In October 2020, three of the largest-ever fines for breaches of the EU General Data Protection Regulation (“GDPR”) were imposed by data protection authorities in the EU. In Germany, the Data Protection Authority of Hamburg fined H&M €35.3m, while in the UK, the Information Commissioner’s Office (“the ICO”) fined British Airways and Marriott International €22m and €20.45m respectively.

H&M - €35.3m fine

Swedish retail conglomerate H&M was fined for the illegal surveillance of hundreds of its employees. The company had collected sensitive personal data through the use of staff surveys and informal chats. The personal data collected included information about employees’ religious beliefs, medical records, including diagnoses and symptoms of illnesses, as well as private details about vacations and family affairs. The company then used this data to create profiles of its employees.

These practices became public after a technical error made the information, which was stored on the company's network, temporarily accessible to staff for several hours in October 2019, prompting the Hamburg authority to open an investigation. The Hamburg authority noted that there had been a gross disregard of data protection rules and that the large fine was "justified and should help to scare off companies from violating people's privacy".

British Airways - €22m fine

The fine against British Airways for its GDPR breaches was reduced to €22m from the original notice of €204m imposed by the ICO in July 2019. An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack in July 2018, which was only discovered two months later. The attack resulted in hackers stealing personal data from more than 400,000 customers of the airline. Interestingly, the ICO stated that it had taken into account the economic impact of Covid-19 and the effect this has had on the airline industry when imposing the reduced fine.

Marriott International - €20m fine

In July 2019, the ICO issued a notice of intention to fine Marriott International just over £99m for failing to keep millions of customers’ personal data secure. Marriott was the subject of a cyber-attack in 2014 from an unknown source which remained undetected until September, by which time an estimated 339 million guests’ records were exposed.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.

On 30 October 2020, the ICO issued its penalty notice in which it imposed a fine of €20.45m, substantially reducing the initial intended fine. As with its decision in the British Airways matter, the ICO took into account a number of mitigating factors, including the impact of the Covid-19 pandemic. The ICO also acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.


The imposition of such high financial penalties in quick succession highlights the wide-ranging enforcement powers available to data protection authorities to ensure compliance with the GDPR, and shows that they will not hesitate to use these powers when appropriate. It should serve as a crucial reminder to all companies of their obligations as data controllers and processors under the GDPR. Moving forward, it will be interesting to see whether, when imposing fines, other data protection authorities adopt the position taken by the ICO in taking into account the current economic impact that Covid-19 is having across the globe.