Here's how often DPAs impose fines for breach of GDPR
In 2018, the European legislator laid the legal foundation for data protection in the EU with the General Data Protection Regulation (GDPR). Today, it already serves as a model for other jurisdictions around the world.
As a result, companies operating in the European market, regardless of size and industry, have been saddled with the obligation to adapt their internal processes to the far-reaching requirements of the GDPR. Even for large corporations, this has proven to be a time-consuming and resource-intensive challenge, let alone for small and medium-sized businesses.
The GDPR imposes strict penalties for infractions, calculated as a percentage of global revenue, which can reach many millions for large companies.
Initially, European data protection authorities seemed to focus on information and cooperation instead of warnings and fines – which led to some relaxation in many companies. However, in 2020, data protection authorities ramped up enforcement considerably.

Number of fines according to the GDPR Enforcement Tracker (cumulative)

Overall sum of fines according to the GDPR Enforcement Tracker (cumulative)
This statistical data reflects the publicly known cases. However, most of the proceedings of the data protection authorities take place behind closed doors, so the actual number of fines imposed remains largely unknown.
GDPR fine iceberg, inspired by CMS Legal
According to a recent study by DLA Piper, more than 130,000 personal data breaches were reported to European data protection authorities in 2021 alone – an average of 356 notifications per day, an 8% increase from the average of 331 notifications per day in 2020.
As a logical consequence, total fines have increased almost sevenfold compared to the previous year, reaching the billion mark, according to the study.
In a national comparison, Germany takes the top spot in terms of the number of data protection violations reported and, at 35 million euros, is also among the countries with the highest individual fines imposed.
According to published decisions of data protection authorities, insufficient legal basis for data processing and disregard of General Data Protection Principles are the most frequently fined offences.
The third most common offence is insufficient information security measures – a data protection breach that has attracted the attention of supervisory authorities in Austria, France, Italy, and Denmark in light of the CJEU’s Schrems II ruling.
Links:
For further information on how to avoid fines, we recommend the comprehensive guide by the legal experts of DataGuard: Fines and GDPR: How to avoid penalties.
Sources:
DLA Piper study on GDPR fines | GDPR Enforcement Tracker Report | enforcementtracker.com | DLA Piper GDPR fines and data breach survey