Industry-specific GDPR enforcement analysis with risk profiles, common violations, notable cases, and enforcement trends for compliance officers and DPOs.
Most common violation: Consent Violations
Total fines: €3.8B | Actions: 23 | Share: 79.0%
Extremely high risk. Technology companies account for over 70% of all GDPR fines by value. The concentration of massive fines against Meta, Amazon, Google, TikTok, Uber, and LinkedIn reflects the scale of data processing in this sector and the regulatory focus on Big Tech's data practices.
Cross-border data transfers (Meta, TikTok, Uber), consent for advertising (Amazon, Google, LinkedIn), cookie consent (Google, Facebook, Microsoft, TikTok), and facial recognition (Clearview AI). The sector faces enforcement across virtually every GDPR violation category.
Meta holds the record for both the largest single fine (EUR1.2B for US data transfers) and the most cumulative fines (over EUR2B across multiple enforcement actions). Clearview AI has been fined EUR20M by three separate European DPAs for the same facial recognition scraping practices.
Increasing. AI-related processing will create new enforcement vectors under the interplay between GDPR and the EU AI Act. Cross-border transfer enforcement continues to escalate.
Most common violation: Consent Violations
Total fines: €791.7M | Actions: 4 | Share: 16.4%
Moderate risk. Retail companies face GDPR enforcement primarily around marketing consent, loyalty programme data processing, and employee monitoring. The sector has seen several notable fines for both customer-facing and employee-facing violations.
Marketing without consent, loyalty programme profiling without adequate legal basis, employee surveillance (CCTV and productivity monitoring), and data breaches from e-commerce platforms. The growth of online retail has expanded data processing and associated compliance obligations.
Amazon Europe Core (EUR746M, 2021) for advertising consent failures — by far the largest retail fine. H&M (EUR35.3M, 2020) for systematic profiling of employees. notebooksbilliger.de (EUR10.4M, 2021) for two years of unlawful employee video surveillance. REWE International (EUR80K, 2022) for loyalty programme tracking without consent.
Stable. Enforcement continues around marketing consent and employee monitoring. The growth of retail media networks (where retailers sell advertising using customer data) may attract increased regulatory attention.
Most common violation: Consent Violations
Total fines: €59.3M | Actions: 5 | Share: 1.2%
High risk. Telecommunications companies process large volumes of personal data including location data, communications metadata, and billing information. Italy has been particularly aggressive in fining telecom operators for unsolicited marketing practices.
Aggressive telemarketing and unsolicited communications (the dominant enforcement theme in Italy), inadequate security leading to data breaches, failure to honour opt-out requests, and data retention beyond lawful periods. Telecom companies also face ePrivacy Directive requirements alongside GDPR.
TIM/Telecom Italia (EUR27.8M, 2020) for millions of unwanted marketing calls. Wind Tre (EUR16.7M, 2020) for aggressive telemarketing and activating unsolicited paid services. Vodafone España (EUR8.15M, 2021) for persistent unsolicited communications. COSMOTE (EUR6M, 2022) for a data breach exposing subscriber location data.
Stable to increasing. 5G network expansion, IoT connectivity, and communications data retention continue to generate new compliance obligations. Italy's Garante remains highly focused on telecom enforcement.
Most common violation: Consent Violations
Total fines: €43.6M | Actions: 5 | Share: 0.9%
Moderate risk. Energy companies face GDPR enforcement primarily through unsolicited marketing (particularly in Italy) and data breaches. Smart meter data and energy consumption profiling create additional compliance considerations.
Unsolicited telemarketing and commercial communications, data breaches from customer databases, and processing without valid consent chains through third-party data brokers.
Enel Energia (EUR26.5M, 2022) for aggressive telemarketing through complex data broker chains. Eni Gas e Luce (EUR11.5M, 2020) for telemarketing and activating contracts without consent. Fortum Marketing (EUR4.9M, 2022) for a data breach during IT migration. Electric Ireland (EUR450K, 2024) for a cyber attack exposing customer data.
Stable. Smart energy infrastructure and IoT-connected devices may generate new data processing activities that attract regulatory attention.
Most common violation: Consent Violations
Total fines: €40M | Actions: 1 | Share: 0.8%
Moderate to high risk. Media and advertising companies face enforcement around advertising tracking, cookie consent, and programmatic advertising practices. The advertising technology ecosystem creates complex consent chains that are frequently found to be non-compliant.
Processing personal data for advertising without valid consent, cookie consent violations, inadequate transparency about data sharing with advertising partners, and failure to honour opt-out requests.
Criteo (EUR40M, 2023) for processing personal data for advertising without valid consent. This case is particularly significant for the adtech industry as it established that advertising technology companies bear direct responsibility for consent, not just their publisher partners.
Increasing. The deprecation of third-party cookies, the growth of retail media networks, and increased regulatory focus on advertising technology will drive more enforcement in this sector.
Most common violation: Inadequate Security Measures
Total fines: €22.6M | Actions: 3 | Share: 0.5%
Largest fine: British Airways (€22.0M)
Most common violation: Inadequate Security Measures
Total fines: €20.9M | Actions: 2 | Share: 0.4%
Largest fine: Marriott International (€20.4M)
Most common violation: Consent Violations
Total fines: €19.6M | Actions: 5 | Share: 0.4%
Moderate to high risk. Financial institutions process highly sensitive data at scale, and supervisory authorities have shown increasing willingness to fine banks and insurers. Spain's AEPD has been particularly active, fining CaixaBank EUR6M, BBVA EUR5M, and numerous smaller financial institutions.
