While penalties haven't quite reached the magnitude of last year, fines have broken the hundred million euro mark. Violations have involved unauthorised access to personal data, the transfer of sensitive information and the collection of employee data. We investigate the breaches behind the fines so that your company can avoid similar penalties.
Top GDPR fines in 2024
- LinkedIn - €310m fine
- Uber Technologies Inc., Uber B.V. - €290m fine
- Meta Platforms Ireland Limited - €91m fine
- Enel Energia SpA - €79.1m fine
- Amazon France Logistique - €32m fine
- Clearview AI Inc. - €30.5m fine
- Avast Software - €13.9m fine
- Eni Plenitude S.p.A. - €6.4m fine
- Apoteket AB. - €3.2m fine
- Hellenic Post - €2.9m fine
- UniCredit S.p.a. - €2.8m fine
- Vinted - €2.3m fine
- TikTok - £1.8m fine
- Avanza Bank AB - €1.3m fine
- CAIXABANK, S.A - €1.2m fine
- mBank - €940k fine
- Postel S.p.A - €900k fine
- Verkkokauppa.com - €856k fine
- NTT Data Italia S.P.A - €800k fine
- Apohem AB - €698k fine
We continuously track the largest data protection fines yearly and have highlighted the biggest GDPR fines of all time.
The biggest 2024 GDPR fines in detail
1. LinkedIn - €310m fine
GDPR breaches - Art. 5 (1) a), Art. 6 (1) a), e), f), Art. 13 (1) c), Art. 14 (1) c)
The Irish Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million and issued a reprimand following an investigation into the company's processing of personal data for behavioral analysis and targeted advertising.
The inquiry, initiated after a complaint from the French Data Protection Authority, found that LinkedIn’s data practices violated several provisions of the General Data Protection Regulation (GDPR).
The breaches included unlawful data processing, invalidly relying on consent, legitimate interests, and contractual necessity as legal bases for behavioral analysis and advertising. LinkedIn also failed to provide sufficient transparency about these practices, violating Articles 13 and 14, and breached the fairness principle under Article 5.
2. Uber Technologies Inc., Uber B.V. - €290m fine
GDPR breach - Art. 44
The Dutch Data Protection Authority (DPA) has fined Uber €290 million for violating the GDPR by transferring European taxi drivers' sensitive personal data to the United States without adequate protections. This data included payment details, identity documents, location data, and even medical and criminal records.
The DPA deemed the lack of safeguards, such as proper data transfer tools or contracts, a severe breach of GDPR, particularly since the invalidation of the EU-U.S. Privacy Shield in 2020 required heightened measures for cross-border data transfers.
The investigation was triggered by complaints from over 170 French drivers, with the DPA collaborating closely with French and other European regulators. While Uber has since rectified the violation, it plans to appeal the fine.
This marks Uber's third penalty from the DPA, following fines in 2018 and 2023. Under GDPR rules, penalties can reach up to 4% of a company’s global annual turnover which, for Uber, was €34.5 billion in 2023.
3. Meta Platforms Ireland Limited - €91m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1), Art. 33 (1), (5)
The DPC has fined Meta Platforms Ireland Limited (MPIL) €91 million for GDPR violations stemming from the mishandling of social media users' passwords. The investigation began in 2019 when Meta disclosed that certain user passwords were stored in plaintext on its internal systems without encryption, exposing them to potential misuse.
The DPC found that Meta failed to implement adequate technical and organisational measures to secure these passwords, breaching GDPR principles of integrity and confidentiality.
While Meta claimed no evidence of improper access or abuse, the DPC highlighted the heightened sensitivity of passwords due to their potential to grant access to users' accounts. Meta has since rectified the issue and cooperated with the investigation.
4. Enel Energia SpA - €79.1m fine
GDPR breaches - Art. 5 (1) f), Art. 5 (2), Art. 24 (1), Art. 25, Art. 28, Art. 32
The Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against ENEL Energia for telemarketing misconduct. This follows the cancellation of a previous €26.5 million fine due to procedural delays.
The Garante criticised ENEL Energia for not implementing adequate measures to prevent telemarketing abuses but acknowledged the company's efforts to improve security.
The regulator found that Enel Energia violated GDPR Articles 5(1)(f) and 32 by failing to properly assess risks associated with its CRM interface and not implementing adequate measures to secure access credentials, preventing their sharing. This oversight allowed unauthorised agency employees to access and process personal data within Enel Energia's contractual system.
