Feb 23
GDPR Fines - Trends in Enforcement - Q4 2021

GDPR Fines – Trends in Enforcement – Q4 2021

Following our original post, GDPR Fines – Trends In Enforcement, we’re checking what happened next.

The total

In the last quarter of 2021, data protection authorities have steadily continued dishing out fines. These fines across the EEA amounted to 17.2 million euros (93 fines in total).

Most common fines by violation type

By total fine amount

The by far leading violation type in terms of fines continues to be the insufficient legal basis for data processing amounting to 12.4 million euros.

Number two and three have switched places compared to our previous analysis:

#2 Non-compliance with general data processing principles (2.1 million euros)

#3 Insufficient technical and organisational measures to ensure information security (1.7 million euros).

By number of fines

Insufficient legal basis for data processing (18 fines) is still in the lead for #1 most common fine type by number of individual cases.

When we compare the data to the number of individual fines issued until our previous blog post in September 2021, we see that also here #2 and #3 of the most common fine types have changed positions:

#2 Non-compliance with general data processing principles (15 fines)

#3 Insufficient technical and organisational measures to ensure information security (12 fines)

Most active data protection authorities

The Norwegian authorities have stepped up their fines game and are leading the fines ranking in terms of the fine sum total (6.8 million euros). This is due to the 6.3 million euros fine imposed on the dating app Grindr for the unlawful sharing of personal data with third parties for marketing purposes.

In second place we see the Spanish authorities with issued fines amounting to 3.4 million euros. Again, this number is heavily influenced by a single fine – namely, a 3 million euros fine against Caixabank based on insufficient legal basis for data processing.

And in third place we have the Netherlands with fines issued amounting to 3.15 million euros. The Dutch authorities issued two prominent fines: 2.75 million euros against the Ministry of Finance (insufficient legal basis for data processing) and 400 000 euros against the airline Transavia (insufficient technical and organisational measures to ensure information security).