Data Protection has Entered the Chat: Analysis of GDPR Fines



Before the adoption of the EU GDPR, researchers notably argued that the enforcement of personal data protection law was "toothless" and a "paper tiger". Almost three years after its enforcement date, GDPR fines are increasing, and the world is beginning to witness the effect of sizeable fines imposed on organizations. This analysis aims to discover potential correlations between GDPR fines and, equally, the lack of them. Such correlations might help to identify trends that Data Protection Authorities (DPAs) follow in their fining practices. This paper specifically describes the fines issued by the Romanian DPA, and it also contains qualitative research findings drawn from discussions with interview subjects. The aim of this paper is to evaluate whether a prediction model based on linear regression analysis can be constructed, and to provide future directions for the field of legal data analysis.

GDPR fines; data analytics; R-programming; fine calculation

163 – 213
Author biography

Nimród Mike

Corvinus University of Budapest, Institute of Information Technology

Department of Legal informatics

PhD student








