The Three biggest GDPR Fines of 2021: who was punished for mishandling your Data this year?

As another year comes to an end, and with Christmas just around the corner, we’ve created our own ‘naughty list’ with regards to companies that have mishandled their customers’ personal data and been fined heavily as a result during 2021. 

The General Data Protection Regulation came into effect on May 25th 2018, replacing the Data Protection Directive, which was considered to be outdated in protecting the rights of consumers’ online data given that it was created in 1995 before the internet really became a data hoover. It is generally considered to be the toughest privacy and security law in the world. 

The purpose of the legislation is to protect ‘the right to privacy’, which is part of the European Convention on Human Rights. As such, companies that fail to protect this right receive harsh fines, with penalties reaching into the tens of millions of euros. So far, over 880 fines have been issued totaling over €1.29 billion. 

Though the legislation was passed by the European Union (EU) it has implications for any organisation in the world, as long as they collect data related to people living in the EU. That’s why you may see US companies, for example, on this list.

So, who have been issued the biggest fines in 2021?

  1. Amazon

In July 2021, the Luxembourg National Commission for Data Protection issued the largest fine ever for the violation of GDPR amounting to €746 million ($865 million) to Amazon. First brought to attention by a complaint filed by 10,000 people from the group La Quadrature du Net in May 2018, the Commission began investigating how Amazon processed the personal data of its customers. It found that Amazon was responsible for infringing the GDPR due to the way its advertising targeting system collected customer data without proper consent. It also ordered the company to change its business practices to prevent future infringements. 

Amazon has since stated that it disagrees strongly with the Luxembourg authority’s finings and launched an appeal against the fine in October 2021.

  1. WhatsApp

In September 2021, messaging platform WhatsApp became the victim of the second largest GDPR fine ever totaling €225 million ($267 million) from Ireland’s Data Privacy Commission (DPC). This fine, which was given after a three year investigation into the company (starting December 2018), was issued due to WhatsApp not being clear enough with its customers about how their data was being processed in its privacy policy. The privacy policy has since been updated several times, most recently for countries outside Europe in early 2021 where its data sharing practises between Facebook and Instagram came under heavy scrutiny. 

WhatsApp has also since rewritten its privacy policy for European users as directed to by the DPC. The policy now includes more detail about how the company collects and uses customer data, why data is shared across borders, how it is stored, and when it is deleted. 

As is the case with Amazon, WhatsApp says it disagrees with the decision and the severity of the fine and submitted an appeal in the latter half of September 2021. 


At the very start of 2021, in January, German electronics retailer received the third largest GDPR fine of the year, €10.4 million ($12.5 million) from the data protection commissioner for the German state of Lower Saxony (LfD). However, unlike with the other two companies mentioned above, this fine was the result of not protecting its employees personal data – rather than customers. 

The breach of GDPR came from the fact that employees were constantly videotaped without any legal basis for over two years in its salesrooms, workhouses, and other common areas of the company. This surveillance was put in place, argued, to prevent theft of high value goods and to track the flow of goods from its warehouses. 

Nonetheless, the LfD stated that because videos were kept much longer than necessary (around 60 days in the company’s database before being deleted) and that videotaping was used as a deterrent for crime -rather than due to justifiable suspicion that crime was being carried out by an employee – the privacy rights of employees was being violated.

On receiving the fine, CEO of the company, Oliver Hellmold, objected strongly to the decision, claiming that the LfD didn’t visit the premises of during the three year investigation and that the company had already previously made adjustments to its video surveillance system to become GDPR compliant. As such, submitted an appeal to the Bonn Regional Court to review if the fine is lawful and proportionate. 

Did anyone on this list surprise you? How do you feel about companies who mishandle customer data? Let us know in the comments section below. 

We’ve also written another post detailing how to know if your personal data has been compromised in a leak here.

And, if you have any questions or other technology queries, please tweet us at @techtroublesho1.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s