Six years of GDPR
4.5 billion euros in fines in six years
The GDPR turns six. Spain, Italy and Germany are the frontrunners when it comes to breaches of the General Data Protection Regulation. The individual data protection authorities have identified 2072 infringements, resulting in fines amounting to 4.5 billion euros.
Around six years ago, on May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into force. Research by Nordlayer, a network security company, has shown that during these six years, supervisory authorities have reported a total of 2072 breaches, resulting in fines of 4.5 billion euros.
German companies had the third-highest number of fines at 186, which equates to 55 million euros in fines. The highest fine was imposed in October 2020. H&M's online store was fined 35 million euros for an inadequate legal basis for data processing, according to Nordlayer.
Ireland is the leader in fines
Spanish companies violated the GDPR 842 times and paid 80 million euros as a result. Companies in Italy were convicted 358 times and paid almost 229 million euros. Companies based in Ireland have paid the most for their infringements. Since 2018, 2.8 billion euros have been paid in fines. The main reason for this is that several large tech companies such as Meta and TikTok have registered their European branches there and have been fined millions.
The largest companies and their violations
The highest fines per company after six years of GDPR, determined by GDPR Enforcement Tracker and provided by Nordlayer.
According to NordLayer, Meta is by far the most frequent violator of the General Data Protection Regulation. Of the ten highest fines, six are attributable to the company (four for Meta, one for Facebook and one for WhatsApp). The largest infringement cost the company 1.2 billion euros for an inadequate legal basis for data processing in 2023. Two other times, around 400 million euros had to be paid for non-compliance with the general principles of data processing.
In 2021, Amazon had to pay 746 million euros to the data protection authorities in Luxembourg. Last year, TikTok paid 345 million euros for violations of the GDPR. Google was held accountable twice in 2021 for non-compliance with the general principles of data processing and paid 90 million euros and 60 million euros respectively for the violations.
"Achieving and maintaining compliance with the GDPR is an ongoing task, not a one-off goal," says Carlos Salas, cybersecurity expert at NordLayer. "Data protection laws are evolving and cyber threats are becoming more complex, so companies need to remain proactive when it comes to data protection and security."
The methodology of the study
The above statistics were obtained by analyzing aggregated data from the GDPR Enforcement Tracker database (overview of fines for GDPR violations) from May 16. CMS, an international law firm, has analyzed all figures on the website.














