GDPR Fines for Small Companies — Real Examples and Lessons
Why Small Companies Are Now in the Crosshairs
In GDPR's first two years (2018-2020), enforcement focused heavily on tech giants — Google received a EUR 50 million fine from CNIL, and British Airways was hit with GBP 20 million. This created a dangerous misconception: that regulators only cared about large corporations.
Since 2022, that has changed dramatically. Data protection authorities across Europe shifted resources toward SME enforcement, driven by three factors:
- The volume of consumer complaints against small businesses surged as people became aware of their rights.
- Activist organizations like noyb began filing mass complaints against smaller websites using automated scanning tools.
- National DPAs faced political pressure to show that GDPR applies equally to all businesses.
By 2025, over 40% of GDPR enforcement actions in Europe targeted companies with fewer than 250 employees.
Case 1: Greek Online Store — EUR 30,000 for Ignoring Deletion Requests
A small e-commerce business based in Athens with 12 employees received three data deletion requests from former customers over a 6-month period. The business owner did not understand the legal obligation and simply ignored the emails, assuming they were spam.
One customer escalated to the Hellenic Data Protection Authority (HDPA). The investigation revealed:
- No data protection officer or designated contact for privacy matters
- No documented process for handling data subject requests
- Customer data retained indefinitely with no deletion schedule
- No privacy policy on the website
Fine: EUR 30,000 — plus an order to implement a compliant data handling process within 3 months.
Lesson: Ignoring data subject requests does not make them go away. Under Article 12(3) GDPR a request must normally be answered without undue delay and within one month of receipt (extendable by two further months for complex or numerous requests, provided the individual is told why). Even a basic intake process, such as a monitored mailbox with a log of every request and its response date, would have prevented this entirely.
Case 2: Belgian Marketing Agency — EUR 50,000 for Email Marketing Without Consent
A Brussels-based digital marketing agency with 8 employees scraped email addresses from LinkedIn profiles and company websites to build prospect lists. They sent promotional emails to approximately 15,000 contacts without obtaining GDPR-compliant consent.
Multiple recipients complained to the Belgian DPA (APD/GBA). The investigation found:
- No lawful basis for processing — the agency claimed 'legitimate interest' but could not demonstrate a proper balancing test
- No opt-out mechanism in the emails
- No record of where contact data was sourced
- Contact data shared with three other companies without a data processing agreement
Fine: EUR 50,000 — and a public reprimand published on the APD website.
Lesson: Legitimate interest is not a blanket excuse for cold outreach. If you rely on it, you need a documented balancing test showing that your interest does not override the recipients' rights, a record of where each address came from, and a working unsubscribe option in every email. Note also that national ePrivacy rules on unsolicited electronic marketing apply on top of GDPR, so check the rules of each country you send into.
Case 3: Polish Medical Practice — EUR 22,000 for a Data Breach
A small medical practice in Warsaw with 5 staff members suffered a ransomware attack. Patient records for approximately 3,000 individuals were encrypted. The practice paid the ransom (approximately EUR 2,000 in Bitcoin) and recovered most records.
The problem: they did not report the breach to the Polish DPA (UODO), which GDPR requires without undue delay and, where feasible, within 72 hours of becoming aware of it. In fact, they did not report it at all. A patient whose records were among those compromised learned about the attack through an employee and filed a complaint.
The UODO investigation revealed:
- No breach notification to the DPA or affected patients
- No data protection impact assessment had ever been conducted (health data is a special category, and processing it is a typical trigger for a DPIA)
- Patient records stored on a single computer with no encryption and no backup
- The Windows installation had not been updated in over 18 months
Fine: EUR 22,000 — primarily for failing to notify, not for the breach itself.
Lesson: A ransomware attack that encrypts personal data is a personal data breach even if you recover the files, because the availability (and possibly the confidentiality) of the data was compromised. Unless the breach is unlikely to result in a risk to individuals, you must notify the DPA within 72 hours of becoming aware of it, and inform the affected individuals where the risk to them is high. Paying the ransom changes none of this, and trying to hide the incident makes the penalty significantly worse.
Case 4: Austrian Fitness Studio — EUR 11,000 for Surveillance Cameras
A fitness studio in Vienna installed security cameras in its gym area, reception, and changing room corridor. The cameras recorded continuously and stored footage for 30 days.
A member filed a complaint after noticing there was no signage about the cameras and no information about who was processing the footage. The Austrian DPA (DSB) found:
- No visible signage indicating video surveillance was in operation
- No privacy notice explaining the purpose, retention period, or data controller
- Cameras positioned to capture the entrance to changing rooms — considered disproportionate
- No data protection impact assessment for the surveillance system
Fine: EUR 11,000 — plus an order to remove cameras from the changing room area and install proper signage within 30 days.
Lesson: GDPR applies to physical surveillance, not just digital data. If you use cameras in a business premises, you need signage, a privacy notice, and a proportionality assessment.
How to Protect Your Business from Enforcement Action
Every case above has a common thread: the fined businesses lacked basic compliance measures that are cheap and quick to put in place. The essential minimum:
- A proper cookie consent mechanism on your website
- A clear, comprehensive privacy policy
- A documented process for handling data subject requests
- Data processing agreements with your third-party tools
- A breach notification procedure
Tools like Clym cover the first three items automatically: cookie consent management, privacy policy generation, and a DSAR handling portal. For a small business without a legal team, this is the most cost-effective way to close the biggest compliance gaps.
The cost of compliance tooling is typically EUR 15-50/month. The cost of non-compliance, as these cases show, ranged from EUR 11,000 to EUR 50,000 for businesses with fewer than 15 staff, before counting legal fees and the cost of complying with the remediation orders.
Set up compliance with Clym today
Fastest path
Need one tool for consent, privacy policy, and DSAR handling?
Clym is the strongest fit when you want to get compliant without stitching together three separate tools.
- Best for small teams that need GDPR basics covered quickly
- One implementation instead of separate banner + policy + request workflow
- Useful when you want a practical setup, not an enterprise project
Frequently Asked Questions
Do small businesses really need to comply with GDPR?
Yes. GDPR applies to any business established in the EU that processes personal data, and to businesses outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of business size. The cases above involved companies with 5, 8 and 12 employees.
What's the fastest way to make my website GDPR compliant?
The fastest approach is using an all-in-one compliance tool like Clym that handles cookie consent, privacy policy, and data requests in a single integration.
How much do GDPR fines cost for small businesses?
The maximum is EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (a lower tier of EUR 10 million or 2% applies to others). In practice, small business fines typically range from 5,000 to 100,000 euros; the four cases above fell between EUR 11,000 and EUR 50,000.