Firms have paid out more than $4.8 billion in GDPR fines since 2018

Data protection and GDPR concept image showing multiple padlocks on a green background with one opened padlock.
(Image credit: Getty Images)

Businesses have forked out €4.5 billion for GDPR violations over the last six years, with Spain, Italy, and Germany imposing the biggest fines.

Research from security firm NordLayer shows that the EU's individual data protection authorities (DPAs) have between them issued 2,072 violation decisions under the legislation since 2018.

"We've witnessed businesses across industries change their data handling practices and invest in security measures to achieve compliance," said Carlos Salas, cyber security expert at NordLayer.

"While full compliance has been challenging for many companies, the GDPR's impact in empowering individuals and holding organizations accountable for data mishandling cannot be overstated. It has reshaped the digital landscape, forcing a much-needed prioritization of privacy rights."

Spanish businesses were the worst offenders, violating GDPR 842 times and paying out €80 million in fines since 2018. 

Italy was second on the list: its organizations received 358 fines, fewer than half as many as Spain, but paid nearly three times as much, at almost €229 million.

German organizations received 186 fines, totalling €55 million in penalties. Romanian businesses weren't far behind with 179 fines, but have paid only €1.1 million. Poland rounds out the top five, with companies receiving 73 fines worth nearly €4 million.

Ireland isn’t scared to dish out GDPR fines

In terms of the biggest payouts, it's Ireland that stands out, with €2.8 billion in fines issued since 2018. The main reason, of course, is that many of the largest tech companies, such as Meta and TikTok, have registered their European subsidiaries there and have been hit with fines running into the hundreds of millions of euros.

Indeed, it's Meta that's far and away the biggest violator of GDPR, having been slapped with six of the EU's ten biggest fines.

The biggest cost the company €1.2 billion, for insufficient legal basis for data processing in 2023. There were also two fines of around €400 million for non-compliance with general data processing principles.

In 2021, Amazon had to pay €746 million to Luxembourg’s data protection authorities; while last year, TikTok paid €345 million. Google was punished twice in 2021 for having insufficient legal basis for data processing, and paid €90 million and €60 million for separate violations.


And it's insufficient legal basis for data processing that's the most common reason for a fine, with 635 cases since 2018, costing companies €1.6 billion. For non-compliance with general data processing principles, organizations were fined 578 times and paid over €2 billion.

"Achieving and maintaining GDPR compliance is an ongoing journey, not a one-time destination," Salas said.

"Data protection regulations evolve, and cyber threats become more sophisticated, so businesses must remain proactive in their data privacy and security approach."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.