GDPR Fines & Penalties so far

Total Fines:
∑ = 418.212.904


Nine months after the entry into application of the GDPR, the members of the EDPB are of
the opinion that the GDPR cooperation and consistency mechanism work quite well in
practice. The national supervisory authorities make daily efforts to facilitate this cooperation,
which implies numerous exchanges (written and oral) between them.
These cooperation duties lead to extra workloads, additional time dealing with cases and have
an impact on the budget of the regulators. The handling of cross border cases takes time, due
to the cooperation, to the need to carry out thorough investigations and to national
procedural rules. The national SAs have to tackle these challenges regarding the harmonized
protection and enforcement of the GDPR.
Until now, there are 6 final One-Stop-Shop cases.
The experience of the EDPB regarding consistency is – up to now – limited, as no dispute
resolution through this new EU body was necessary during the reported period.
I. Cooperation mechanism among SAs and the consistency mechanism of the EDPB
Cooperation mechanism
The GDPR requires close cooperation between SAs of EEA (EU-28 + Iceland, Norway and
Liechtenstein) in cases implying a cross-border component and supports this by using the
following tools:
- the mutual assistance,
- the joint operation,
- the One-Stop-Shop cooperation mechanism, which introduces the obligatory
  intervention of a Lead Supervisory Authority for the cross-border cases.
The cooperation on cross-border cases (i.e. on the basis of complaints from individuals) is
conducted by the national supervisory authorities. The EDPB does not deal with those cases
unless a dispute arises between the authorities or in the case of urgency.
Consistency mechanism
One of the main tasks of the EDPB is to ensure the consistent application of the GDPR.
One opportunity to ensure consistency is to provide general guidance on the interpretation
of the GDPR, which will contribute to a common understanding and application of the
provisions by the stakeholders, the supervisory authorities and the public in general. Since 25
May 2018, the EDPB has endorsed 16 guidelines prepared by the Article 29 Working Party
(predecessor of the EDPB) and has adopted 5 additional guidelines.
Another opportunity is to adopt consistency opinions and decisions. These decisions mainly
address the national supervisory authorities and ensure a consistent application and
enforcement of the GDPR.
Standardised communication:
To support the cooperation and the consistency mechanism among the EDPB members the
DG Grow of the EU Commission, together with the EDPB Secretariat and the EDPB members,
have customised an already existing IT system – the Internal Market Information system (IMI).
This system was operational on the first day of the entry into application of the GDPR. This
system provides a structured and confidential way to share information among the SAs.
The feedback of the national regulators on this system is really positive. A dedicated expert
subgroup has been created to ensure the continuous enhancement of the system on the basis
of the feedback collected via a dedicated IT Helpdesk support provided to the EDPB members
by the EDPB Secretariat.
Before a case is produced in the case register of the system, the competent authorities have
to be identified. This registry is the central database from which different procedures can be
started, such as the mutual assistance, joint operation and One-Stop-Shop mechanism.
The scheme in the appendix provides an overview of the functioning of the system.

  1. Cooperation Mechanism
    a. Preliminary procedure to identify the lead and concerned supervisory authorities
    Before starting a One-Stop-Shop procedure for cross-border cases, it is necessary to identify
    the authority that will lead the cooperation (Lead SA), and the other Concerned supervisory
    authorities (Concerned SA). The Lead SA will have to lead the cooperation procedure, draft
    the decision and the Concerned SAs will have the opportunity to raise objections.
    The Lead SA is the authority within the EEA where the organisation subject to the
    investigation has its main establishment. The main establishment is identified as the central
    administration of the investigated company/organisation in the EU.
    The EDPB created workflows in the IMI system to enable the SAs to identify their respective
    roles. The main purpose of this procedure is to define the roles at an early stage and to avoid
    objections on the question of competences at a later stage of the procedure.
    In case of conflicting views regarding which authority should act as Lead SA, EDPB has the role
    of a dispute resolution body and issues a binding decision.
    Since 25 May 2018, 642 procedures have been initiated to identify the Lead SA and the
    Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead
    SA identified.
    Up to now, no dispute arose on the selection of the Lead SA.
    24 EEA countries already initiated procedures and 26 SAs were proposed to act as lead SA.
    b. Data base regarding cases with cross-border component
    These cases will be registered in a central database from which different procedures can be
    initiated, such as the mutual assistance, joint operation and One-Stop-Shop mechanism.
    Since 25 May 2018, 30 different EEA SAs have registered a total amount of 281 cases with
    cross-border component in the IMI system.
    The large part of the opened cases derived from complaints by individuals (194 cases). The
    rest of the cases (87) has other origins.
    The three main topics of the cases are related to the exercise of the data subjects’ rights, to
    the consumer rights and to data breaches.
    c. One-Stop-Shop Mechanism
    The GDPR provides a specific cooperation procedure (One-Stop-Shop) for cross-border cases.
