- Highest GDPR fine of 1.2 billion euros imposed by the Irish data protection authority in May 2023 for a breach of the rules on international data transfers. Further fines imposed by this authority in 2023 amounted to hundreds of millions of euros.
- The main violations are "Insufficient legal basis for data processing" and "Failure to comply with the general principles of data processing". The next most common violation is "Insufficient technical and organizational measures to ensure information security".
- Spain tops the list of countries with the most fines for the fifth year in a row, followed by Italy and Romania. Ireland, Luxembourg and France have the highest average fines and total amounts per country.
Berlin – Today, international law firm CMS has published the fifth edition of its annual Enforcement Tracker Report. The English-language report shows the developments of all publicly known GDPR fines based on CMS's own online database, GDPR Enforcement Tracker.
The current edition of the report covers the analysis period between March 2023 and March 2024. 510 fines were added for the past year as of the editorial deadline on 1 March 2024. This brings the total number of data protection fines since the GDPR came into effect in May 2018 to 2,225, or 2,086 if only fines with full details such as the amount of the fine, date and authority are counted.
The total amount of fines since the start of the survey is around 4.5 billion euros. This means that fines of around 1.7 billion euros have been added compared to last year's Enforcement Tracker Report. This shows that authorities are no longer shying away from imposing high fines. The average fine for the entire reporting period was around 2.1 million euros, with high fines against "big tech" companies in 2021/22 and the first fine in the billions in 2023 having a particularly heavy impact.
"At the top of the list of GDPR fine triggers is, once again, insufficient legal basis and non-compliance with the general data processing principles as well as insufficient technical and organisational measures. Companies should pay particular attention to this," says Christian Runte, lawyer and partner at the international commercial law firm CMS Germany.
Dr Alexander Schmid from the Enforcement Tracker team at CMS Germany adds: "In addition to data protection authorities, the courts have also increasingly dealt with the interpretation of the GDPR. For example, the Court of Justice of the European Union has further clarified the scope of data subjects' right of access. These rulings create more clarity, but at the same time tighten the requirements for companies, which is why, in addition to a viable compliance concept, current developments will also be decisive for them in practice in the future."