The EU has issued a total of 648 penalties since the regulation was introduced three years ago

According to recent findings by the Atlas VPN team, the cumulative sum of GDPR fines imposed in EU countries over the past three years has reached €283,673,083. Since May 2018, the European Union has issued a total of 648 penalties against organisations violating the data protection law.

The biggest GDPR fine so far was issued in January 2019. The French regulator CNIL fined Google €50 million for failing to provide transparent information on its consent policies and the way it handles ad personalisation. At that point, only 12 penalties had been issued for the violation of GDPR since its implementation.

After that, another massive increase in penalties happened between October 2019 and January 2020. During this period, two Italian companies, TIM (telecommunications operator) and Eni Gas e Luce (energy industry), were fined €27.8 million and €8.5 million respectively.

In 2020, from July to October, there was a significant increase in the sum of fines. Three out of five of the biggest penalties were issued in October. One of the fines for €35.3 million was imposed in Germany, and two other violations combining for a total of €42.5 million were given to organisations in the UK.

Cybersecurity writer and researcher at Atlas VPN William Sword commented: “GDPR has empowered EU citizens to be more actively involved in what is happening with their data and understand their privacy rights. As for organisations, complying with data protection rules will create a more trustworthy environment between them and consumers.”

“European citizens have benefited from this regulation as companies have become more transparent regarding privacy. GDPR will only continue to improve in the coming years as more experience comes.”

GDPR violations in specific countries

To date, Italy has received the most severe fines over the past three years — a total of €76.3 million. In addition to the penalties against TIM and Eni Gas e Luce, two telecom giants, Wind Tre and Vodafone Italia, were fined for an insufficient legal basis and non-compliance with general data processing principles. So far, Italian firms have been penalised 77 times for falling foul of the regulation.

France is in second place with €54.7 million in fines. In addition to the record Google fine, 13 further violations were recorded over the three years.

In third place sits Germany, where GDPR violations have cost companies €49.2 million. One of the most significant fines in Germany was recorded in January this year, when a laptop retailer was fined €10.4 million for unlawful video surveillance of staff and customers.

The United Kingdom ranks fourth with €44.2 million in fines, through just four violations of GDPR law. Although the EU GDPR no longer applies in the UK after Brexit, the new ‘UK GDPR’ regime will soon come into place, with a framework that closely follows EU GDPR regulations.


The data is based on GDPR Enforcement Tracker statistics. CMS — International Law Firm tracked all of the numbers provided on the website.