Indexed decisions: 58
Total recorded: €4.8B
Average fine: €83.4M
Largest single fine: €1.2B
Most active DPA: AEPD (Spain)
Sources cited per row. Status checked April 2026.
Showing 25 of 58 fines
Record-breaking fine, imposed by Ireland's DPC, for transferring EU user data to the United States without adequate safeguards following the Schrems II ruling. The DPC found that Meta's reliance on Standard Contractual Clauses was insufficient to protect EU users' data from access under US surveillance programmes, a breach of Article 46(1).
€1,200,000,000
Luxembourg's CNPD imposed this fine for Amazon's advertising targeting system processing personal data without proper consent. The complaint was originally filed by La Quadrature du Net, a French digital rights group, and related to how Amazon processed data for personalized advertising.
€746,000,000
The DPC fined TikTok for transferring European user data to China without adequate protections and for misleading the DPC about data storage practices. The investigation found that TikTok staff in China had access to EEA user data without equivalent protection measures.
€530,000,000
Two combined fines (Facebook €210M + Instagram €180M) for forcing users to accept personalised advertising as a condition of using the service. The EDPB directed the DPC to investigate the lawful basis for processing, finding that Meta could not rely on 'contractual necessity' for behavioural advertising.
€390,000,000
LinkedIn was fined for processing user data for behavioural analysis and targeted advertising without a valid legal basis. The DPC found that LinkedIn's reliance on legitimate interest and consent for behavioural advertising did not meet GDPR requirements, and transparency obligations were not fulfilled.
€310,000,000
The Dutch DPA (Autoriteit Persoonsgegevens, AP) imposed its largest fine to date for Uber's transfer of European driver data to the US without adequate protections. More than 170 French drivers complained through the Ligue des droits de l'Homme (LDH), which filed with the CNIL; the case passed to the Dutch AP as lead supervisory authority because Uber's EU headquarters is in the Netherlands.
€290,000,000
Facebook's personal data of over 533 million users from 106 countries was scraped and leaked online. The DPC found that Facebook failed to implement appropriate technical measures (data protection by design and default) to prevent the mass scraping of user data through its contact importer and search features.
€265,000,000
WhatsApp was fined for failing to meet transparency obligations regarding how it shared user data with other Meta companies. The initial DPC proposed fine was significantly lower, but the European Data Protection Board (EDPB) used its dispute resolution mechanism to increase it.
€225,000,000
CNIL fined Google €150M in total (Google LLC €90M and Google Ireland Limited €60M) for making it difficult for users to refuse cookies on google.fr and youtube.com. While accepting all cookies required one click, refusing them required multiple steps across several pages, which the CNIL deemed a violation of the free consent requirement.
€150,000,000
Meta was fined after an investigation found that hundreds of millions of Facebook user passwords had been stored in plaintext on internal systems since 2012. The investigation was triggered by Meta's own notification to the DPC in 2019.
€91,000,000
The Google LLC share (€90M) of the CNIL's €150M cookie decision, which also imposed €60M on Google Ireland Limited, for making it harder for youtube.com users to refuse cookies than to accept them. The restricted formation noted that the refusal mechanism required several clicks while acceptance was a single click.
€90,000,000
CNIL fined Microsoft for depositing advertising cookies on users' computers visiting bing.com without prior consent. The CNIL found that Microsoft placed cookies for advertising purposes before users could express their preferences.
€60,000,000
CNIL fined Facebook for making it overly complex for facebook.com users in France to refuse cookies. While a single click accepted all tracking, refusing required navigating through multiple settings pages, violating the requirement for freely given consent.
€60,000,000
The first major GDPR fine. CNIL found that Google's consent architecture for personalised advertising lacked transparency and valid consent. Information about data processing was spread across multiple documents, and consent for ad personalisation was pre-checked by default.
€50,000,000
Criteo, a major advertising technology company, was fined for processing personal data for advertising purposes without valid consent. Users' data was collected via cookies placed by Criteo's partners without proper information or freely given consent.
€40,000,000
H&M's Nuremberg service centre recorded extensive personal details about employees including health issues, family problems, and religious beliefs during return-to-work interviews. This data was stored and accessible to managers for profiling employees.
€35,258,707
TIM conducted millions of unwanted marketing calls, including to numbers registered on the national opt-out list. The Garante identified systematic failures in consent management, data retention, and a failure to honour data subjects' opt-out requests.
€27,800,000
Enel Energia was fined for aggressive telemarketing using personal data without valid consent. The investigation uncovered a complex chain of data brokers and call centres operating with inadequate consent management, resulting in millions of unsolicited calls.
€26,500,000
British Airways suffered a data breach in 2018 in which attackers injected malicious script into the ba.com payment flow and diverted payment card details entered on the website and mobile app to an attacker-controlled domain. The ICO initially proposed a GBP183M fine but reduced it to GBP20M, citing BA's representations, its cooperation, and the economic impact of COVID-19.
€22,046,000
Originally €204,000,000
Marriott's Starwood guest reservation database was breached, exposing approximately 339 million guest records globally, including 30 million EEA residents. The breach originated from a 2014 compromise of Starwood systems that Marriott failed to detect during its 2016 acquisition due diligence.
€20,450,000
Originally €110,390,200
Clearview AI was fined for collecting biometric data by scraping publicly available images from the internet to build a facial recognition database. The Garante found this processing had no legal basis and violated principles of fairness, lawfulness, and transparency.
€20,000,000
CNIL's independent fine against Clearview AI for its facial recognition system that scraped over 20 billion images from the internet without consent. Clearview also failed to respond to individuals' data access and deletion requests from French residents.
€20,000,000
Greece's HDPA imposed a €20M fine on Clearview AI for unlawful collection of biometric data through web scraping of facial images, one of several European DPAs (alongside Italy's Garante and France's CNIL in this register) to independently fine Clearview for the same practice.
€20,000,000
The DPC fined Meta €17M for failing to have appropriate technical and organisational measures in place to demonstrate compliance. The investigation examined twelve data breach notifications received between June 2018 and December 2019.
€17,000,000
Wind Tre, Italy's third-largest mobile operator, was fined for aggressive telemarketing practices including contacting individuals on the national opt-out register and processing data without valid consent. The company also activated unsolicited paid services on customer accounts.
€16,700,000
SECTION II / TREND ANALYSIS
GDPR enforcement has hardened year on year since the Regulation became applicable in May 2018. Meta's May 2023 fine of €1.2 billion for transfers in breach of Article 46(1) signalled that the upper tier of the statutory cap (4% of worldwide annual turnover under Article 83(5)) is no longer notional, and TikTok's May 2025 €530 million decision shows that international transfer enforcement is now a settled enforcement lane rather than an exceptional one.
Cookie consent and behavioural advertising are the most frequently cited grounds across the register. France's CNIL has driven the cookie workstream under Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive and therefore sits outside the GDPR one-stop-shop mechanism, and has combined it with GDPR decisions on the lawful basis (Article 6) for the underlying advertising processing. Ireland's DPC is the lead supervisory authority for several of the largest cases through the one-stop-shop mechanism, with the European Data Protection Board increasingly directing outcomes through Article 65 dispute resolution.
UK enforcement is now governed by the UK GDPR, a separate regime from the EU GDPR post-Brexit, and is handled by the ICO. UK decisions are listed here for reference but are not binding under the EU framework.
REGISTER UPDATED 2026-04-28