A report analyzes the most common reasons for imposing fines under the General Data Protection Regulation and who are the biggest infringers
The European Union’s General Data Protection Regulation (GDPR) entered into force in 2018 and many organizations have violated its rules since then. In fact, in just over three years, more than 650 fines have been issued for GDPR violations.
Bulgaria is among the countries that have imposed the most fines for this reason. The country ranks 10th in the EU with 20 fines totaling more than 3,21 million euros. The average value of the fines in our country is over 160 thousand euros.
That’s according to a study by cybersecurity company ESET, according to which the top ten countries have imposed fines of more than 193 million euros since 2018. The survey includes data on the largest fines imposed on companies, the most common reasons for GDPR fines and the countries that impose the most and the largest fines.
Although the average fine imposed on Spanish organizations is relatively low at just over € 118 000, Spain has imposed the largest number of fines - 273 in total. The country has registered just over a third of all GDPR violations so far. Italy has the dubious honor of being not only the country with the second largest number of fines, but also in second place in the total amount of fines: over 84 million euros since 2018. The average fine in Romania under the GDPR is a modest 11 659 euros, which is actually one of the lowest in Europe, but the country has accumulated a large number of fines, placing it third in the survey. The top 10 countries with the highest number of fines for data protection breaches are complemented by Hungary, Norway, Germany, Sweden, Belgium, Poland and Bulgaria.
Most of the fines so far fall into the category of “insufficient legal basis for data processing” and until recently Amazon’s fine was the basis for both the highest average fine and the largest number of fines paid. The second most common reason for fines is “insufficient technical and organizational measures to ensure information security” with 155 violations since the introduction of the regulation. The third most common infringement is formulated much more generally: “non-compliance with the general principles of data processing”. It covers less serious violations of the GDPR.
