Upstract Image1

Related Practice Areas

Related Practice Areas

Upstract Image2

Related Industry Sectors

Related Industry Sectors


This article briefly sets out general overview of the fines imposed for GDPR violations in 2021 and how they increased compared to 2020.

What are the GDPR fines?

Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million, or 4 percent of worldwide turnover for the preceding financial year, whichever is higher.

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Since the GDPR took effect in May 2018, there has been a steady increase in the total penalties issued each year. The total sum of GDPR fines issued in 2021 hit over €1 billion by the end of the year whereas in 2020, total sum of GDPR fines issued was €171 million and €72 million in 2019.

GDPR fines in 2021

A total of 412 penalties were issued in 2021, mainly for marketing related activities, with companies like Amazon and WhatsApp paying the most significant penalties for violating GDPR laws.

In July 2021, Amazon was fined €746 million which was handed down by the Luxembourg's National Commission for Data Protection in July. Although the full reasons behind the fine are not yet confirmed, it is alleged that the cause of the fine is related with cookie consent.[1] It is also known that Amazon has appealed this decision to Luxembourg's Administrative Tribunal.

Ireland also issued WhatsApp a penalty amounting to €225 million after claiming that the service provider had failed to properly explain its data processing practices in its privacy notice.

In September 2021, when Austrian Post allegedly failed to facilitate data subject rights requests properly, it received a €9 million fine. Austrian Post was fined because it did not allow a data subject to submit a rights request via e-mail and the Austrian DPA said that Austrian Post should have allowed data subjects to submit a data subject rights request through any medium they preferred.

GDPR fines among countries

Spain has accumulated 351 fines, resulting in €36.7 million worth of penalties. Spain has gathered the most fines by far, compared to any other country.

Italy has the second place on the list with 101 fines, resulting in nearly €90 million worth of penalties. The average penalty in Italy is about €887K, which stands out as one of the largest compared to other countries.

Romania stands third on the list with a total of 68 sanctions, resulting in €721K worth of fines.[2]

Cyprus has issued GDPR fines resulting in approximately €1 million worth of penalties in 2021.


It is important to emphasize that GPDR sets high standards for data protection and it is clear that data protection authorities are not hesitant to impose deterrent penalties to companies to keep them on their toes in relation to personal data protection.

By Ms. Munevver Kasif

For more information, please visit our website microsite on Data Protection & Cyber Law or send your queries at This email address is being protected from spambots. You need JavaScript enabled to view it..


[1] accessed on 13/01/2022.

[2] accessed on 13/01/2022.

Back to News

1 Kinyra Street, 5th floor
1102 Nicosia


115 Faneromenis Avenue,
Antouanettas Building
6031 Larnaca


12 Platonos Street,
3027 Limassol


4 Nicou Nicolaidi & Kinyra,
2nd floor, 8011 Paphos


164A Georgiou Gourounia,
1st floor, 5289 Paralimni

Monday – Thursday

8:00 – 18:00


8:00 – 16:00

TEL: +357 24 201 600

FAX: +357 24 201 601

Privacy Policy