Consent failures for marketing communications, excessive data collection (data minimisation violations), inadequate security measures, and failure to honour data subject rights. Financial institutions often struggle with legacy systems that make data deletion and portability challenging.
CaixaBank (EUR6M, 2021) for processing data without consent after its merger with Bankia. BBVA (EUR5M, 2023) for persistent marketing communications without consent. ID Finance Spain (EUR6.1M, 2021) for a data breach exposing 150,000 client records. Banca Transilvania (EUR100K, 2019) for excessive data collection.
Increasing. Open banking, digital transformation, and the growth of fintech are creating new data processing activities that attract regulatory scrutiny. Expect more enforcement around automated credit decisioning and customer profiling.
Most common violation: Data Minimisation Violations
Total fines: €14.9M | Actions: 2 | Share: 0.3%
Largest fine: Deutsche Wohnen SE (€14.5M)
Most common violation: Inadequate Security Measures
Total fines: €2.9M | Actions: 3 | Share: 0.1%
Moderate risk. Public sector organisations are subject to GDPR and can be fined, though some member states have opted to exclude public authorities from the highest fine tiers. Key enforcement areas include public health data, social security data, and government surveillance.
Data breaches exposing citizen data, inadequate security for sensitive government databases, excessive data retention, failure to conduct DPIAs for public surveillance systems, and improper data sharing between government agencies.
Bulgaria National Revenue Agency (EUR2.6M, 2019) for a massive breach exposing nearly every adult citizen's tax and financial data. Romania National Electoral Office (EUR100K, 2022) for inadequate voter registration security. Finnish Customs (EUR150K, 2024) for failing to conduct required DPIAs.
Increasing. Government digitalisation, public health data processing (accelerated by COVID-19), and the expansion of surveillance technologies are creating new enforcement opportunities. Several DPAs have announced public sector enforcement as a priority area.
Most common violation: Data Breach Notification Failures
Total fines: €1.8M | Actions: 4 | Share: 0.0%
High risk due to special category data. Healthcare organisations process some of the most sensitive personal data under GDPR (health data, genetic data), which means both higher fines and stricter requirements under Article 9. Even relatively small breaches can result in significant penalties.
Data breaches exposing patient records, inadequate security for health data, failure to conduct DPIAs for health data processing, and unauthorised disclosure of patient information. Healthcare organisations also face challenges with data sharing between providers and research use of patient data.
Type 1 Diabetes Foundation (EUR1.1M, 2021) for a breach exposing sensitive patient health data. Affidea Healthcare Hungary (EUR350K, 2023) for a ransomware attack compromising diagnostic records. Tuscan Health Authority (EUR120K, 2022) for exposing COVID-19 test results through an insecure API. Paradigm Health (GBP180K, 2024) for improper disposal of paper mental health records.
Increasing. The acceleration of digital health, telemedicine, and health data sharing since COVID-19 has expanded the attack surface and regulatory attention. AI in healthcare diagnostics will create additional compliance challenges.
Most common violation: Failure to Appoint DPO
Total fines: €900K | Actions: 1 | Share: 0.0%
Largest fine: Interseroh (€900K)
Technology and social media companies dominate GDPR fines by total monetary value, accounting for over 70% of all fines. This is driven by a small number of extremely large fines against Meta, Amazon, Google, TikTok, Uber, and LinkedIn. However, by volume of individual enforcement actions, telecommunications and finance see more total fines. Italy's Garante has issued dozens of fines to telecom companies for telemarketing violations, while Spain's AEPD frequently fines financial institutions for marketing consent failures. The concentration of massive fines in the tech sector reflects both the scale of data processing and the regulatory focus on Big Tech's compliance with fundamental GDPR principles like consent and cross-border data transfers.
Yes, healthcare organisations are regularly fined under GDPR, and they face elevated risk because they process special category data (health data) under Article 9, which carries stricter requirements and higher regulatory expectations. Healthcare fines typically relate to data breaches exposing patient records, inadequate security for health IT systems, improper disposal of paper records, and unauthorised disclosure of patient information. Notable cases include the Type 1 Diabetes Foundation (EUR1.1 million), Affidea Healthcare Hungary (EUR350,000), and several hospital trusts across Europe. The healthcare sector's relatively lower total fines compared to technology reflect smaller organisational turnover rather than lower enforcement attention.
Yes, banks and financial institutions receive GDPR fines regularly. Spain has been the most active jurisdiction for financial sector enforcement, with CaixaBank receiving a EUR6 million fine in 2021 for processing customer data without consent following its merger with Bankia, and BBVA receiving a EUR5 million fine in 2023 for persistent marketing without consent. Fintech companies have also been targeted, with ID Finance Spain receiving a EUR6.1 million fine after a data breach. Banks face particular compliance challenges around data minimisation (collecting only necessary data), consent management for cross-selling, automated credit decisions, and data portability requirements under open banking regulations.