5. Amazon France Logistique - €32m fine
GDPR breaches - Art. 5 (1) c), Art. 6, Art. 12, Art. 13, Art. 32
Amazon France Logistique has been fined €32m by the French Data Protection Authority (CNIL) for its excessively intrusive monitoring system of employee activity. In addition to this, the company was penalised for video surveillance processing and the failure to ensure the security of personal data.
The company oversees the management of Amazon's large warehouses in France. Employees are equipped with scanners to track tasks like item storage, retrieval, and packaging in real time.
Data from these scans is recorded and utilised to assess employee performance, including metrics on productivity, quality, and downtime. After media reports raised concerns about warehouse practices, the CNIL conducted investigations prompted by both media coverage and employee complaints.
The watchdog concluded that Amazon did not require access to the minor data captured by these scanners to plan work in its warehouses. In addition to not properly informing workers about video surveillance and the system being extremely intrusive, it was found that this put undue stress on its workforce.
6. Clearview AI Inc. - €30.5m fine
GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 9 (1), Art. 12 (1), (2), Art. 14 (1), (2), Art. 27 (1)
The DPA has fined Clearview AI €30.5 million, with additional penalties exceeding €5 million, for serious GDPR violations. Clearview, a U.S.-based facial recognition company, illegally created a database of over 30 billion facial images, including those of Dutch citizens, by scraping photos from the internet without individuals’ knowledge or consent.
The company’s services, primarily marketed to law enforcement and intelligence agencies outside the EU, allow users to identify individuals from CCTV footage using its database.
The DPA found that Clearview violated GDPR by creating a biometric database without legal grounds, lacking transparency, and failing to comply with individuals’ requests to access their data. This practice is particularly concerning due to the highly sensitive nature of biometric data, which is legally protected under GDPR.
DPA Chairman Aleid Wolfsen emphasised that such technology should not be commercially exploited and must only be used by authorised authorities in exceptional cases, with strict oversight. The DPA warned against using Clearview’s services, citing the need to draw clear boundaries around the misuse of facial recognition technology.
7. Avast Software - €13.9m fine
The Czech Republic's Office for Personal Data Protection (ÚOOÚ) fined Avast Software approximately $14.8 million for violating GDPR. The investigation revealed that in 2019, Avast's Czech branch, Jumpshot, INC., processed personal data from Avast antivirus software and browser extensions without authorisation.
Avast transferred data from 100 million users to Jumpshot, which marketed insights into online consumer behaviour to third parties. ÚOOÚ found that Avast misled users about its anonymisation techniques, which allowed some data subjects to be reidentified.
Jiří Kaucký, Chairman of ÚOOÚ, highlighted that Avast, known for its cybersecurity expertise, unexpectedly compromised user data, potentially revealing identities, interests, preferences, and other personal details. Avast disputes the regulator’s findings and is considering further legal action.
Previously, in February, Avast agreed to a $16.5 million settlement with the Federal Trade Commission over similar charges. Avast ceased Jumpshot operations in 2020 and stopped selling browsing data for advertising purposes.
8. Eni Plenitude S.p.A. - €6.4m fine
GDPR breaches - Art. 5 (1) a), d), f), Art. 5 (2), Art. 6, Art. 24, Art. 25, Art. 28, Art. 130
In June 2024, the Italian Data Protection Authority (Garante) announced a €6.4 million fine against Eni Plenitude S.p.A. for GDPR violations.
The investigation, initiated after 108 reports and seven complaints, revealed the company conducted unwanted promotional calls to individuals without proper consent, including calls to numbers listed on the Do Not Call Registry.
The Garante found Eni Plenitude in breach of GDPR Articles 5(1)(a), (d), and (f), which address principles of lawfulness, accuracy, and data security in processing personal information. The case highlights the importance of obtaining proper consent and respecting privacy regulations in marketing practices.
9. Apoteket AB. - €3.2m fine
GDPR breach - Art. 32 (1)
The Swedish Data Protection Authority (IMY) fined Apoteket AB €3.2 million and Apohem AB €698,000 for GDPR violations stemming from the improper use of Meta's Pixel tool, which resulted in the unauthorised transfer of sensitive personal data to Meta's advertising platforms.
This data included non-prescription drug purchases, such as self-tests and treatments for venereal diseases. Both companies failed to detect and address the issue until it was externally reported, reflecting inadequate internal oversight.
This case is part of a broader regulatory push, with similar fines imposed on Avanza Bank AB (€1.3 million) for transferring sensitive financial data of up to 1 million customers over 18 months due to a misconfigured Meta Pixel.
Following these incidents, Apoteket and Apohem updated their procedures and reported the breaches to IMY in 2022, ensuring compliance with GDPR standards moving forward.
