GDPR enforcement is no longer theoretical. CNIL in France has issued tens of millions of euros in fines in recent years. German DPAs have issued hundreds of Bußgelder. And Germany's private Abmahnung system generates thousands of enforcement actions every year against businesses of all sizes.
These are 13 documented enforcement cases — fines, sanctions, and enforcement decisions that you can verify. They are not hypotheticals. They are the cases your competitors' compliance teams are reading.
⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. Fine amounts and enforcement decisions are based on publicly available information. Consult a qualified lawyer for advice specific to your situation.
| Company | Fine | Year | Primary Violation |
|---|---|---|---|
| Criteo | €40,000,000 | 2023 | Cookie consent; invalid consent for ad tracking |
| Doctissimo | €380,000 | 2023 | Excessive data retention; health-data consent gaps; inadequate security; cookies before consent |
| NS Cards France | €105,000 | 2023 | Excessive data retention; inadequate security; cookies before consent |
| SAF Logistics | €200,000 | 2023 | Excessive data collection; retention violations; privacy policy gaps |
| Dedalus Biologie | €1,500,000 | 2022 | Data breach; inadequate security; retention violations |
| Clearview AI | €20,000,000 | 2022 | Unlawful facial recognition; no legal basis |
| Free Mobile | €300,000 | 2022 | Failure to respect data subject rights; inadequate data security (weak/cleartext passwords) |
| Infogreffe | €250,000 | 2022 | Excessive retention; inadequate security; no DPO registration |
Pattern: Cookie consent, excessive data retention, and inadequate security are the three most-cited violation categories in CNIL decisions.
| Entity | Fine | Year | DPA | Primary Violation |
|---|---|---|---|---|
| Deutsche Wohnen | €900,000 (reduced from €14.5M) | 2019 | Berlin DPA (BlnBDI) | Excessive retention of tenant data — fine imposed 30 Oct 2019, annulled by the Berlin Regional Court in 2021; after CJEU ruling C-807/21 (2023), re-set at €900,000 in 2026 (court statement) |
| Google Fonts sites | €100 damages (one plaintiff) | 2022 | LG München | IP address transfer without consent (Google CDN) |
| Knuddels | €20,000 | 2018 | LfDI Baden-Württemberg | Passwords stored in plain text (Art. 32 GDPR) — the first GDPR fine issued in Germany |
| Multiple SMEs | €1,000–€5,000 each | 2023–2024 | Abmahnung | Impressum violations; Widerrufsbelehrung errors |
Violation: Criteo processed visitor data from partner websites without valid consent. The cookie consent mechanisms on partner sites did not meet GDPR requirements; Criteo treated insufficient consent as valid consent.
What went wrong: Invalid consent collection; failure to verify partner consent; inadequate data subject information; failure to honor withdrawal requests.
Lesson: If ad-tech or analytics partners collect data through your site, you share responsibility for how that consent is collected. "We use a third-party tool" is not a defense.
→ For your site: Check every ad network or analytics script running on your site. If any fire before consent, you are in the same position Criteo's partner sites were in.
Violation: The French health content publisher retained user data far beyond what was necessary, processed health-related data without the consent safeguards Article 9 requires, had inadequate security and joint-controller arrangements, and deposited cookies before consent — some continuing to run after users refused them.
Lesson: CNIL decision SAN-2023-006 found violations in data retention, health-data consent, security, and cookie timing — not a single banner-design flaw. If your site processes health or other sensitive data, retention limits and consent scope deserve as much scrutiny as your cookie banner.
→ For your site: Check how long you retain user data, confirm any health or sensitive data has its own explicit consent basis, and make sure cookies aren't set before consent — or still active after someone refuses them.
Violation: NS Cards France (operator of the Neosurf prepaid payment service) retained user account data for around ten years, used weak password rules with an obsolete hashing function, and set Google Analytics cookies before obtaining consent.
Lesson: Define and enforce data retention periods, require strong passwords stored with a modern hashing function, and don't load analytics cookies before the user consents.
Violation: Collected excessive personal data from job applicants through web forms; retained data beyond necessary periods; had an inadequate privacy policy.
Lesson: Career pages and application forms are subject to the same GDPR requirements as customer-facing pages.
Violation: Data breach exposing sensitive health data of approximately 500,000 patients. Root causes: inadequate security, absence of encryption, lack of data minimization.
