Skip to main content

Top 10 Countries with Most GDPR Fines

The General Data Protection Regulation, or the GDPR, is the leading privacy law in Europe. It became effective in 2018, and since then, many companies have been fined for non-compliance. Some countries have issued a significant number of fines compared to others though.

For instance, Spain leads the pack with 273 sanctions – they account for almost a third of all GDPR penalties. On the other hand, the U.K. has only imposed about 5 since the regulation’s inception. Keep reading to learn which European countries have imposed the most GDPR fines!

Top 10 GDPR fines October 2021
Top 10 Countries with GDPR Fines October 2021

1. Spain – GDPR Fines

Spain has issued the most GDPR fines out of all the European countries, with an impressive 273 sanctions. They have imposed so many fines that they surpass the next country on the list by 200 incidences.

Of the 273 penalties that they have charged, the average was just over €118,000. The total amount fined to date is €32,440,810. So, which companies are included in this long list of fines?

The AEPD fined Vodafone Spain €8.15 million – which equates to $9.72 million. This was the largest single fine the country has given so far, as they were found guilty of violating the GDPR through their marketing activities. By failing to take sufficient measures to process personal data lawfully, they did not comply with the applicable regulations.

2. Italy – GDPR Fines

The country that has imposed the second most fines related to the GDPR is Italy. They have required companies to pay an impressive €84,493,770 across 75 individual sanctions. Unlike other countries that have a relatively low average, Italy’s average GDPR fine is €1,126,584.

For example, The Italian SA fined Gruppo TIM €27.8 million for breaching GDPR requirements for collecting and processing data for marketing purposes. This violation affected millions of individuals in the country, which is why the penalty was so significant.

3. Romania – GDPR Fines

Romania ranks third on our list of countries that have issued the most GDPR fines. They have imposed a total of 60 sanctions that add up to €699,550 in mandated payments. Although they have issued more penalties than most countries in the EU, the total dollar value is relatively low – so the average is just shy of €12,000 per fine.

They recently required World Class Romania S.A. to pay €2,000 after breaching Article 32 of the GDPR. The organization unlawfully published a former employee’s resignation request, and that violates the privacy regulations.

Cookie Consent Manager | Take a 2 week free trial

Take a 2 week free trial for our paid plans or create a free account …

Create an accountView our plans

4. Hungary – GDPR Fines

Hungary is next, with 43 fines that add up to €811,883. The NAIH is their data protection authority, and the average penalty they impose is €18,881.

Several of their sanctions have related to processes surrounding data retention, information management, and cybersecurity.

5. Norway – GDPR Fines

Coming in at number 5 on our list of top 10 countries with the most GDPR fines is Norway, with 31. Some of these sanctions include unlawful data transfers to third parties in China and other countries – they did not have a legal basis to process such transactions.

In total, these 31 sanctions amount to €1,535,350.

6. Germany – GDPR Fines

Germany is close behind with 28 imposed fines, averaging €1,756,673 apiece. That brings their total penalties to €49,186,833, though, which is significantly higher than many other countries on our list.

A notable case involved H&M, a popular global retailer. They were fined over €35 million in 2020 after they were caught unlawfully monitoring employees. They used meeting recordings to access private information like family issues and religious beliefs – then used that to make employment decisions.

7. Sweden – GDPR Fines

Another nation that makes the list of top 10 countries with the most GDPR fines is Sweden. To date, they have imposed 26 fines. Each of them has been rather significant – the average is €697,374! Likewise, that means the total dollar amount of penalties reached over €18 million.

The country recently made an example of Capio St. Goran, a healthcare provider. Their audit uncovered insufficient access controls, inappropriate risk management assessments, and more – so they were fined €2.9 million.

8. Belgium – GDPR Fines

When compared to other countries in the EU, Belgium comes in 8th in terms of imposing fines related to the GDPR legislation. They have charged an organization with breaching privacy regulations and forced them to pay as a result, a total of 25 times since the laws were enacted.

These penalties sum to €1,018,000, which means the average sanction was €40,720.

Are your an agency, webdesigner or another reseller?

Earn 30% commission, take a look at our reseller model or contact us for numbers larger than 500 clients

Calculate your revenue

9. Poland – GDPR Fines

Poland has imposed 24 fines on various organizations for failing to comply with the GDPR. When combined, these fines total €2,069,798.

One of their most notable sanctions involved a fine of €220,000 after a company failed to meet the transparency requirements set forth under privacy laws. Over six million individuals were affected by this breach.

10. Bulgaria – GDPR Fines

Last on our list is Bulgaria, which has issued 20 GDPR-related sanctions. These fines totaled €3,210,690, which puts their average penalty at €160,535.

It is important to note that the bulk of the money collected came from one fine imposed on the National Revenue Agency. They were charged €2.6 million after they had a data breach that affected 5 million residents. Sensitive data like their names and tax information were leaked, and the Bulgarian DPA ruled that the measures they had in place to protect their systems were not sufficient.

Other Notable GDPR Fines

Now that you know the top 10 countries that have issued the most GDPR fines, you might be thinking that they cover the largest penalties ever imposed. However, the most significant penalties did not come from the countries on this list.

Amazon received the largest sanction in the history of privacy regulations due to breaching the GDPR. They will need to pay a whopping €746 million – or $888 million – to the CNPD, which is Luxembourg’s data protection authority. The online retailer was accused of improperly processing the private information of its citizens.

Another significant fine that didn’t make this list is the one France’s data protection authority, or the CNIL, imposed on Google. The fine totaled €50 million, which is equal to $50 million, and was issued after their ad personalization process violated GDPR standards.


Get consent before loading third party tracking scripts

CookieFirst aims to make ePrivacy and GDPR compliance easy and quick to implement. The CookieFirst platform offers third-party script and consent management, statistics, periodic cookie scans, automated cookie declaration, banner customization, multiple language options, and more. Avoid large fines and get consent before loading third-party tracking scripts — try CookieFirst!