GDPR violations: 5 costly traps for companies
The bill was unexpected: 1.2 billion euros for Meta, 50 million euros for Orange SA, 15,000 euros for the Belgian SME Jubel.be. Breaches of the GDPR are costly and penalising them is no longer an exception. For Europe's supervisory authorities, prosecuting such cases has long been part of everyday life – regardless of the size of the company.
Since the GDPR was launched in May 2018, corporations, SMEs and small businesses alike have learnt some painful lessons. Even after seven years, data protection is clearly far from routine. In essence, many cases can be traced back to five cardinal errors. They show a clear pattern: those who underestimate data protection obligations risk tangible consequences.
The GDPR at a glance
The General Data Protection Regulation (GDPR) has been the standardised European set of rules for the protection of personal data since May 2018. It regulates how companies and organisations may collect, process and store data and gives data subjects comprehensive rights over their data. Serious violations can result in fines of up to 20 million euros or 4% of annual global turnover, whichever is higher.
Current developments are expanding the scope of data protection: The EU AI Act, which has been in force since August 2024 and whose obligations will gradually take effect from 2025, regulates the use of AI systems. The Data Act has strengthened users' access to data from their networked devices since September 2025. There are also new proposals for the handling of AI training data and for amended rules on cookies and tracking – making regular compliance checks even more important.
Costly lessons: When everyday practices become a fine trap
In May 2023, Meta Platforms Ireland Limited was hit particularly hard. The Irish data protection authority imposed a €1.2 billion fine because the company transferred the personal data of European users (in particular Facebook user data) to the USA without complying with the necessary safeguards. Following the ECJ's "Schrems II" judgement, the specific standard contractual clauses used were deemed inadequate without additional safeguards. This ultimately led to the highest GDPR sanction ever imposed.
However, fines do not only affect large corporations. Orange SA learnt this in December 2024. The established French telecommunications provider had to pay a fine of 50 million euros because it displayed adverts in its customers' email inboxes that were barely distinguishable from regular emails. This was also done without obtaining valid consent beforehand. The CNIL also objected to the fact that Orange continued to read cookies on the website despite the withdrawal of consent.
The case of Jubel.be, a legal information platform from Belgium, shows that even smaller providers are not exempt. The Belgian data protection authority imposed a fine of 15,000 euros at the end of 2019 because the website set cookies without consent, did not offer an opt-out option and did not provide users with sufficient information about the tracking technologies used.
The five cardinal errors of GDPR compliance
These and numerous other examples show that, despite years of experience with the GDPR, companies keep making the same mistakes. Here are five errors that often lead to heavy fines and can easily be avoided with a systematic approach:
1. Lack of a legal basis: The foundation of data protection
One of the most common and most serious violations of the GDPR is the processing of personal data without a valid legal basis. All data processing must be based on one of the six legal grounds listed in Article 6 GDPR: consent, contract fulfilment, legal obligation, protection of vital interests, public interest or legitimate interest.
If this basis is missing, all data processing is unlawful – with corresponding financial consequences. It becomes particularly problematic when companies rely on supposed consent that does not fulfil the strict GDPR criteria: consent must be voluntary, informed, specific and unambiguous.
2. Inadequate security measures: The digital Achilles heel
Inadequate technical and organisational measures (TOM) are another common cause of GDPR breaches. These include a lack of encryption, inadequate access controls, outdated software and inadequate backup systems. The GDPR requires state-of-the-art protection of personal data. It's a moving target that requires continuous investment in IT security. Companies that skimp here not only risk cyberattacks and data leaks, but also hefty fines for breaching their duty of care.
3. Disregarded data subject rights: When customers become petitioners
The GDPR grants data subjects in the European Economic Area (EEA) extensive rights to their personal data, including access, rectification, erasure, restriction of processing, data portability and objection. Companies that ignore, incompletely process or excessively delay such requests are in breach of the requirements.
The refusal to erase data – the "right to be forgotten" – is particularly sensitive once statutory retention periods have expired. These rights are mandatory, and requests to exercise them must generally be answered within one month. In complex cases, a justified extension is possible.
By the way: this will become even more important with the new AI Act. As AI systems are often trained with personal data, companies must ensure that data subjects can also exercise their GDPR rights in this context. This includes people being able to request information about their data, object to processing or request erasure. Companies must review these requests and – where legally possible – implement them.
4. Silent data breaches: Silence is not golden
Data breaches happen. The key is dealing with them correctly. The GDPR obliges companies to report serious incidents to the competent supervisory authority within 72 hours and to inform the authority if there is a high risk for those affected. Companies that conceal mishaps or report them too late risk double penalties: once for the incident itself and once for failing to report it. Transparency and a swift response are legal obligations here and not just confidence-building measures.
5. Unauthorised advertising: When marketing becomes a boomerang
The unauthorised processing of personal data for advertising purposes remains a perennial issue among GDPR breaches. Whether unauthorised email newsletters, purchased address lists or tracking without consent – marketing without a solid legal basis can cause rapid damage.
The Amazon case illustrates the scale: In July 2021, the group received a 746 million euro fine from the Luxembourg authority CNPD because personalised advertising was carried out on the website without valid, voluntary consent, and refusing tracking was made unnecessarily complicated. This violation affected millions of users and breached the strict consent rules of the GDPR (Art. 7).
How companies can avoid expensive fines
To avoid the pitfalls mentioned above, it is worth taking a systematic approach:
- Create a register of processing activities: Complete documentation of all data flows within the company: What data is processed for what purpose, on what legal basis and for how long?
- Implement technical and organisational measures: Regular security updates, strong password guidelines, encryption of sensitive data and access restrictions based on the "need-to-know" principle.
- Write transparent data protection declarations: Explain in simple language which data is processed and why, and enable data subjects to exercise their rights easily.
- Establish a system for data subject enquiries: Central point of contact, clear processes and defined processing times to comply with legal deadlines.
- Conclude GDPR-compliant data processing agreements: Agree clear rules on obligations and responsibilities with all partners.
Conclusion: Prevention is cheaper than fines
The most common GDPR violations are usually caused by negligence, but these compliance errors cost European companies hundreds of millions of euros in fines every year. This money would be better invested in business development and innovation. However, the combination of stricter law enforcement and new regulations such as the AI Act makes proactive data protection a strategic necessity. Companies that invest in GDPR-compliant systems and European technology providers not only protect themselves against fines, but also build trust with customers and business partners. In a digital economy, data protection is no longer a cost factor, but a competitive advantage.