    A cross border case emerges where the controller or the processor has an establishment in
    more than one Member State or where the data processing activity substantially affects
    individuals in more than one Member State.
    The One-Stop-Shop mechanism implies a cooperation between the Lead SA and the
    Concerned SA. The Lead SA will lead the cooperation procedure and plays a key role in the
    process to reach consensus between the Concerned SAs and to reach a coordinated decision
    with regard to a data controller or processor.
    The Lead SA first has to investigate the case while observing its national procedural rules (e.g.
    provide the right to be heard to the affected persons). During this investigation phase, it can
    gather information from another supervisory authority via mutual assistance or conduct joint
    investigation, where foreseen in the respective national law.
    The IMI system also offers the opportunity for the Lead SA to launch – if necessary – an
    informal communication with all the Concerned SAs to collect information to prepare its
    draft decision.
    Once the Lead SA has completed the investigation, it prepares a draft decision and
    communicates it to the Concerned SAs. These can object to the draft decision, which either
    leads to a revised draft decision or triggers the dispute resolving mechanism of the board.
    If a dispute arises on the draft decision and no consensus is found, the consistency mechanism
    is triggered and the case is referred to the EDPB. The EDPB will then act as a dispute resolution
    body and issue a binding decision on the case. The Lead SA will have to adopt its final decision
    on the basis of the decision of the EDPB.
    If the Concerned SAs do not object to the initial draft decision, or the revised one, they are
    deemed in agreement with the draft decision. So, the Lead SA can adopt its final decision.
    The IMI system offers different procedures to handle the One-Stop-Shop cases:
    - Informal consultation procedures,
    - Draft decisions or revised decision submitted by the Lead SA to the Concerned
    - Final One-Stop-Shop decisions submitted to the Concerned SAs and to the
    Since 25 May 2018, 45 One-Stop-Shop procedures were initiated by SAs from 14 different
    EEA countries. The 45 procedures are at different stages: 23 are at the informal consultation
    level, 16 are at draft decision level and 6 are final decisions.
    These first final One-Stop-Shop decisions relate to the exercise of the rights of individuals
    (such as the right to erasure), the appropriate legal basis for data processing and data breach
    The limited number of One-Stop-Shop procedures can be explained because the circulation
    of the draft decision is the result of the investigations conducted by the Lead SA respecting
    national administrative procedural laws. The number of One-Stop-Shop procedures is
    increasing steadily.
    d. Mutual assistance
    The mutual assistance procedure allows each SA to ask other SAs for information but also
    to request any other measures for effective cooperation (such as prior authorisations,
    investigations, etc.).
    The mutual assistance can be used for cross-border cases subject to the One-Stop-Shop
    procedure (as part of the preliminary phase to gather elements necessary before drafting a
    decision), or can also be used for national cases with cross-border component.
    The IMI system enables the use of informal mutual assistance, without any legal deadline or
    the use of formal mutual assistance where the requested SA has a legal deadline of 1 month
    to reply to the request.
    Since 25 May 2018, 444 mutual assistance requests (formal and informal) have been
    triggered by SAs from 18 different EEA countries.
    In 353 cases out of the 444 mutual assistance requests, the answers were sent within 23
    days. The remaining 91 cases are ongoing, not yet answered by the requested SA.
    e. Joint operations
    The GDPR allows the SAs of different member states to carry out joint investigations and joint
    enforcement measures. The joint operations can be used in the context of cross-border cases
    subject to the One-Stop-Shop procedure (as part of the preliminary phase to gather elements
    necessary before drafting a decision), or can also be used for national cases including a
    cross-border component.
    From 25 May 2018 to 31 January 2019, no joint operations have been initiated.
    f. Assessment of the cooperation mechanism and suggestions for improvement by the
    In comparison with the EC Directive 95/46/EC where SAs were working separately even on
    cross border cases, the GDPR foresees a duty for the SAs to cooperate in order to provide a
    consistent application of the GDPR.
    The national regulators adapted to this new situation. One of the advantages of the GDPR is
    to let some margin of manoeuvre for the SA to address those challenges.
    However, the GDPR has been in application only for 9 months and there is still work to be
    done at the EDPB level to further streamline the procedure to make the system even more
    efficient. The question of the resources allocated to the authorities (and the possibility to
    recruit staff speaking also English) has impacts on the global efficiency of the system.
  5. Consistency Mechanism
    a. Consistency opinion
    For some types of decisions, the national SAs have to request an opinion of the EDPB before
    being entitled to adopt their decision. This applies for instance to the approval of cross-border
    codes of conduct, the adoption of standardised contractual clauses, or the adoption of
    national lists describing the type of processing that must be subject to a Data Protection
    Impact Assessment.
    The purpose of the consistency opinion issued by the EDPB is to guarantee the consistent
    application of the GDPR in cases where a competent SA wants to adopt those specific
    Each national SA, the Chair of the EDPB or the Commission can ask the EDPB to issue a
    consistency opinion on any matter of general application or producing effects in more than
    one Member State.
