1. Amazon – €746 million

Amazon was handed a mammoth €746 million EU GDPR fine by Luxembourg’s National Commission for Data Protection in July 2021 and it dwarfs all previous breaches. The online retail behemoth has its EU base in Luxembourg and it has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed the fine, stating that it “strongly” disagrees with the Commission’s findings. It isn’t the first time Amazon has fallen foul of data protection regulations. The French Data Protection Authority (CNIL) fined the company €35 million in late 2020 for its alleged failure to provide cookie consent and associated information to users on its website.

2. WhatsApp – €225 million

2021 wasn’t just notable for the biggest GDPR fine on record. It also saw the second-highest financial penalty when WhatsApp was given a massive €225 million fine in August by Ireland’s Data Protection Commission. This was as a result of breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Specifically, WhatsApp came up short in providing information to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” and “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. As was the case with Amazon, WhatsApp also decided to appeal this decision.

3. Notebooksbilliger.de – €10.4 million

2021 kicked off with a significant fine for German online electronics retailer notebooksbillger.de. On January 8, the data protection commissioner for the German state of Lower Saxony announced that the company would be subject to a €10.4 million fine for violating the GDPR’s data protection rules. For more than two years, notebooksbilliger.de had been monitoring its employees and customers with CCTV cameras while the recordings were stored for up to 60 days. While the GDPR does not prohibit the use of CCTV, surveillance must be a legitimate response and conducted with a proper legal basis.

4. Austrian Post – €9.5 million

September saw the largest GDPR fine in Austria’s history when the country’s national post service was slapped with a €9.5 million fine. The company was sanctioned for failing to enable people to make inquiries about stored personal data via email. This was despite the fact that Austrian Post has already made this possible through several mediums such as letter, online forms and customer service. However, the Austrian Data Protection Authority said that the post service should have allowed rights requests to be sent by any medium desired, including email.

Biggest GDPR fines by country

Check Also

EU court lowers requirements for imposing fines for data protection breaches

The European Court of Justice issued a landmark ruling on Tuesday (5 December) that is set…