Skip to content

What Are the Most Common GDPR Violations? A Guide

Data privacy has become a pressing concern worldwide, and new regulations are springing up every year to protect the privacy and personal data of individuals. One major data privacy law, the EU’s General Data Protection Regulation (GDPR), imposes strict regulations on how data is collected, processed, and stored.

Failure to comply with the GDPR can lead to severe consequences, including substantial fines for organizations. The past year alone has seen penalties like Meta’s €390 million and €1.2 billion fines as well as multi-million euro fines for major companies like TikTok, WhatsApp, and Spotify.

But what are the most common GDPR violations? What data processing practices do they involve, and how can they be avoided?

What does the GDPR require?

Before we explore the top violations, let’s examine the GDPR’s requirements. At its core, the regulation gives EU individuals greater control over their personal information by mandating strict, transparent data handling practices from organizations. It includes many different rules for different kinds of businesses and data processing activities, but here are some of its core requirements:

Lawful and transparent processing. Personal data must be collected and processed for specific, legitimate purposes, and data subjects must be informed about how their data will be used. Data minimization is also an important aspect of the restrictions on data processing.

Robust individual rights. Data subjects have rights to access their data and request corrections and deletion. Just as importantly, businesses must obtain their explicit and informed consent before processing personal data, and they must make it easy for individuals to withdraw consent at any time.

Internal data processing policies. Some organizations must appoint a Data Protection Officer (DPO) if their core activities involve regular monitoring of individuals on a large scale or processing sensitive data. Others must conduct Data Protection Impact Assessments (DPIAs) for data processing activities that may result in high risks to individual rights and freedoms. All companies must maintain detailed records of their data processing activities, including purposes, categories of data, retention periods, and more.

Cross-border data transfers: If personal data is transferred outside the EU or EEA (European Economic Area), organizations must implement supplementary data protection measures like Standard Contractual Clauses, technological safeguards, or the EU-US Data Privacy Framework.

Data security and privacy by design: Organizations must implement robust security measures to protect personal data from breaches or unauthorized access. Additionally, they must incorporate data protection measures into their systems and processes from the outset — also known as privacy by design and privacy by default.

What are the five most common GDPR violations?

2022 was a record year for GDPR fines, with over €2.92 billion in fines levied against companies through the enforcement agencies in various EU countries. Compare that to the total amount of reported fines from May 2018 to January 2020: a paltry €127 million.

Not all GDPR fines are made public, so it’s impossible to give an exact ranking of GDPR violations. But we’ll cover five of the most common ones:

  • Non-compliance with general data processing principles.
  • Insufficient fulfillment of data subjects rights.
  • Insufficient legal basis for data processing.
  • Insufficient cooperation with supervisory authorities.
  • Insufficient technical and organizational measures to ensure information security.

1. Non-compliance with general data processing principles

This violation can involve several different GDPR articles, but the most commonly cited one is Article 5, which governs how personal data is processed. 

Under Article 5, data processing must be done in a lawful, fair, and transparent manner. It must be undertaken for a specific and legitimate purpose — and it must not extend beyond that purpose, meaning that the personal data can’t be subjected to further data processing for different aims.

To avoid incurring fines for non-compliance with general data processing principles, companies must also follow data minimization principles and keep personal data accurate and up to date.

2. Insufficient fulfillment of data subjects rights

The GDPR aims to ensure that people have insight into how businesses are handling their data. As the website for the regulation puts it: “Individuals have a right to know what data an organization is collecting and what they are doing with it.”

As such, the GDPR grants data subjects certain rights, including the right to access and correct their personal data and, in some cases, the right to have that data erased. A common violation occurs when organizations ignore these rights or delay in fulfilling data subjects’ requests.

To make compliance easier, companies should design and implement a streamlined process for handling data subjects’ requests and responding within the specified timeframe.

3. Insufficient legal basis for data processing

Processing data beyond lawful limits is a top cause of GDPR violations. Under the GDPR’s Article 6, organizations are only allowed to process data if they meet one of the six following criteria for lawful processing:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • The processing is necessary to execute a contract or to take steps at the request of the data subject.
  • The processing is necessary for compliance with a legal obligation.
  • The processing is necessary to protect the vital interests of the data subject.
  • The processing is necessary to perform a task carried out in the public interest.
  • The processing is necessary to pursue the data controller’s legitimate interests, except where such interests are overridden by the rights of the data subject — in particular, where the data subject is a child.

In addition, the GDPR prohibits processing many types of personal data except in certain circumstances. These types of data include information about a person’s racial origin, political opinions, religious beliefs, trade union membership, and health or biometric data.

4. Insufficient cooperation with supervisory authorities

GDPR compliance is enforced not by a single supervisory body but rather by a different data protection authority (DPA) in each EU member state. These authorities are independent public bodies that are responsible for monitoring GDPR adoption and addressing non-compliance.

Article 58 of the GDPR outlines the many powers of a DPA to investigate data handling practices and issue corrective actions. Organizations are required to cooperate with the DPA in the performance of these tasks when requested, and failing to do so in a timely manner is a common GDPR violation.

5. Insufficient technical and organizational measures to ensure information security

Under the GDPR, data controllers and processors are responsible for implementing robust security measures to protect personal data from unauthorized access, disclosure, or loss. This may include technical measures like physical security security, cybersecurity software, and good password practices — or it may include organizational safeguards like employee security training and confidentiality clauses.

Either way, data protection must safeguard personal data against unauthorized access and accidental loss. It must also ensure the confidentiality, integrity, and availability of an organization’s systems — the CIA triad — and the personal data processed within them.

Achieving GDPR compliance with ShardSecure

The ShardSecure platform offers advanced data privacy with its innovative approach to file-level encryption. By separating data access from infrastructure providers like cloud storage admins, we protect personal data and support secure cross-border data transfers.

ShardSecure’s approach has been validated by independent privacy attorneys to meet the requirements of Use Case 5 of the EDPB’s recommendations for cross-border data transfers, allowing organizations to store EU personal data within a US cloud provider without violating the GDPR. To learn more about our technology and GDPR/Schrems II compliance, download our white paper or visit our resources page.


Biggest GDPR Fines of 2023 | Skillcast

Data Minimization as a Tool for AI Accountability | AI Now Institute

The General Data Protection Regulation | Consilium

Data Protection Impact Assessment (DPIA) |

Biggest GDPR Noncompliance Penalties | Spirion

GDPR | Enforcement Tracker

What Are the GDPR Fines? |

Art. 5 GDPR - Principles Relating to Processing of Personal Data |

Art. 6 GDPR - Lawfulness of Processing |

Who’s Enforcing GDPR? - European Data Protection Board | KirkpatrickPrice

Art. 58 GDPR - Powers |

What Are GDPR Technical and Organizational Measures? | Know Your Compliance

Secure Personal Data | European Data Protection Board

A Guide to Data Security | ICO