BA was handed the fourth biggest GDPR fine
Top ten individual fines imposed by data controller as of July 2021
| Controller/Processor | Country | Fine (€) | Type | Date |
|---|---|---|---|---|
| Google Inc. | France | 50,000,000 | Insufficient legal basis for data processing | 2019, Jan |
| H&M Hennes & Mauritz Online Shop A.B. & Co. KG | Germany | 35,258,708 | Insufficient legal basis for data processing | 2020, Oct |
| TIM (telecommunications operator) | Italy | 27,800,000 | Insufficient legal basis for data processing | 2020, Jan |
| British Airways | United Kingdom | 22,046,000 | Insufficient technical and organisational measures to ensure information security | 2020, Oct |
| Marriott International, Inc | United Kingdom | 20,450,000 | Insufficient technical and organisational measures to ensure information security | 2020, Oct |
| Wind Tre S.p.A. | Italy | 16,700,000 | Insufficient legal basis for data processing | 2020, Jul |
| Vodafone Italia S.p.A. | Italy | 12,251,601 | Non-compliance with general data processing principles | 2020, Nov |
| notebooksbilliger.de | Germany | 10,400,000 | Insufficient legal basis for data processing | 2021, Jan |
| Eni Gas e Luce | Italy | 8,500,000 | Insufficient legal basis for data processing | 2019, Dec |
| Vodafone España, S.A.U. | Spain | 8,150,000 | Insufficient fulfilment of data subjects rights | 2021, Mar |
