Updated: Apr 7
Italy and Great Britain alone account for 59.5% of all sanctions resulting from the 299 GDPR infringements registered in the European Union in 2020
These figures come from the GDPR Fines 2020 Report published by Finbold. This year it is not France but Italy that takes first place, accounting for the highest penalties: 58.16 million euros resulting from 34 infringements of the GDPR.
At the end of January, the Italian supervisory authority (Garante per la protezione dei dati personali), for example, fined Eni Gas and Luce (EGL), an Italian electricity and gas supplier, €11.5 million for illegal marketing. Italian telecoms operator TIM was fined €27.8 million for a data breach incident.
For its part, the UK imposed nearly €44 million in fines in 2020 for just three breaches of the GDPR. The most notorious was the fine imposed on British Airways following a theft of personal data in 2018, which was later reduced to €20 million by the UK data protection authority due to the airline's economic difficulties. It is highly likely that with Brexit, the UK will no longer be able to impose such fines, unless it continues to provide a regulatory framework at least equivalent to the GDPR...
Germany ranks third for the highest penalties, with a record fine of €35 million imposed on the H&M group by the German data protection authority for the illegal storage of employee data.
French CNIL more tolerant than its Italian and British counterparts
As for France, it is in 6th position, behind Sweden and Spain. France recorded only €3 million in fines, including those imposed on Carrefour France and Carrefour Banque in 2020. The French CNIL would therefore seem more "tolerant" than the other European data protection authorities, with the exception of the record fines imposed on Amazon and Google, which are linked not to violations of the GDPR but to non-compliance with the legislation on cookies.
Ireland imposed the lowest amount of fines in Europe in 2020 under the GDPR (€630,000). However, the DPC, the focal point of personal data protection and the designated one-stop shop for the management of all litigation, is currently investigating WhatsApp's Irish subsidiary over the illegal sharing of data with Facebook, in violation of Articles 12 to 14 of the GDPR. The fine imposed by the DPC could amount to €77 million, requiring WhatsApp's Irish subsidiary to make provision for the subsequent payment of fines.