17 June 2025

Data protection in focus: GDPR fines in May 2025

Data protection: a necessity in the digital world

In today’s digital world, data protection is crucial to protect privacy, build trust and safeguard sensitive information from misuse or security breaches. Compliance with regulations such as the General Data Protection Regulation (GDPR) is essential to uphold ethical standards and protect the rights of individuals. In May 2025, significant fines were again imposed for breaches of the GDPR. Here are the five biggest cases:

TikTok: 530 million euro fine in Ireland

The Irish Data Protection Commission has fined TikTok 530 million euros. The reasons are unlawful transfers of user data to China and a lack of transparency in TikTok's privacy policy. TikTok failed to ensure that the data transfers met the requirements of EU law, in particular Article 46 GDPR. In addition, until the end of 2022 the privacy policy was not transparent enough, as it did not name the recipient countries, such as China, and described the type of data processing insufficiently. The fine consists of €485 million for the breach of Article 46 and €45 million for the lack of transparency under Article 13(1)(f) GDPR. TikTok was also ordered to bring its data processing into compliance within six months to prevent further unlawful transfers.

Luka Inc.: 5 million euro fine in Italy

On April 10, 2025, the Italian data protection authority GPDP fined Luka Inc., operator of the AI chatbot Replika, 5 million euros. Luka violated key provisions of the GDPR, in particular the requirements for transparency, a valid legal basis for data processing and the protection of minors. It lacked a clear and complete privacy policy, effective age verification mechanisms and a transparent presentation of the purposes and legal bases of its data processing. Despite subsequent adjustments, significant deficiencies remained at the time of the decision. In addition to the fine, the authority ordered the publication of the decision and the rectification of the data protection measures.

ING Bank N.V.: 1.6 million euro fine in Spain

The Spanish data protection authority AEPD imposed a fine of EUR 2 million on ING Bank N.V., which was reduced to EUR 1.6 million through voluntary payment. The reason was a breach of Article 6(1) GDPR. When opening bank accounts online, ING had required customers to accept a clause authorizing ING to obtain information about their economic activity from the Spanish Social Security administration. The AEPD found that this consent was not freely given within the meaning of the GDPR, as it was mandatory for concluding the contract and no alternative means of verification was offered. The processing was therefore carried out without a valid legal basis. ING invoked its legal obligations to prevent money laundering, but the authority ruled that where such an obligation exists, customer consent is not the applicable legal basis.

Tagadamedia: 900,000 euro fine in France

On May 15, 2025, the French data protection authority CNIL imposed a fine of 900,000 euros on the company Tagadamedia. The company runs numerous online competitions and processed users' personal data for advertising purposes without informing them with sufficient transparency about the specific processing purposes and recipients. In addition to the violations of Articles 5 and 6 GDPR, the CNIL found that there was no valid consent within the meaning of the GDPR, as it was neither specific nor sufficiently informed. Furthermore, data subjects had no effective way to object to the transfer of their data to numerous partner companies.

Credifimio: 120,000 euro fine in Spain

The Spanish data protection authority AEPD imposed a fine of 200,000 euros on Credifimio, which was reduced to 120,000 euros through payment and acknowledgement of responsibility. The case concerned the unlawful reporting of a person as a guarantor in default of payment to the credit reference agency ASNEF, although the person concerned had never been properly informed of the possible data transfer and a court had established that the debt in question did not exist. Credifimio was unable to demonstrate a valid basis for the data processing; in particular, there was no evidence of a correct payment demand procedure or of lawful notification pursuant to Article 20 LOPDGDD. The breach of Article 6 GDPR was considered serious, as fundamental obligations regarding lawfulness and transparency were violated.

Conclusion

The recent fines underline the need for strict compliance with the GDPR. Companies must ensure transparency and security in their data handling processes to minimize legal risks and maintain customer trust. Organizations like Syngenity® can help companies strengthen their data protection practices and ensure compliance. It is crucial to keep up to date with developments in the GDPR and its impact on businesses worldwide.