The General Data Protection Regulation (GDPR) aims to help protect the rights of EU citizens against the misuse of their data. It concerns public institutions and companies that handle personal data of customers or employees.
The regulation entered into force in May 2018 and applies uniformly in all EU states and in Iceland, Norway and Liechtenstein. However, it also applies to companies that do business in this area, but have their headquarters elsewhere. Regulators can fine a company up to four percent of its annual global sales for violating GDPR rules.
746 million euros – July 2021
The American internet retailer Amazon received the record fine so far, 746 million euros (CZK 19 billion), from the EU for transferring personal data in violation of the rules for their protection; the fine was equivalent to roughly four percent of Amazon’s 2020 net profit of $21.3 billion. Amazon appealed.
405 million euros – September 2022
The American social network Instagram, which belongs to Meta, was fined 405 million euros (9.9 billion CZK) in Ireland. This is the second highest fine imposed under the European Union rules for the protection of personal data. An investigation by Ireland’s Data Protection Commission (DPC), which is Meta’s main regulator in the European Union, focused on how Instagram exposed the personal data of users between the ages of 13 and 17, including email addresses and phone numbers. The minimum age of Instagram users is 13 years. Meta said the fine is for old settings that it updated more than a year ago. The company does not agree with the monetary penalty and intends to appeal against it.
225 million euros – September 2021
The operator of the communication application WhatsApp was fined 225 million euros (CZK 5.7 billion) in Ireland for violating the right to privacy. According to Ireland’s Data Protection Commission (DPC), WhatsApp is breaking EU rules in how it handles users’ and others’ data, as well as how it shares it with other Facebook-owned apps. WhatsApp considers the announced fine to be unreasonable and has appealed.
50 million euros – January 2019
The American technology giant Google was fined 50 million euros (almost 1.3 billion CZK) by the French data protection authority CNIL. According to the office, the reason was a mistake in the handling of users’ personal data. Google appealed the French regulator’s decision, but the French Supreme Court upheld the fine last June.
35.3 million euros – October 2020
German authorities fined Swedish clothing retailer Hennes & Mauritz (H&M) 35.3 million euros (roughly 900 million crowns) for spying on employees. The surveillance of hundreds of workers at a service center in Nuremberg, Germany, including intimate details, violated privacy rules, according to authorities. “The amount of the fine is adequate to deter businesses from infringing on employees’ privacy,” said Hamburg’s data protection commissioner Johannes Caspar.
27.8 million euros – January 2020
The Italian mobile operator Telecom Italia (TIM) was fined 27.8 million euros (709 million crowns) by the Italian Office for Personal Data Protection. The fine was imposed on the basis of hundreds of complaints from 2017 to 2019 about unsolicited and harassing calls from the operator.
23 million euros – October 2020
British Airways has been fined 23 million euros (687 million crowns) by the British Data Protection Authority for failing to protect the personal and financial data of more than 400,000 customers in 2018. Before setting the final fine, the Information Commissioner’s Office (ICO) considered, among other things, the economic impact of the coronavirus crisis on its business. The final fine was thus significantly lower than the £183.4m the ICO had proposed a year earlier. British Airways announced in July this year that it had settled a dispute with clients and employees over a large-scale leak of personal data.
21.6 million euros – October 2020
The British ICO fined the hotel company Marriott International 21.6 million euros (550 million crowns) due to a large-scale data breach that may have affected up to 339 million guests. The data breach was the result of a cyberattack on the reservation system of the Starwood Hotels chain. The attack began in 2014 and was only discovered in 2018.
17 million euros – March 2022
The Irish Data Protection Commission (DPC) fined the American Internet company Meta Platforms 17 million euros (roughly CZK 420 million) in connection with a series of personal data security breaches in 2018. Meta Platforms operates the Facebook social network.