Since the General Data Protection Regulation ("GDPR") came into force in May 2018, supervisory authorities across the EU have started to show their teeth. The most striking (intended) enforcement actions are the following:
1. Google
The French data protection authority CNIL fined Google LLC EUR 50,000,000 for a lack of transparency, inadequate information and a lack of valid consent regarding ads personalization.
2. British Airways
No final decision yet, but the UK data protection authority ICO is ready to impose a large fine of £183,390,000 on British Airways. User traffic to its website was being diverted to a fraudulent site, which allowed customer details to be harvested and compromised the data of approximately 500,000 customers.
A huge number of records and a huge intended fine: the hotel chain might face a £99,200,396 fine from the UK data protection authority ICO because its guest records were exposed.
4. Haga Ziekenhuis
This Dutch hospital received the dubious honour of the first GDPR fine in the Netherlands: the Dutch data protection authority AP issued a fine of EUR 460,000 for insufficient internal security of patient records.