10. Hellenic Post - €2.9m fine
GDPR breach - Art. 5 (1) f), Art. 32
The Hellenic Data Protection Authority (HDPA) fined Hellenic Post S.A. (ELTA) €2,995,140 for GDPR violations following a data breach. The breach, caused by a malicious cyberattack, resulted in leaked personal data being published on the dark web.
Attackers exploited weaknesses in ELTA's system, gaining unauthorised remote access to workstations and files, compromising network management account passwords, and installing malicious processes.
The HDPA's investigation revealed that ELTA failed to implement adequate technical and security measures, violating Article 32 of the GDPR. Additionally, ELTA did not restrict access to personal data to authorised individuals only, breaching Article 5(1)(f).
This case underscores the importance of robust cybersecurity and strict access controls to protect personal data.
11. UniCredit S.p.a. - €2.8m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1), (2)
The Italian data protection authority, Garante, fined UniCredit S.p.A. €2.8 million for breaching the General Data Protection Regulation (GDPR). UniCredit reported a data breach in October 2018 following a cyberattack on its mobile banking system.
Personal data, excluding bank details, of certain customers were compromised. The breach posed a high risk to customers' rights and freedoms, requiring UniCredit to notify affected individuals.
Garante's investigation showed that UniCredit failed to ensure compliance with data processing standards and implement proper technical measures to limit unauthorised access to personal data. Despite no complaints from affected individuals and immediate security improvements post-breach, UniCredit was fined for GDPR violations and given 30 days to pay the fine.
12. Vinted - €2.3m fine
GDPR breaches - Art. 5 (1) a), Art. 5 (2), Art. 12 (1), (4)
The Lithuanian State Data Protection Inspectorate (SDPI) fined Vinted UAB €2,385,276 in July 2024, for violating GDPR principles regarding user data rights. The investigation stemmed from complaints filed by French and Polish data protection authorities about Vinted's mishandling of data erasure requests and user data access.
Vinted denied users' right-to-be-forgotten requests without valid grounds, failed to explain its continued data processing, and engaged in "shadow blocking"—processing personal data of flagged users without their knowledge to encourage them to leave the platform.
Additionally, Vinted lacked sufficient technical measures to demonstrate compliance with data access rights. The SDPI's fine considered Vinted's cross-border operations, the large number of users impacted, and the prolonged nature of the infringements.
The decision was coordinated with data protection authorities across multiple EU countries, including France, Germany, and Poland, under GDPR’s one-stop-shop mechanism.
13. TikTok - £1.8m fine
GDPR breaches - s368Z10 & s368Y of the Communications Act 2003
The Office of Communications (Ofcom) fined TikTok Information Technologies UK Limited £1.875 million for inaccurately responding to a formal request about its parental controls safety feature.
Ofcom needed this information to assess the feature's effectiveness and produce the Child Safety Report. TikTok initially responded on September 4, 2023, but admitted on December 1, 2023, that the data was inaccurate.
An investigation revealed TikTok's insufficient checks and slow error correction, with accurate but incomplete data submitted over seven months late. Ofcom found TikTok in breach of the Communications Act and imposed the fine, which includes a 25% reduction due to TikTok's acceptance of the findings and case settlement.
14. Avanza Bank AB - €1.3m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1)
The Swedish Authority for Privacy Protection (IMY) has fined Avanza Bank AB SEK 15 million for GDPR violations after the bank’s use of the Meta pixel resulted in the unauthorised transfer of sensitive customer data to Meta.
The breach, which occurred between November 2019 and June 2021, exposed personal information of up to one million individuals, including securities holdings, account numbers, loan amounts, and social security numbers.
The incident was caused by Avanza inadvertently activating additional functionalities of the Meta pixel on its website and app, which it had been using to optimise marketing on Facebook.
IMY’s investigation concluded that Avanza failed to implement adequate technical and organisational measures to protect customer data, violating GDPR’s security requirements.After identifying the issue, Avanza deactivated the pixel and confirmed with Meta that the collected data had been deleted.
The bank has since improved its internal procedures to strengthen data protection and ensure compliance with GDPR.
15. CAIXABANK, S.A - €1.2m fine
GDPR breaches - Art. 6 (1)
The Spanish Data Protection Authority (AEPD) has fined CaixaBank Payments & Consumer EFC, EP, S.A.U. €2 million, later reduced to €1.2 million, for violating the GDPR following a complaint.
The issue arose when CaixaBank required the complainant to consent to the retrieval of their data from the General Treasury of Social Security (TGSS) as part of a non-negotiable clause in a form, threatening to block the complainant's account if they did not comply.