Lesson: Health data carries a significantly higher fine ceiling under GDPR Art. 9. Data security is a compliance issue, not just an IT issue.
Violation: The chat platform Knuddels stored user passwords in plain text; a breach exposed the data of roughly 330,000 users. The LfDI Baden-Württemberg fined the company €20,000 (LfDI press release, 21 November 2018) under Art. 32 GDPR — the first GDPR fine issued in Germany.
Lesson: Store passwords hashed with a modern algorithm, never in plain text. The authority noted that the moderate amount reflected the company's exemplary cooperation and rapid security fixes.
Violation: A German court ruled that loading Google Fonts from Google's CDN violated GDPR — each page load transmitted visitor IP addresses to Google without consent.
Lesson: Self-host your fonts. This takes less than an hour and eliminates the risk entirely.
Violation: Failure to respect data subject rights (access and erasure) and inadequate data security — including weak passwords and passwords stored or transmitted in clear text.
Lesson: Honoring access and erasure requests on time, and storing passwords securely (strong rules, modern hashing), are compliance obligations in their own right — independent of any breach.
Violation: Consumer protection associations and competitors systematically scanned German SME websites for Impressum violations.
Lesson: German Abmahnung enforcement is private, systematic, and profitable for those filing it. You do not need to be investigated by a regulator.
→ For your site: Check your Impressum right now: legal company name, physical address (no PO box), phone number, email, commercial register entry, VAT ID, responsible person.
Violation: Incorrect or missing withdrawal/cancellation information (Widerrufsbelehrung) on German e-commerce sites.
Lesson: The Widerrufsbelehrung must use the official template. A common mistake: updating the AGB but forgetting the separately required withdrawal notice.
Violation: Excessive data retention periods; inadequate security; failure to register DPO with the CNIL where required.
Lesson: DPO registration is a compliance step many organizations miss.
CNIL's enforcement focus for 2025–2026 targets three areas:
| Violation Type | Appeared In | Notes |
|---|---|---|
| Cookie consent failures | Cases 1, 2, 6 | Most common automated-detection violation |
| Excessive data retention | Cases 3, 4, 8, 13 | Often accompanies other violations |
| Inadequate security | Cases 5, 8 | Higher fines; health data multiplier |
| Pre-consent tracking scripts | Cases 2, 6 | Technically verifiable; top enforcement pattern |
| Incomplete privacy policy | Cases 2, 4, 6 | Almost always a secondary violation |
| Private Abmahnung (Germany) | Cases 9–12 | No regulator required; fast, profitable for claimants |
Every violation in these 13 cases was detectable before enforcement. The pattern is consistent: the organization didn't know they had a problem until someone else found it.
For details on Abmahnung response: Received an Abmahnung? Here's What to Do in the Next 14 Days. For why German SMEs are disproportionately targeted: Why Small Businesses Are a Prime Target for Abmahnungen.
Are CNIL fines increasing year over year?
Yes. Total CNIL fine volume has trended upward since 2021, both in number of decisions and total amounts. The enforcement machinery is more automated than it was three years ago.
What's the difference between a CNIL fine and a German Bußgeld?
A CNIL fine is issued by the French DPA following a formal investigation. A Bußgeld is issued by a German DPA. A German Abmahnung is a private enforcement action — no regulator is involved; a competitor or consumer association sends it directly.
Can a small business really get fined by CNIL?
Yes. CNIL accepts complaints from individuals and follows up regardless of company size. The Abmahnung system in Germany is specifically effective against small businesses because the cost of challenging it often exceeds the cost of settling.
Is Google Fonts really a compliance risk?
In Germany, if you load Google Fonts from Google's CDN, yes. LG München ruled this violates GDPR in 2022. The fix is self-hosting — takes less than an hour.
What does a CNIL investigation actually cost beyond the fine?
Legal response costs for a formal CNIL inquiry typically start at €5,000–€15,000. Add operational disruption, management time, and any remediation work.
Related reading:
Sources: CNIL enforcement decisions (cnil.fr) · Berlin DPA (BlnBDI) decisions · LG München I Az. 3 O 17493/20 (Google Fonts) · DSK press releases · GDPR Articles 33, 83 · ePrivacy Directive Article 5(3)
🩸 — Sitetals Editorial