If you’ve read about the General Data Protection Regulation (GDPR), you may know that companies that improperly collect, store and process data from European Union residents are subject to strict fines and penalties for breaches. What are the GDPR fines—and how can you avoid them?

The GDPR is one of the world’s strictest privacy policies. Any company collecting, storing, and processing data from EU and UK residents must adhere to the standard. Your business must create and follow a GDPR privacy policy whenever you collect information from applicable countries, whether that’s your email marketing list or other sensitive customer data.

Which countries do GDPR fines and penalties apply to?

The GDPR protects all EU member states plus the United Kingdom, which adopted the law before Brexit. Keep in mind that EU membership can change: for instance, Ukraine has recently applied to join the EU. Should it be accepted, data collected from its residents will be protected by the GDPR.

When it comes to fines and penalties, however, a company from any country can be penalized. A United States-based company found in breach could be fined or penalized even if it has no physical locations in Europe and does not specifically cater to EU customers.

Here is a current list of countries protected by the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • The Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom*

*The United Kingdom is an outlier. Despite the fact that the UK has left the EU as of January 2020, the GDPR was adopted before Brexit and is still considered good UK law.

What Are the Penalties and Fines for GDPR Breaches?

If a company breaches GDPR policies, they can be fined up to €20 million or four percent of worldwide turnover for the preceding financial year, whichever is higher. That’s a significant chunk of income for most companies. It’s better to create and adhere to a comprehensive GDPR policy up front, so you can avoid the problem entirely.

According to Tessian, about 900 fines have been levied since the GDPR took effect in May 2018. In fact, “The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion—20 times greater than the totals for Q1 and Q2 2021 combined.”

The biggest penalties for GDPR breaches include:

  • Amazon, €746 million ($877 million)
  • WhatsApp, €225 million ($255 million)
  • Google Ireland, €90 million ($102 million)
  • Facebook, €60 million ($68 million)
  • Google LLC, €60 million ($68 million)
  • Google, €50 million ($56.6 million)

As you can see from the fines—and how often Google appears—the GDPR penalties are harsh. Even innovative global tech companies can run afoul of the law, whether accidentally or intentionally. While some fines might be a drop in the bucket compared to the company’s bottom line, they could devastate smaller businesses.

The most common violations are data breaches, in which sensitive customer data is exposed. However, many companies also run into issues with tracking cookies on their websites or with how they collect and store data. Some, like the €12.3 million ($14.5 million) Vodafone Italia fine, were levied because the company violated numerous provisions of the GDPR. This included “failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis.”

What’s the Solution?

These fines are severe for a reason: Europe takes customer data protection seriously. The higher the penalty, the more likely companies will take care to adhere to the rules—wherever they’re located.

Luckily, there’s no reason for you to spend billable hours on writing a GDPR policy. SixFifty’s legal software makes it quick and easy to create your own. Pairing automation with real legal expertise, all you have to do is answer a few questions about your company and its practices. We’ll generate a comprehensive GDPR policy that will cover your business. Once your lawyer approves, you’re all set. Should you run into a violation or data breach, you’ll rest assured knowing that a plan is in place, and your business is protected.

SixFifty’s customizable documents, like our GDPR privacy policies, are updated as laws and guidelines change. If any changes occur to the GDPR, you’ll be able to tell whether your current documents are out of date. Simply update, generate a new policy, and download for immediate use.

That’s all there is to it—compliance has never been so simple.

For more information about SixFifty’s privacy products, including GDPR, PIPL and CCPA policies, reach out to us today. We’d love to schedule a demo and show you how our products can save you time and money!


Written by Meili Bell

Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...