italy's Garante fined Clearview AI €20 million for scraping billions of facial images from social media and the internet without any legal basis or consent. Clearview AI had no EU representative, failed to inform data subjects about processing, and did not comply with data subject access requests. The biometric data was processed without meeting the conditions for special category data under Art. 9.
Cabinet Office
Information Commissioner's Office (ICO) · Data Breach
The ICO fined the UK Cabinet Office £500,000 for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office published the home addresses of over 1,000 people, including those who had been honoured for their contributions to national security, intelligence, and law enforcement. The data was accessible on the official government website for several hours before it was identified and removed. The ICO found that the Cabinet Office failed to put in place appropriate technical and organizational measures to prevent the unauthorized disclosure. The data was supposed to be redacted before publication, but human error and inadequate review processes led to the unredacted file being uploaded.
Enel Energia SpA
Garante per la Protezione dei Dati Personali · Consent Violation
Italy's Garante fined Enel Energia, one of Italy's largest energy suppliers, €26.5 million for unlawful telemarketing activities conducted through a network of external agencies and call centers. The investigation found that Enel Energia's contractors made millions of unsolicited promotional calls using contact lists obtained without valid consent. Consumers who had not consented to marketing — and even those who had explicitly opted out — continued to receive unwanted calls. The company failed to adequately supervise its network of telemarketing agents and did not implement effective mechanisms to verify consent or honor opt-out requests across its supply chain of marketing partners.
Google Ireland
Commission Nationale de l'Informatique et des Libertés (CNIL) · Consent Violation
The CNIL fined Google Ireland €150 million for violating French cookie consent rules on google.fr and youtube.com. The investigation found that while both sites provided a button to immediately accept all cookies, they did not offer an equally simple mechanism to refuse cookies. Users had to navigate through multiple clicks to reject tracking cookies, creating an asymmetry that undermined the freedom of consent. The CNIL determined this 'dark pattern' design meant consent was not freely given, as users were nudged toward acceptance through the path of least resistance. The fine was accompanied by an order to implement a refuse-all button within three months.
Meta Platforms Ireland (Facebook)
Commission Nationale de l'Informatique et des Libertés (CNIL) · Consent Violation
The CNIL fined Facebook €60 million for the same cookie consent violation pattern identified in the Google case. On facebook.com, users could accept all cookies with a single click but had to navigate multiple screens and settings to refuse them. The CNIL found this design manipulated user behavior, making it significantly easier to consent than to decline. The asymmetric cookie banner failed to meet the requirement that refusal be as easy as acceptance. This decision, issued alongside the Google cookie fine, established a clear CNIL enforcement position against dark pattern cookie consent designs across major platforms.
Grindr
Datatilsynet (Norwegian DPA) · Consent Violation
Norway's Datatilsynet fined Grindr €6.3 million (reduced from initial €10M) for sharing users' personal data — including GPS location, user profile data, and the fact that they used Grindr (which reveals sexual orientation, a special category of data) — with advertising partners without valid consent. Consent was bundled into the app's terms of service, making it non-specific and not freely given.
WhatsApp Ireland
Data Protection Commission (DPC) · Transparency
The DPC fined WhatsApp €225 million for failing to provide transparent information to users and non-users about how it processes personal data. The investigation found that WhatsApp's privacy policy did not clearly explain data sharing with Facebook, processing purposes, and the legal basis for processing non-users' data obtained through contact uploads.
Amazon Europe
Commission Nationale pour la Protection des Données (CNPD) · Insufficient Legal Basis
Luxembourg's CNPD fined Amazon €746 million for processing personal data for targeted advertising without valid consent. The fine related to Amazon's advertising targeting system, which processed customer data without a proper legal basis. This was the second-largest GDPR fine at the time of issuance.
CaixaBank SA
Agencia Española de Protección de Datos (AEPD) · Consent Violation
Spain's AEPD fined CaixaBank €6 million for processing customer personal data for commercial purposes without obtaining valid consent. The investigation found that CaixaBank's consent mechanisms were insufficient — the bank processed personal data for marketing and profiling purposes based on contract execution rather than specific consent. Customers were not given a clear, separate choice to consent to or refuse marketing processing. The AEPD found that 6 million of the bank's customers were affected by the lack of proper consent mechanisms. The fine comprised €4 million for Art. 6 violations (processing without legal basis) and €2 million for Art. 7 violations (conditions for consent).
notebooksbilliger.de AG
Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen) · Data Minimization
The Lower Saxony DPA fined notebooksbilliger.de €10.4 million for conducting video surveillance of employees without a legal basis for at least two years. The online electronics retailer had installed video cameras in workspaces, sales areas, and warehouses that continuously recorded employees. The company claimed the surveillance was to prevent theft, but the DPA found this was disproportionate because less intrusive measures were available, such as random bag checks or targeted surveillance of specific areas during specific timeframes. The blanket, permanent surveillance of all employees violated the data minimization principle and lacked a proper legal basis.
