EU companies paid more than €300 million in GDPR fines over 2020

EU companies paid more than €300 million in GDPR fines over 2020

GDPR key concepts

The GDPR (General Data Protection Regulation) is a European Union regulation which is the reference text for the protection of personal data. This regulation, which came into effect on 25 May 2018, improves the protection of individuals concerned by the processing of their personal data.

Data is considered personal when it can lead to the direct or indirect identification of a natural person. We can take, as an example, identity documents or photos, surname and first name as direct identification and fingerprints, IP addresses, telephone numbers as indirect identification.

Moreover, identification can be made on the basis of a single piece of data or by grouping several together. To illustrate identification by grouping data, we can cite the following example: a man living at a specific address, born on a particular day and belonging to a club. The aggregation of all this information could make it possible to identify the person concerned.

Who does the GDPR affect?

The GDPR applies to any organisation, public or private, which processes personal data for itself or not, provided that it is established in the European Union or its activity directly targets European residents.

We can take two examples to explain these two situations.

  1. A company based in Germany that exports eyewear to South Africa will have to comply with GDPR.
  2. A Canadian company that sells computer security software to its Spanish customers will also have to comply with GDPR for its Spanish customers.

Obviously, trade involving two EU members companies must also respect the GDPR.

How much does a GDPR fine cost?

Companies that are subject to this regulation but do not comply with it may be subject to significant sanctions.

GDPR fines can range from a simple call to order to a sanction of €20 million or 4% of worldwide turnover (whichever is higher). Other sanctions can be applied, such as temporarily or permanently limiting the processing of data or suspending the flow of data.

It is important to note that the companies sanctioned and the amount of the fine received may be made public, which may seriously damage their reputation.

Year 2020 in review

The year 2020 has just come to an end and it has been marked with many sanctions.

First of all, the total amount of GDPR fines for the past year amounts to more than €306 million.

Spain is the country that has sanctioned the most (128), followed by Italy (34) and Romania (26). France is the country with the highest total amount of sanctions (€138,309,000).

EU countries number of GDPR fines and total GDPR fine amount 2020
GDPR EU countries ranked by number of GDPR fines and total GDPR fine amount 2020

Here is the ranking of the companies that have suffered the heaviest sanctions in the past year:

  1. Google LLC with €60 million
  2. Google Ireland with €40 million
  3. H&M with more than 35 million euros
  4. Amazon Europe with also 35 million euros
  5. TIM with 27.8 million euros


For information, Google LLC generated a turnover of more than €133 billion in 2019. If the €60 million fine had taken place last year it would have represented only 0.045% of the turnover and 0.4% of the profits.

These outrageous amounts of money may lead us to believe that only large organizatioons are affected by sanctions. This is not necessarily the case, in the middle of the ranking, we can also find universities, municipalities, hotels, etc. Finally, at the bottom of the ranking for the year 2020, we find GDPR fines starting at €48 for individual businesses.

As we can see, all companies, whatever their sector or size, can be hit by sanctions if they do not comply with the GDPR.

What should your GDPR compliance next steps be?

To start with GDPR and avoid the aforementioned sanctions, 4 general best practices should be followed:

Make an inventory of your data

In order to comply with the GDPR, businesses must have a data register. At a minimum, it must include the purpose of the data (or finality), the category, the accessibility (who can access it and why?) and the retention period.

Sort your data

The GDPR emphasizes that each data item must be collected for a specific purpose and necessary for the functioning of the company’s activity. Deleting unnecessary or obsolete data will reduce the processing of data and therefore reduce or even eliminate certain tasks and costs.

Respecting people’s rights

Individuals whose data is processed must be informed by the business about the reason(s) for the collection, what allows them to do so, the duration of time the data is held and how individuals can exercise their rights.

Regarding the latter, it is necessary for organizations to make every possible effort to simplify the  way people can exercise their rights (right to information, opposition, access and modification, and finally deletion.

Securing data

Data security is a very broad field and is not limited to data encryption. It would be difficult to say what measures should be taken, as these can vary greatly depending on the company and the data being processed.

Nevertheless, some general rules common to all companies can be applied as:

In addition, we can mention some rules concerning data:

To sum up

There are many rules governing the implementation of the GDPR. Its implementation can be tedious and must be customised depending on the company and the data that it processes.

Nevertheless, a proper implementation will increase the efficiency of your treatments and protect you from disciplinary action.