Spain tops list of EU countries for number of GDPR fines issued

The study, published by Proxyrack, looked at all the fines issued under the General Data Protection Regulation (GDPR) since the laws were first established in the European Union in 2018.

Based on this data, it has revealed the countries issuing the most GDPR fines; the countries handing out the largest average fines; the company’s that have been hit with the heaviest fines to date, and the most common types of GDPR breaches.

In the past four years, EU governments have handed out fines totaling over £2.5bn, with the largest-ever individual fine being the one imposed by Ireland's Data Protection Commission (DPC) on Meta last May regarding the way the company transferred data between country borders. The fine was £1.04bn.

Out of the 28 nations in the EU, Spain is the country that has issued the largest number of GDPR-related fines (651). The latest significant sanction was that imposed on Google for unlawfully disclosing information to another company, with a fine of €10m (£8.5m).

Italy, Germany, Romania, Hungary and Greece are the next countries on the list, issuing 148, 144, 67 and 57 fines respectively.

The Proxyrack analysis also looked at the countries that had imposed the largest average fines.

Ireland was at the top of this list, with an average of over £90.9m GDPR fines in the past four years. The country has been on a years-long battle with Meta over its handling of user data, which has resulted in numerous multi-million euro fines against the owner of Facebook, Instagram and WhatsApp.

In January this year, it was revealed that Meta alone was required to pay over 80 per cent of all fines levied by the EU in 2022 for GDPR violations, with its bill running to over £500m. To date, Meta has paid around €1bn for GDPR violations.

The next countries on this list are Luxembourg (£20.9m), France (£7.4m), and the United Kingdom (£5.7m).

Further findings from the study have revealed the most common type of GDPR data breach is an “insufficient legal basis for data processing” - totalling 541 cases. This is the fine that is imposed on companies that obtain users' data for advertisement purposes without their consent. 

The second and third most-common reasons for fines are non-compliance with general data processing principles (425) and insufficient technical and organisational measures to ensure information security (318). 

Earlier this year it emerged that three-quarters of GDPR-related decisions made by the DPC in EU-wide cases since 2018 were subsequently overruled by the European Data Protection Board (EDPB), which felt that the Irish watchdog’s decisions were not sufficiently stringent.

In the UK, the government has begun moves to reform GDPR data protection laws, claiming that the purported post-Brexit freedoms would remove the “unnecessary bureaucracy” of data protection laws inherited from the EU.