Top 5 GDPR fines in May 2025: Ireland leads the way with TikTok fine

The Irish data protection authority DPC is at the forefront of GDPR fines in May 2025 with its fine against the video app TikTok.

Fines in the millions were imposed in May 2025. The highest fine, 530 million euros, was imposed by the Irish data protection authority DPC on the video app TikTok because data reached China without the knowledge and consent of the data subjects. The Italian data protection authority GDPD imposed a fine of 5 million euros on the operator of the chatbot Replika, Luka Inc. An inadequate privacy policy and inadequate age verification measures led to this high fine. High GDPR fines were also imposed in France and Spain.

TikTok: 530 million euros (Ireland)

On May 2, 2025, the Irish Data Protection Commission (DPC) imposed a fine of 530 million euros on TikTok. This was prompted by an investigation into the legality of the transfer of personal data of users from the European Economic Area (EEA) to China. The DPC found that TikTok had failed to ensure a level of protection comparable to EU law when transferring data, as required by Article 46 GDPR. In addition, TikTok's privacy policy was not transparent enough until the end of 2022. It neither named the recipient countries (such as China) nor sufficiently described the type of data processing.

The sanction consists of 485 million euros for the infringement of Art. 46 GDPR and 45 million euros for the lack of transparency pursuant to Art. 13 para. 1 lit. f GDPR. In addition, the DPC ordered TikTok to bring its data processing procedures into line with the GDPR within six months. If this is not done, there is a risk that data transfers to China will be stopped. The decision was reinforced by new findings: TikTok had initially falsely informed the DPC that it did not store any EEA user data on servers in China, but later had to correct this.

Reading tip: TikTok must pay a fine of 530 million euros - for data transfers to China

Source: Notice from the Irish Data Protection Commission on the fine against TikTok

Luka Inc.: 5 million euros (Italy)

On April 10, 2025, the Italian data protection supervisory authority Garante per la Protezione dei Dati Personali (GDPD) imposed a fine of 5 million euros on the US company Luka Inc., operator of the AI chatbot Replika. The GDPD found that Luka had violated key provisions of the GDPR, in particular the requirements for transparency, a legal basis for data processing and the protection of minors. There was a lack of a clear and complete privacy policy, effective mechanisms for age verification and a transparent presentation of the purposes and bases of data processing. Despite subsequent adjustments by the company, significant deficiencies remained at the time of the decision. In addition to the fine, the GDPD also ordered the publication of the decision and the rectification of the data protection measures.

Reading tip: Replika massively violates GDPR - Luka Inc. has to pay a fine of millions in Italy

Source: Notice of fine issued by Garante per la Protezione dei Dati Personali against Luka Inc.

ING Bank N.V.: 1.6 million euros (Spain)

In proceedings against ING Bank N.V., Sucursal en España, the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), imposed a fine of 2 million euros, reduced to 1.6 million euros by voluntary payment, because the bank violated Art. 6 para. 1 GDPR. Specifically, ING had required customers, in connection with the online opening of bank accounts (such as "Cuenta NoCuenta"), to agree to a clause authorizing ING to obtain information on their economic activity from the Spanish Social Security (TGSS). The AEPD found that this consent was not voluntary within the meaning of the GDPR, as it was a mandatory part of the contract and no alternative for verification was offered. The processing therefore took place without a valid legal basis. ING invoked legal obligations to prevent money laundering, but the authority ruled that in such cases the consent of the customers remains necessary. In addition to the fine, ING was obliged to reorganize the process in compliance with data protection regulations within six months.

Source: Fine imposed by the Agencia Española de Protección de Datos on ING Bank N.V.

Tagadamedia: 900,000 euros (France)

On May 15, 2025, the French data protection authority CNIL issued a decision against the company Tagadamedia, imposing a fine of 900,000 euros. The company operates numerous online competitions and processed personal data of users for advertising purposes without informing them in a sufficiently transparent manner about the specific processing purposes and recipients. In addition to the violations of Articles 5 and 6 GDPR, the CNIL also found that there was no effective consent within the meaning of the GDPR, as it was neither specific nor sufficiently informed. Furthermore, it was not possible for those affected to effectively object to their data being passed on to numerous partner companies. The breaches affected a large number of individuals and concerned key principles such as transparency and legality.

Source: CNIL press release on the fine imposed on Tagadamedia

Credifimo: 120,000 euros (Spain)

In proceedings against Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, Credifimo, E.F.C., SAU, the Spanish data protection authority AEPD imposed a fine of 200,000 euros. The case concerned the unlawful reporting of a data subject to the credit agency ASNEF as a defaulting guarantor for a loan, although the data subject had never been properly informed about the possible data transfer and there was judicial evidence that the debt in question did not exist. Credifimo was unable to provide evidence of an effective basis for the data processing; in particular, there was no evidence of a correct dunning procedure or of lawful information in accordance with Art. 20 LOPDGDD. The infringement, in particular of Art. 6 GDPR, was considered to be serious, as fundamental obligations regarding legality and transparency were breached. By paying and acknowledging responsibility, Credifimo took advantage of the statutory discount option, so that the fine effectively paid amounted to 120,000 euros. The authority also ordered the unlawful entry to be deleted from the ASNEF register.

Source: Fine imposed on Credifimo by the Agencia Española de Protección de Datos
