Three billion euros! This year’s data protection fines set a new record.

It has been reported:

• In the first half of the year, in the EU, companies were hit with record-breaking fines for violating personal data protection rules; and
• The five most significant fines alone totalled over three billion euros in just six months.

At the start of 2025, the largest fine in GDPR history – €1.2 billion – came into effect.

• The Irish Data Protection Commission issued it to Facebook’s parent company, Meta.
• The fine was based on Meta’s extensive transfers of personal data from its social media platforms to the United States, which occurred without sufficient safeguards in place.
• This decision sends a strong signal to all companies that standard contractual clauses are not enough for international data transfers.
• A risk assessment, technical safeguards, and ongoing oversight are essential.

Tech giant Amazon took second place with a €746 million fine, issued by Luxembourg’s data protection authority in March:

• The massive fine was due to targeted advertising conducted without valid and informed consent from users; and
• In data-driven advertising, permission must be freely given, documented, and easily withdrawn at any time.

The third-largest fine of the year so far was issued in May to TikTok, totalling €530 million:

• Once again, the Irish Data Protection Commission was the authority responsible;
• The reason: employees based in China had access to personal data of European users, combined with a lack of transparency in the platform’s processes; and
• This case teaches that companies must clearly and understandably inform users where their data is stored and what third countries are involved in its processing.

In April, the Spanish Data Protection Authority fined healthcare service provider Marina Salud €500,000:

• The penalty stemmed from the processing of health data with subcontractors without appropriate contractual agreements; and
• This shows that every data processor – including IT partners – must be formally bound by a data protection agreement, and the data controller must have complete visibility into the entire processing chain.

In April, Vodafone España was fined €200,000 by the local data protection authority:

• The fine was a result of a SIM card swap carried out without sufficient identity verification; and  
• This fine highlighted that all personal data–related actions – including account recovery – must rely on strong authentication and a risk-based approach.

Vodafone’s German branch was also fined €45 million for failing to provide sufficient oversight of subprocessors and for not implementing adequate safeguards for user identification.

Conclusion

• The most considerable GDPR fines of the first half of 2025 revealed repeated patterns from which companies can draw valuable lessons.
• GDPR is no longer a stack of documents in a drawer. It’s a strategic management issue.
• Well-executed data protection builds trust, strengthens business relationships, and creates long-term value. The opposite is also true: if personal data is handled carelessly, companies will lose money, trust, and competitive advantage.
• To avoid reputational and financial risk, companies should map their data flows and cross-border transfers and ensure that data processing agreements cover all subprocessors.
• Don’t forget the importance of regularly updating privacy notices and consent templates, based on the latest best practices and lessons learned from others’ mistakes.
• Conducting regular risk-based audits is also essential to ensure there is a clear legal basis for each data processing activity.
• Remember, even the best system won’t work if people don’t understand the rules or perceive the risks. Employee training is critical in data protection – most major breaches start with ignorance.

Source

https://nordicfintechmagazine.com/three-billion-euros-this-years-data-protection-fines-set-a-new-record/