Any organization that fails to comply with the European Union's General Data Protection Regulation (GDPR) can be fined. The regulation applies to every organization, from a small business to a multinational operating in several countries, and governs how these companies handle the personal data their customers entrust to them. A company that breaches the regulation can receive a fine, and most of these fines are relatively flexible in amount.
Generally, GDPR violations are divided into two types: less severe and more serious. Both are administrative infringements; this excludes cases in which customers seek compensation from the company that compromised the security of their data.
Some GDPR breaches are considered less serious by the data protection regulators. The GDPR links this type of violation to the duties of data controllers, certification bodies and monitoring bodies. Specifically, it refers to the following articles of the GDPR:
Articles 25-39 regulate how companies secure the data they process.
If a company commits a violation subject to an administrative fine of this type, it will have to pay up to €10 million or 2% of its worldwide annual revenue for the preceding financial year, whichever is higher.
The violations described below are considered more serious, so the fine is double that set for the less severe ones: €20 million. The percentage of worldwide annual revenue for the preceding financial year also doubles, to 4%. Again, the company pays either the fixed amount or the percentage, whichever is higher.
Whereas the first type of violation concerns only a failure to observe the principles of data protection, the second type covers violations that lead to data breaches.
In addition to the cases above, a company can face severe consequences in two more situations:
It is difficult to know how much you can be fined for a given activity, because the individual data protection regulators in each EU country primarily determine the fines. The regulators must assess whether a violation took place and how much the company will have to pay.
However, all regulators have to apply a similar set of criteria in their assessment:
Sometimes regulators find more than one GDPR violation in one company. If that happens, they will choose the most serious one, and the company pays the fine attached to it.
As noted above, the regulators are responsible for determining the fine for a GDPR violation. Data protection is an important and complicated topic, which is why any company risks receiving a fine. Even the most prominent international firms have been fined in the past.
In 2018, the UK's data protection authority found that the personal data of more than 400,000 British Airways customers had been breached. The information included names, addresses and even the CVV numbers of their credit cards. The company reported the incident to the supervisory authority but was still fined. The regulators determined that British Airways had not taken sufficient measures to protect its customers' data. In 2019, the company received a fine of €183 million, but in 2020 this sum was reduced to €20 million because of COVID-19.
While the previous company was fined for a breach of its customers' data, the retailer H&M violated its employees' data security. Store managers recorded employees' conversations and stored the videos where their colleagues could freely access them, without notifying the employees that they had done so. For this, the company received a fine of €35 million.
In 2019, the search engine company Google received a fine of €50 million for improperly notifying customers about the collection and processing of their data. The company has long attracted the attention of regulators with targeted advertisements that seemed to know exactly what might interest the person searching. And this fine wasn't the last on its account. In January 2022, the French data protection regulator fined the company €150 million for mishandling its cookie policies.
In 2022, the Irish data protection regulator fined Facebook's parent company, Meta, for failing to have proper technical and organizational measures in place to protect its users' data privacy. The company received a fine of €17 million after the regulator was notified of 12 data breaches in 6 months.
Amazon received the largest fine in 2021: €746 million. The company was found to have improperly processed customers' data for targeted advertising without their consent. Moreover, the French data protection regulator had found Amazon guilty of the same practice back in 2020 and fined the company €35 million. However, the company appealed the accusations, stating that its data security practices are perfect.
Data security is one of the essential parts of managing a company. Whether it is data you hold and don't want to share with competitors or information your customers entrust to you, you must look after it very closely. No company in the world can avoid GDPR penalties without thoroughly preparing its data protection measures. As easy as it sounds, the wrong attitude toward the regulations leads the biggest companies in the world to pay enormous fines. Thorough preparation here cannot go without the help of a lawyer. At AVITAR, we can help you stay one step ahead, calculate all the risks and advise you on the measures necessary to take care of data security at your company. Feel free to email us at business@avitar.legal, and we will set you up with one of our specialists.