European data authorities have issued 340 fines totaling €158 million since the law was implemented in May 2018, according to tracking by Privacy Affairs.
The largest fine was the €50 million meted out by France to Google in January 2019 for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization,” and the smallest was the €90 levied on a hospital in Hungary.
Each one of the 28 EU nations has dealt out fines, and the UK has imposed at least one specifically related to GDPR.
However, the UK’s Information Commissioner has hit firms with seven fines totaling €640,000, not including the potentially massive fines for data breaches faced by Marriott International and British Airways.
Spain was the most aggressive nation in terms of the sheer number of penalties doled out: 99. Hungary was a distant second, with 32.
But France led the way in monetary totals, apparently due the Google fine: €51.1 million. Italy was next, with €39.4 million and Germany third with €26.5 million.
In addition to Google, the largest fines went to:
TIM—Telecom Provider -- €27.8 million
Austrian Post -- €18 million
Deutsche Wohnen SE -- €14.5 million
1&1 Telecom GmbH - -€9.5 million
Among the smaller penalties was €2,500 issued to an individual in Germany who sent emails to several recipients, allowing each to see the others' email addresses. Over 130 addresses were exposed.