Who has been fined under GDPR?

Simon Edward • Aug 02, 2022

If you're in business, you'll be well aware of GDPR. But who are some of the big names to be fined for not complying with it?


If you're in business, you'll be well aware of GDPR – the legally binding EU regulation on data protection. As a result of this regulation, which in the UK was implemented under the Data Protection Act 2018, handling personal data has never been treated more seriously.


Since Brexit, GDPR no longer has a direct effect in UK law, but at the time of writing the DPA remains legally binding.


In EU states, companies who violate GDPR can face eye-watering fines. These vary in magnitude, but in the most serious cases can reach up to €20 million, or up to 4% of the total global turnover of the preceding financial year. Clearly, the EU means business when it comes to clamping down on data mishandling.


Before we take a look at some examples of companies fined under GDPR, here's a quick recap of what GDPR expects of European businesses.


GDPR: a rundown


GDPR applies to all companies who handle personal data, from sole traders to SMEs, from microenterprises to big tech.


Any personal data held by companies must be processed "fairly, lawfully and transparently" for a declared purpose. Data must be accurate, secure, and deleted when no longer needed.


GDPR provides stronger protections for our "sensitive information". This means that if a company stores information about your race, political opinions, or religious beliefs – to cite just a few examples – it must satisfy certain conditions.


GDPR also strengthens the rights of individuals to access, update, erase and restrict the processing of their data.


Who has been fined?


When GDPR was rolled out in 2018, regulators showed they meant business with a series of high-profile fines. Since the very first of these – levied against the Hospital do Barreiro in Portugal for allowing unauthorised staff to access patient files – European data protection authorities have collected €272 million in fines.


These have ranged from a Spanish landlord who spied on tenants to a Polish football club that shared personal details of referees on its website – all the way up to household names like Google, WhatsApp, and Amazon.


Google, 2019


In 2019, the French data regulator CNIL issued a fine of €50 million against Google. This was levied in response to Google's personalisation of ads. The regulator judged that users were "not sufficiently informed" about the ways that Google collected personal data to personalise ads. There was, it said, a lack of clarity surrounding these activities, with essential information only available to users after several steps.


Google had spread the relevant information across documents, making it difficult for users to grasp the extent of Google's data processing. On top of that, they had "pre-ticked" the option to personalise ads. This, the watchdog argued, was in breach of GDPR as it meant that Google had failed to obtain "genuine consent" from users before processing their data.


This was the first fine issued against a major tech company, and it was paid after an unsuccessful appeal.


British Airways, 2019


Where Google was fined over the issues of transparency and consent, British Airways was punished for inadequate security practices that resulted in a major data breach.


BA's system was compromised by a "web skimming" attack – a form of cyberattack where the attacker harvests data from online forms. In the case of BA, this affected more than 400,000 customers as the hackers skimmed masses of data, including login details, card numbers, names, and addresses.


An investigation found that BA lacked sufficient security measures such as multi-factor authentication. The ICO – the British data protection body – threatened a fine of £183 million in 2019. This was reduced in 2020 to £20 million, a decision justified as reflecting the economic impact of the pandemic.


H&M, 2020


In 2020, Sweden's H&M was fined €35 million by the Data Protection Authority of Hamburg. This came after a probe into illegal management practices at H&M's customer service centre in Nuremberg.


H&M collected and stored an "excessive" quantity of information about its workforce. This included data on their family lives, religious practices, medical issues, and other sensitive areas. This was acquired through staff surveys as well as informal chats. The data was used by H&M in a way that affected work performance appraisals.


As a result of this fine, H&M publicly accepted responsibility for the violations. It claimed to be taking "forceful measures" to remedy its failings and offered financial compensation to some workers.


WhatsApp, 2021


In 2021, WhatsApp was fined €225 million by the DPC, Ireland's data watchdog. This was the largest fine issued by the DPC, and second only to the fine against Amazon in the same year.

The fine was a long time coming. Investigations began in 2018 and, as with Google in 2019, centred on questions of privacy and transparency. The watchdog wanted to know whether WhatsApp's privacy policies were clear enough to users and whether it was sufficiently transparent about how it handled data. The answer, as discovered, was "no".


Along with the fine, the DPC imposed a reprimand that ordered WhatsApp to comply with GDPR. WhatsApp is appealing the fine and is unlikely to pay up soon. In the meantime, it's tweaking its policy documents in Europe and the UK to ensure compliance.


Amazon, 2021


The largest fine to date – €746 million – was imposed by Luxembourg's data commission on Amazon. The commission found that the company's processing of personal data for targeted advertising was in violation of GDPR.


Like WhatsApp and Google, Amazon is appealing the fine, arguing that the commission's judgment is "without merit" and reliant on "subjective" European privacy laws.


This final example shows the tension that exists between GDPR and multinational tech giants. It's a tension that isn't going away, and neither is GDPR. At the time of writing, millions of euros of fines have already been issued in 2022.


Is your company GDPR compliant? Do you want straightforward, jargon-free advice to help protect your business from fines? Our company and commercial law specialists are here to help.
