The General Data Protection Regulation (GDPR) imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU Shutterstock

The General Data Protection Regulation (GDPR) imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU Shutterstock

Of that number, 375 were reported in the past 12 months, the firm said in a press release issued on Tuesday. The grand duchy ranked eighteenth overall and has issued no fines since the regulation entered into law on 25 May 2018.

Italy imposed the highest aggregate fines at €69.3m. Germany and France came second and third with aggregate fines of €69.1m and €54.4m respectively.  

281,000 data breach notifications in Europe

In total there have been more than 281,000 data breach notifications since the application of GDPR, with Germany (77,747), The Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators. France and Italy only recorded 5,389 and 3,460 data breach notifications for the same period. DLA Piper said this disparity illustrated the cultural differences in approaches to breach notification.   

Daily breach notifications across Europe grew 19% in 2020 to reach 331 per day, up from 278.

The highest GDPR fine to date remains the €50 million imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent.

Graphic: DLA Piper

2021 expectations

In 2020, European regulators adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead, said Olivier Reisch, Partner of DLA Piper’s Luxembourg Intellectual Property & Technology.

“However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship. During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other “third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”