The AEPD found no legal basis for CaixaBank to demand such data without proper consent and determined that the claimant should have been able to withdraw consent without consequences.
This led to the conclusion that CaixaBank violated Article 6(1) of the GDPR for processing data without a legal basis. The fine was reduced after CaixaBank utilised the voluntary payment procedure and acknowledged its responsibility.
16. mBank - €940k fine
GDPR breaches - Art. 34 (1), (2)
mBank has been fined PLN 4,053,173 by the President of the Personal Data Protection Office for failing to notify customers of a data breach, which is a violation of GDPR. The incident occurred on 30 June 2022, when an employee mistakenly sent customer documents to an unauthorised financial institution.
Although the documents were returned, they were opened, which means third parties could have accessed sensitive personal information, including names, bank account numbers, PESEL numbers, and other financial details.
Despite being required to notify the affected individuals, mBank did not inform its customers, arguing that the documents were sent to a trusted institution bound by banking secrecy, which the bank believed negated the need for disclosure.
However, the Personal Data Protection Office stated that the "trusted entity" argument was insufficient, as it is not the recipient’s trust status but the nature of the relationship between the sender and recipient that determines whether the breach should be reported.
The President emphasised that the failure to notify the data subjects about the breach left them unable to mitigate the potential harm.
17. Postel S.p.A - €900k fine
GDPR breaches - Art. 5 (1) f), Art. 25, Art. 32, Art. 33
The Italian data protection authority (Garante) imposed a €900,000 fine on Postel S.p.A. for GDPR violations following a ransomware cyberattack. The attack, which occurred on 17 August 17 2023, led to the exfiltration and publication of personal data on the dark web.
The affected data included sensitive information about workers, job candidates, and company representatives, impacting around 25,000 individuals.
The Garante found that Postel failed to include all necessary details in its breach notification, did not implement sufficient security measures, and neglected to address vulnerabilities identified by Microsoft and the National Cybersecurity Agency in 2022.
As part of the enforcement, Postel was ordered to assess its system vulnerabilities, create a detection and management plan, and ensure faster detection and response to future risks.
18. Verkkokauppa.com - €856k fine
GDPR breaches - Art. 5 (1) e), Art. 25 (2)
The Office of Data Protection Ombudsman (Ombudsman) has imposed a fine of €856,000 on Verkkokauppa.com Oyj for breaching the GDPR following a customer complaint.
The investigation stemmed from a customer's complaint about Verkkokauppa's requirement for creating a customer account before online purchases. It was also found that Verkkokauppa was indefinitely storing customer data, relying on customer deletion requests to determine the length of data retention time.
The Ombudsman found Verkkokauppa in violation of GDPR for mandating customer account creation unnecessarily and lacking a defined retention period for customer data. They were fined and instructed to establish a proper data retention policy and revise account creation procedures. Additionally, Verkkokauppa received a notice for violating data protection regulations.
19. NTT Data Italia S.P.A - €800k fine
GDPR breaches - Art. 28 (2), Art. 33 (2)
The Italian data protection authority, Garante, fined NTT Data Italia S.P.A €800,000 for GDPR violations. This fine relates to the above-mentioned Unicredit penalty.
Garante revealed that UniCredit reported a cyber attack in October 2018 involving its mobile banking system, leading to unauthorised access to customers' personal data, excluding bank details. Garante deemed it a high-risk breach and mandated UniCredit to inform affected customers.
Additionally, Garante investigated NTT Data Italia, responsible for UniCredit's security assessments from October 1 to 26, 2018. It found that NTT Data Italia subcontracted assessment tasks without proper authorisation from UniCredit, breaching GDPR Article 28(2).
The Garante noted that NTT DATA Italia received the vulnerability assessment and penetration testing report from the third party they had contracted but failed to inform UniCredit of the findings promptly.
20. Apohem AB - €698k fine
GDPR breach - Art. 32 (1)
The Swedish Data Protection Authority (IMY) imposed significant fines on two companies, Apoteket AB and Apohem AB, for GDPR violations related to their use of the Meta Pixel tool on their websites.
Apoteket reported that personal data, including names, social security numbers, and email addresses, was mistakenly transferred to Meta due to incorrect settings in the Meta Pixel tool, which was being used for marketing optimisation.
Apohem made a similar report regarding the unauthorised transfer of customer data, including names, IP addresses, and phone numbers, also caused by improper settings in the Meta Pixel.
IMY found both companies in violation of GDPR Article 32(1) for failing to implement adequate technical and organisational measures to ensure the security of personal data. As a result, Apoteket was fined SEK 37 million (approx. $3.6 million), and Apohem was fined SEK 8 million (approx. $780,000).
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.