Booking.com B.V.
Autoriteit Persoonsgegevens (AP) · Data Breach
The Dutch Data Protection Authority (AP) fined Booking.com €475,000 for failing to report a personal data breach within the 72-hour deadline required by GDPR. In late 2018, criminals used social engineering to obtain login credentials from employees of over 40 hotels in the UAE. The attackers then used these credentials to access personal data of over 4,100 Booking.com customers, including names, addresses, phone numbers, and credit card details of 283 individuals. Booking.com learned of the breach on January 13, 2019, but did not report it to the Dutch DPA until February 7, 2019 — 22 days late. The company also failed to notify affected individuals within the required timeframe.
Vodafone Italia SpA
Garante per la Protezione dei Dati Personali · Consent Violation
Italy's Garante fined Vodafone Italia €12.25 million for systematic unlawful telemarketing practices affecting millions of individuals. The investigation revealed that Vodafone made unsolicited promotional calls to individuals who had not given consent, including people registered on Italy's do-not-call list (Registro Pubblico delle Opposizioni). The company used contact lists acquired from external data brokers without verifying that valid consent had been obtained. Vodafone also failed to honor opt-out requests from data subjects who explicitly objected to marketing calls. The DPA found a systemic pattern of non-compliance across Vodafone's marketing operations and its network of third-party call centers.
Marriott International
Information Commissioner's Office (ICO) · Data Breach
The ICO fined Marriott £18.4 million (approx. €20.4M) following a cyber attack on Starwood guest reservation systems that exposed approximately 339 million guest records worldwide. The breach originated in 2014 (pre-GDPR) at Starwood Hotels, which Marriott acquired in 2016. Marriott failed to conduct sufficient due diligence during the acquisition and did not adequately secure the inherited systems.
British Airways
Information Commissioner's Office (ICO) · Data Breach
The ICO fined British Airways £20 million (approx. €22M) after a data breach exposed personal data of approximately 400,000 customers. Attackers used a card-skimming attack (Magecart) on BA's website and mobile app, diverting customer payment details to a fraudulent website. The ICO found that BA should have identified and resolved the vulnerabilities that made the attack possible.
H&M
Hamburg Commissioner for Data Protection · Data Minimization
The Hamburg DPA fined H&M €35.3 million for extensive surveillance of its employees at its Nuremberg service center. Managers conducted detailed interviews with returning employees after absences, recording information about vacations, illnesses (including symptoms and diagnoses), family problems, and religious beliefs. This data was stored on a shared network drive accessible to over 50 managers.
Wind Tre SpA
Garante per la Protezione dei Dati Personali · Consent Violation
Italy's Garante fined Wind Tre €16.7 million for extensive unlawful telemarketing and data processing violations. The telecommunications company engaged in aggressive promotional campaigns, making millions of unsolicited calls and SMS messages to individuals without valid consent. The investigation found that Wind Tre activated unsolicited premium services on customer lines without authorization, used a non-compliant consent mechanism in its apps that did not allow users to freely give or withhold consent for different purposes, and failed to implement adequate measures to honor data subjects' objections to marketing. The company's call center network operated with insufficient oversight regarding consent verification.
Telecom Italia (TIM)
Garante per la Protezione dei Dati Personali · Consent Violation
Italy's Garante fined Telecom Italia €27.8 million for aggressive and unlawful telemarketing practices. The company made millions of unsolicited promotional calls, including to individuals on the national do-not-call registry. TIM also failed to obtain valid consent, processed data without proper legal basis, and did not honor opt-out requests from data subjects.
Deutsche Wohnen SE
Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) · Data Minimization
Berlin's data protection authority fined Deutsche Wohnen, one of Germany's largest residential real estate companies, €14.5 million for storing tenants' personal data indefinitely without any legal basis for continued retention. The company's archiving system did not allow for the deletion of data that was no longer needed. Personal data including salary statements, self-disclosure forms, employment contracts, tax and social security data, and bank statements of tenants were retained for years beyond their lawful retention period. Despite being warned by the DPA in 2017, Deutsche Wohnen failed to implement a data deletion concept. This case became a landmark for the principle that companies can be directly fined under GDPR.
Österreichische Post AG
Datenschutzbehörde (DSB) · Insufficient Legal Basis
Austria's DSB fined Österreichische Post AG (Austrian Post) €18 million for creating profiles on the political party affinities of approximately 3 million Austrians without their knowledge or consent. The postal service used an algorithm to estimate political preferences based on demographic data, addresses, and other factors, then sold these profiles to political parties for targeted election campaigns. The DSB found this processing of data revealing political opinions constituted special category data under Art. 9 GDPR, which requires explicit consent. Austrian Post had no legal basis for creating or selling these profiles.
Morele.net Sp. z o.o.
