11 November 2022

Public GDPR fines are just the tip of the iceberg

The number of publicly known GDPR fines handed down each month has reached a significant level. However, analyses suggest that the published cases are only the tip of the iceberg.

In 2018, the European legislator laid the legal foundation for data protection in the EU with the General Data Protection Regulation (GDPR). Today, it already serves as a model for other jurisdictions around the world.

As a result, companies operating in the European market, regardless of size and industry, have been saddled with the obligation to adapt their internal processes to the far-reaching requirements of the GDPR. Even for large corporations, this has proven to be a time-consuming and resource-intensive challenge, not to mention for small and medium-sized businesses.

The GDPR imposes strict penalties for infractions, calculated as a percentage of global revenue, which can reach many millions for large companies.

Initially, European data protection authorities seemed to focus on information and cooperation instead of warnings and fines – which led to some relaxation in many companies. However, in 2020, data protection authorities ramped up enforcement considerably.

Number of fines according to GDPR Enforcement Tracker (cumulative)

Overall sum of fines according to the GDPR Enforcement Tracker (cumulative)

This statistical data reflects the publicly known cases. However, most of the proceedings of the data protection authorities take place behind closed doors, so the actual number of fines imposed remains largely unknown.

GDPR fine iceberg, inspired by CMS Legal

According to a recent study by DLA Piper, more than 130,000 personal data breaches were reported to European data protection authorities in 2021 alone – an average of 356 notifications per day, an 8% increase from the average of 331 notifications per day in 2020.

As a logical consequence, total fines have increased almost sevenfold compared to the previous year, reaching the billion mark, according to the study.

In a national comparison, Germany takes the top spot in terms of the number of data protection violations reported and, at 35 million euros, is also among the countries with the highest individual fines imposed.

According to published decisions of data protection authorities, insufficient legal basis for data processing and disregard of general data protection principles are the most frequently fined offences.

The third most common offence is insufficient information security measures – a data protection breach that has attracted the attention of supervisory authorities in Austria, France, Italy, and Denmark in light of the CJEU’s Schrems II ruling.

DLA Piper study on GDPR fines | GDPR Enforcement Tracker Report | enforcementtracker.com | DLA Piper GDPR fines and data breach survey
