GDPR fines in March 2021

Non-compliance with the obligations under Regulation (EU) 2016/679 can be a costly mistake for large and small businesses. Article 83 of Regulation (EU) 2016/679 sets out the conditions for imposing administrative fines, which may reach up to 20 million Euro.

Below are the 5 biggest fines (by amount) imposed by data protection authorities within the EU in March 2021:

Competent Authority




Spanish DPA (AEPD)

Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone Espana, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone Espana as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. The total fine imposed was EUR 8,150,000.

Insufficient fulfilment of data subjects' rights


Spanish DPA (AEPD)

The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, S.A. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected.

Insufficient technical and organisational measures to ensure information security


DPA of Baden-Württemberg, Germany

The DPA of Baden-Württemberg imposed a fine of EUR 300,000 on the soccer club VfB Stuttgart 1893 AG for negligent breach of data protection accountability under Art. 5 (2) GDPR.

Non-compliance with general data processing principles


Spanish DPA (AEPD)

The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Electricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. The DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers' personal data.

Non-compliance with general data processing principles


Spanish DPA (AEPD)

The Spanish DPA (AEPD) imposed a fine of EUR 150,000 on Xfera Moviles S.A. The DPA had received two complaints from a data subject. The first complaint concerned advertising SMS messages that the data subject received from the controller, although he had objected to this and requested that his data be deleted. According to the data subject, he received over 60 SMS messages within 30 days. The second complaint was filed by the data subject because the controller repeatedly sent him messages containing confidential data of a third party. This concerned the login information of another customer to a company platform.

Insufficient technical and organisational measures to ensure information security


Smaller fines were imposed during March 2021 by the competent data protection authorities of Romania, Belgium, Norway, Lithuania, Spain, Germany and Cyprus for reasons such as insufficient legal basis for data processing, insufficient fulfilment of information obligations, insufficient technical and organisational measures to ensure information security, and non-compliance with general data processing principles.

Any organization that does not comply with the GDPR rules faces a significant liability, regardless of its size.

G.P. Global Ltd can assist you in meeting your obligations under Regulation (EU) 2016/679 and Cyprus National Law 125(I)/2018.

Our services include the preparation of your Company's Data Protection Policy, preparation of GDPR notices for websites, preparation of the necessary documents relating to data subjects' rights, breaches and impact assessment, outsourcing of DPO tasks, and seminars on GDPR.

We are ready to discuss your specific GDPR needs.

Contact us at the email