Most significant GDPR Fines of 2022


The first quarter of 2022 has seen substantial penalties dished out to firms, with some finding themselves on the receiving end yet again.

Top GDPR fines in 2022:

  • REWE International - €8m fine
  • Cosmote Mobile Telecommunications - €6m fine
  • Vodafone España - €3.94m fine
  • OTE Group - €3.25m fine
  • Amazon Road Transport - €2m fine

Below is a summary of the reasons for these penalties and tips on preventing your company from committing similar breaches!

REWE International - €8m fine

GDPR breach - Non-compliance with general data protection principles

  1. The Austrian food retailer, REWE International, received a fine of €8 million for the careless handling of customer data. The company's customer loyalty and rewards programme, jö Bonus Club, breached the General Data Protection Regulation (GDPR) by allegedly collecting users' data without their consent and using it for marketing purposes.
  2. REWE International will challenge the decision of the Austrian Data Protection Authority (DPA) because jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club.
  3. This is not the first time the jö Bonus Club has breached GDPR. The subsidiary was fined €2 million in August 2021 for the unlawful collection of millions of bonus club members' data and the subsequent sale to third parties.

Cosmote Mobile Telecommunications - €6m fine

GDPR breaches - Art.5(1)a), Art. 5(2), Art. 13, Art. 14, Art. 25(1), Art. 26, Art. 28, Art. 35(7)

  1. The Hellenic Data Protection Authority (HDPA) imposed a fine of €6 million on Greece's largest mobile operator, Cosmote. After the company experienced a cyberattack in 2020, the personal data of millions of their customers was stolen.
  2. The HDPA found that Cosmote failed to include their parent company, OTE Group, in the investigation, and they neglected to explain the severity of the data breach to their affected customers. The investigation also found that Cosmote did not implement appropriate data protection measures.
  3. The authorities discovered that Cosmote could legally keep call data for up to 90 days and an additional 12 months if the data is pseudonymised. However, there were cases where the pseudonymisation process was incomplete, and the company held customer data for longer than is legally allowed.

Vodafone España - €3.94m fine

GDPR breaches - Art. 5 (1) f), Art. 5 (2)

  1. The Spanish Data Protection Authority (AEPD) fined Vodafone €3.94 million for failure to implement appropriate security measures to prevent the fraudulent replication of SIM cards. During the investigation, the AEPD found that Vodafone could not prove it had verified the identity of the fraudsters and that its security measures were insufficient.
  2. Furthermore, the authorities concluded that the company displayed a lack of accountability. In response to Vodafone's argument that the replication of SIM cards was due to human error, the AEPD stated that repetitive human error indicates "a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures."

OTE Group - €3.25m fine

GDPR breaches - Art. 32

  1. Following the leakage of subscriber call data, the HDPA fined the OTE Group a total of €3.25 million. The investigation into the company was triggered when Cosmote reported a data breach. It was found that Cosmote should have included the OTE Group in the investigation into data protection measures.
  2. The HDPA concluded that both Cosmote and the OTE Group were responsible for determining the organisational and technical security measures. Furthermore, the OTE Group breached GDPR by failing to implement adequate security measures.

Amazon Road Transport - €2m fine

GDPR breaches - Art. 6 (1), Art. 10, Art. 10 LOPDGDD

  1. The AEPD imposed a fine of €2 million on Amazon Road Transport for the failure to implement adequate procedures for collecting and processing personal data relating to criminal convictions.
  2. A representative of the General Union of Workers filed a claim with the AEPD. They noted that, for hiring self-employed contractors, Amazon Road Transport requests certificates of absence of a criminal record, i.e. negative certificates. Furthermore, they require candidates' consent to transfer this data to group companies and their suppliers located outside the European Economic Area.
  3. As a result, the AEPD rejected Amazon Road Transport's claims regarding the processing of negative criminal conviction certificates. Additionally, authorities refused to accept the company's interpretation of Article 10 of the GDPR, as well as Article 10 of the LOPDGDD.

What can we learn from these GDPR fines?

In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, the other penalties share some common themes worth learning from:

  • Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
  • Never use personal information in unfair, detrimental, unexpected, or misleading ways.
  • Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
  • Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
  • Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.