    Since 25 May 2018, 28 opinions on the national lists of processing subject to a Data Protection
    Impact Assessment and 1 opinion on a draft administrative arrangement for the transfer of
    personal data between financial supervisory authorities (in the EEA and outside of the EEA)
    have been adopted by the EDPB. Currently there are 3 ongoing procedures which are related
    to binding corporate rules, to a draft standard contract between Controllers and Processors
    and to the interplay between the GDPR and the ePrivacy Directive, in particular as regards the
    competence of the national data protection supervisory authorities.
    b. Dispute resolution
    The EDPB intervenes as a dispute resolution body and adopts binding decisions, in order to
    ensure the consistent application of the GDPR, in the following cases:
    - A dispute takes place within the One-Stop-Shop mechanism (a Concerned SA raises a
      relevant and reasoned objection which is not followed by the Lead SA);
    - A disagreement takes place on the determination of the Lead SA;
    - An SA does not request or does not follow a consistency opinion of the EDPB.
    From 25 May 2018 to 18 February 2019, no dispute resolutions were initiated. This means
    that up to now, the SAs were able to reach consensus in all current cases, which is a good sign
    in terms of cooperation.
    c. Assessment of the consistency mechanism and suggestion for improvement by the
    The following analysis reflects the views and impressions of the authorities in the context of
    this report.
    Up to now, the EDPB did not have to act as a dispute resolution body, also due to the fact that
    the number of decisions resulting from the One-Stop-Shop cases is still relatively small.
    Since the EDPB has so far focused mainly on the preparation of consistency opinions on
    national DPIA lists (on the national lists of processing subject to a Data Protection Impact
    Assessment) most authorities emphasised that the experience of the EDPB with the
    consistency mechanism in other areas is still limited. However, it is planned that in the coming
    months other types of national measures, such as BCRs, codes of conduct, standard contracts
    and issues related to certification will be submitted to the EDPB and thus trigger the
    consistency mechanism in other fields.
    It was indicated that, already on the basis of the first experiences, the consistency mechanism
    was found to require many resources, to be time-consuming and to require the authorities to
    act swiftly within the given timeframe. In this context, a possible need to extend the deadlines
    was addressed.
    II. Means and powers of the national supervisory authorities
  6. Budget and human resources
    Under the new legal framework, SAs wear two hats. They not only deal with their enhanced
    enforcement powers but are required to become more engaged, which implies the need for
    more budget and staff.
    a. Budget
    While, based on information provided by SAs from 26 EEA countries and the EDPS, in most
    cases an increase in the budget for 2018 and 2019 was observed, in two cases a decrease and
    in 3 cases no changes in the budget were noticed. According to information provided by the
    respective SAs, the latter phenomena can be explained by biannual plans for this period of
    Although the majority of the 17 replying SAs stated that they would need an increase in the
    budget of 30-50%, almost none of them received the requested amount. There are some
    extreme examples where this need is close to or even 100 %.
    b. Human resources
    Based on information provided by SAs from 26 EEA countries and the EDPS, the majority of
    SAs have experienced an increase in the number of staff, while for 8 SAs the human resources
    did not change. For one SA, there was even a decrease in personnel.
    Given the different scope of competences of the SAs (GDPR, e-Privacy, Freedom of
    Information), the requirements for more personnel also vary.
  7. Implementation and enforcement of the GDPR at national level
    The total number of cases reported by SAs from 31 EEA countries is 206.326. Three different
    types of the cases can be distinguished, namely cases based on complaints, cases based on
    data breach notifications and other types of cases. The majority of the cases are related to
    complaints, notably 94.622 while 64.684 were initiated on the basis of data breach
    notification by the controller.
    52 % of these cases have already been closed and 1 % of these cases have been challenged
    before national courts.
    Corrective powers:
    Regarding the corrective powers, the SAs have different measures to use:
    - to issue warnings to a controller or processor that intended processing operations are
      likely to infringe the GDPR,
    - to issue reprimands to a controller or a processor where processing operations have
      infringed the GDPR,
    - to order the controller or the processor to comply with the data subject’s requests or
      to bring processing operations into compliance with the GDPR,
    - to impose administrative limitations, bans and fines.
    SAs from 11 EEA countries have already imposed administrative fines according to Article 58.2
    (i) GDPR. The total amount of the imposed fines is 55.955.871 EUR.
    III. Conclusion
    Nine months after the entry into application of the GDPR, the members of the EDPB are of
    the opinion that the GDPR works quite well in practice making use of the new way of
    cooperation including numerous daily exchanges. The One-Stop-Shop cases that have already
    led to an outcome tested some of the core principles of the GDPR and were resolved
    smoothly. So far, not a single cross-border case has been escalated to the EDPB level.
    Despite the increase in the number of cases in the last months, the SAs reported that the
    workload is manageable for the moment, in large part thanks to a thorough preparation
    during the past two years by SAs, the Article 29 Working Party and by the Board.