Who was fined $20 million for breaching GDPR?

Asked by: Jameson Batz  |  Last update: January 27, 2026

British Airways was fined £20 million (around $26 million) by the UK's Information Commissioner's Office (ICO) in October 2020 for a major 2018 data breach that exposed over 400,000 customers' personal and financial details due to inadequate security measures, making it the largest GDPR penalty imposed by the ICO at the time, despite being a significant reduction from the initially proposed fine.

What is the largest GDPR fine ever?

Meta GDPR fine: €1.2 billion. In May 2023, in a landmark decision after five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a record fine of €1.2 billion on the US tech giant Meta.

Has anyone been fined under GDPR?

The UK DPA has imposed a fine of £1,228,283 (EUR 1,400,000) on LastPass UK Ltd. The controller suffered a successful cyber attack due to insufficient technical and organisational measures to ensure data security. The Romanian DPA has imposed a fine of EUR 15,000 on Crowd Entertainment Limited.

What is the GDPR fine for 20 million?

Higher level of GDPR penalties

Fines of up to £17.5 million under the UK GDPR, €20 million under the EU GDPR or 4% of annual global turnover can be issued for infringements of articles: 5 (data processing principles); 6 (lawfulness of processing); 7 (conditions for consent);

Was British Airways fined 20 million?

In 2019 the ICO announced its intention to fine British Airways £183.39 million; after further analysis and consideration of mitigating factors this was reduced to a £20 million penalty issued in October 2020.

TikTok fined £12.7m for data protection breaches


What is the fine for not having a data protection officer?

It is not only data breaches or violations that can lead to fines; you can also be fined if you fail to appoint a data protection officer where one is required. Under the UK GDPR the fines can be as high as £17.5 million or 4% of the company's global annual revenue.

How can I tell if I was part of a data breach?

To know if you've been in a data breach, check websites like Have I Been Pwned (HIBP) by entering your email, look for signs like unexpected password resets or strange account activity, and monitor credit reports for unfamiliar accounts, while also watching for targeted phishing attempts. 

Who gets the money from GDPR fines?

Each year, the income from these fines is passed to the Government's Consolidated Fund. However, from 1 April 2022, the HM Treasury has allowed the ICO to retain funds to cover pre-agreed, specific and externally audited enforcement and litigation costs.

What are some famous GDPR breach examples?

  • Meta's 1.2 billion euro fine: The cross-border data transfer debacle.
  • Google's violation of GDPR's right to be forgotten.
  • Twitter's failure to notify the breach.
  • Cathay Pacific: A wake-up call for the industry.
  • TIM S.P.A – failure to uphold data subjects' rights.

What is the highest penalty for a breach of the GDPR?

For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art.

How to avoid GDPR fines?

Checklist: How to avoid GDPR fines

Obtain freely given, specific, informed, and unambiguous consent, and make it as easy to withdraw as to give. Collect and process data only for a defined, legitimate purpose. Collect and store only the minimum amount of data needed for the purpose.

What is the biggest data breach in the UK?

The Biggest UK Data Breaches Ranked by Impact

  • Dixons Carphone. Date: July 2017 – April 2018. ...
  • Equifax. Date: 2011–2016. ...
  • Electoral Commission. Date: August 2021 (not discovered until October 2022) ...
  • EasyJet. Date: October 2019 – March 2020. ...
  • Marriott International. ...
  • Uber. ...
  • The National Health Service (NHS) ...
  • Virgin Media.

What's the maximum fine under UK GDPR?

Fines for infringement of the UK GDPR

A maximum fine of £17.5 million or 4 per cent of annual global turnover, whichever is greater, for infringement of any of the data protection principles or rights of individuals.

How did Facebook violate GDPR?

Facebook has tried different strategies of circumventing the intent of the GDPR. In the first case, it complied with the timeline set out by the GDPR but left out crucial details. In the second case, Facebook interpreted the GDPR to say that a company has an unlimited amount of time to investigate a breach.

Which company holds the record for the biggest fine for a privacy breach?

Meta: €1.2 billion ($1.3 billion). Facebook's parent company, Meta, now holds the biggest GDPR fine ever issued.

Is GDPR stricter than CCPA?

Which is stricter—CCPA or GDPR? The GDPR generally includes more rigorous requirements than the CCPA. It imposes higher financial penalties for violations, requires a lawful basis for processing personal data, defines broader data subject rights, and has more comprehensive age-of-consent protections.

What are 10 examples of sensitive personal information?

Definition of Sensitive Personal Information

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data.
  • Health data.
  • Sexual orientation or sex life.

Can you sue if your data is breached?

Eligibility Criteria To Sue A Company For A Data Breach

The data controller or processor engaged in some form of wrongful conduct contrary to their obligations under data protection law. This conduct resulted in a personal data breach that impacted your personal information.

Who receives the money from fines?

Money from fines and penalty receipts, including for speeding, goes to the Treasury into the Consolidated Fund.

What is a Tier 1 fine for GDPR?

Under the General Data Protection Regulation (GDPR) [Art. 83], there is a tiered system of fines depending on the nature and severity of the violation. For tier 1 violations, fines can be up to 2% of annual revenue or €10 million, whichever is greater.

Can I check to see if my SSN has been compromised?

To check for SSN identity theft, review your free credit reports at AnnualCreditReport.com, create a my Social Security account at ssa.gov to track earnings, and check your IRS records via IRS.gov/IdentityTheft for tax fraud, looking for unfamiliar accounts, jobs, loans, or tax filings. Report any discrepancies to the FTC at IdentityTheft.gov for a recovery plan and consider freezing your credit with the major bureaus to prevent new accounts. 

Has LifeLock been hacked?

What happened. In December 2022, thousands of Norton LifeLock customers had their accounts compromised, potentially allowing criminal hackers access to customer password managers, the company revealed in a data breach notice.

Can I run a test to see if my phone is hacked?

You can check if your phone is hacked by looking for signs like rapid battery drain, high data usage, unfamiliar apps, pop-ups, performance slowdowns, or unexpected charges and messages, then confirm by running a mobile antivirus scan or using built-in tools like Google Play Protect (Android) or Apple's Safety Check (iOS) to find and remove malicious software.