Urząd Ochrony Danych Osobowych (UODO) · Data Breach
Poland's UODO fined Morele.net, a popular Polish online electronics retailer, PLN 2.83 million (approximately €660,000) after a data breach exposed the personal data of approximately 2.2 million customers. The breach occurred when attackers exploited a vulnerability in Morele.net's systems to access the customer database, which included names, email addresses, phone numbers, and delivery addresses. The UODO found that the company had failed to implement adequate technical and organizational security measures, including insufficient access controls, lack of multi-factor authentication for administrative access, and inadequate network segmentation. Because Morele.net is an SMB-sized e-commerce company, the case demonstrated that smaller businesses face the same GDPR obligations as large enterprises.
Google LLC / YouTube
Federal Trade Commission (FTC) · Consent Violation
The FTC and the New York Attorney General fined Google and YouTube $170 million ($136 million from FTC, $34 million from NY AG) for illegally collecting personal information from children on YouTube without parental consent, in violation of COPPA. YouTube tracked children who watched child-directed channels using cookies and persistent identifiers, then used this data to deliver targeted advertising to these children. Google had marketed YouTube to toy companies and other child-directed advertisers as a top destination for children, yet simultaneously told the FTC that YouTube was a general-audience site not subject to COPPA. The settlement required YouTube to create a system for channel owners to identify child-directed content and to stop serving targeted ads on content directed at children.
National Revenue Agency (NRA)
Commission for Personal Data Protection (CPDP) · Data Breach
Bulgaria's CPDP fined the National Revenue Agency (NRA) BGN 5.1 million (approximately €2.6 million) after a massive data breach exposed the personal data of approximately 5 million Bulgarian citizens — nearly the entire adult population. In July 2019, a hacker gained unauthorized access to NRA databases and published the stolen data online. The breach included names, personal identification numbers (EGN), addresses, income data, and tax information. The CPDP found that the NRA had failed to implement adequate technical and organizational security measures. Despite handling the most sensitive financial data of virtually all Bulgarian citizens, the agency's cybersecurity practices were insufficient to prevent the breach.
Sergic
Commission Nationale de l'Informatique et des Libertés (CNIL) · Security Measures
The CNIL fined Sergic, a French real estate management company, €400,000 for a security vulnerability that exposed tenants' and rental applicants' personal documents online. The company's website allowed users to upload identity documents, tax returns, bank statements, and other sensitive files as part of rental applications. However, a vulnerability in the system meant that by simply modifying a URL, anyone could access documents uploaded by other users without authentication. The flaw exposed highly sensitive personal data of thousands of individuals. Despite being alerted to the vulnerability, Sergic took several months to fix it. The CNIL also found that the company retained personal data of unsuccessful applicants for excessive periods.
LaLiga (Liga Nacional de Fútbol Profesional)
Agencia Española de Protección de Datos (AEPD) · Data Minimization
Spain's AEPD fined LaLiga, the Spanish football league, €250,000 for using its official mobile app to covertly access users' microphones and GPS location to detect bars and restaurants illegally broadcasting football matches without a commercial license. The app activated the device microphone once per minute during match times to capture ambient audio and match it against official broadcast signals. While LaLiga argued this was disclosed in the privacy policy, the AEPD found the consent mechanism was buried in terms of service and not sufficiently transparent. The practice affected approximately 10 million app users who were unknowingly turned into surveillance tools for copyright enforcement.
Google LLC
Commission Nationale de l'Informatique et des Libertés (CNIL) · Transparency
France's CNIL fined Google €50 million for lack of transparency and inadequate consent mechanisms for ad personalization. Users were not clearly informed about how their data was used for personalized advertising, and consent was not freely given — it was buried in multiple layers of settings with pre-checked boxes.
Integrated Health Information Systems (IHiS)
Personal Data Protection Commission (PDPC) · Security Measures
The PDPC imposed its then-largest ever financial penalty of S$750,000 on IHiS, the technology agency responsible for managing the IT systems of Singapore's public healthcare sector, for its role in the SingHealth data breach. As the IT vendor and data intermediary responsible for maintaining SingHealth's database systems, IHiS was found to have failed in several critical security areas: staff did not respond adequately to the initial signs of the cyber attack, vulnerabilities in the network were not remediated in a timely manner despite being known, and the organization lacked a proper incident response framework. The PDPC determined that IHiS bore a greater degree of responsibility than SingHealth as it was directly responsible for the IT systems that were compromised.
SingHealth Pte Ltd
Personal Data Protection Commission (PDPC) · Data Breach
Singapore's PDPC fined SingHealth, the country's largest public healthcare group, S$250,000 for failing to make reasonable security arrangements to protect the personal data of 1.5 million patients. In June-July 2018, attackers exploited vulnerabilities in SingHealth's IT systems to exfiltrate patient records including names, NRIC numbers, addresses, dates of birth, and the outpatient medication records of 160,000 patients — including Singapore's Prime Minister Lee Hsien Loong, who was specifically targeted. The PDPC found that SingHealth failed to adopt adequate security measures, including insufficient network segmentation, failure to patch known vulnerabilities, and inadequate monitoring of database access. The breach was the largest in Singapore's history.