Last year, we collected information on fines issued under the GDPR and the number of reported personal data breaches. We collected data for two time periods: May 2018 to November 2022, and January 2022 to November 2022.

The GDPR enables data protection authorities to apply fines of up to 4% of the total worldwide turnover of an undertaking in the preceding financial year or up to EUR 20 million, whichever is higher. The total value of fines issued in the Baltics from January 2018 to November 2022 was EUR 1,842,958. The largest fine was issued in Latvia, totalling EUR 1,200,000. In total, 130 fines were issued in the Baltics between May 2018 and November 2022.

Estonia: lowest value of fines in the Baltics

Estonia is among the EU countries with the lowest GDPR fines. This is partly due to the unique nature of its procedural rules: in Estonia, fines are applied only in misdemeanour proceedings. However, the Estonian Data Protection Inspectorate can also apply non-compliance levies (also called penalty payments) as an administrative measure if the entity under investigation does not comply with an administrative precept. The largest GDPR fine issued in Estonia was only EUR 280, while the largest enforced non-compliance levy was EUR 10,000.

From the date of application of the GDPR (25 May 2018) to November 2022, the total number of fines issued by the Estonian Data Protection Inspectorate was 29, while the number of enforced non-compliance levies was 18. The total value of all non-compliance levies issued was EUR 33,000. By comparison, the value of all fines issued was a mere EUR 1,924.

The total number of personal data breaches reported from May 2018 to November 2022 was 558, of which 114 were reported from January 2022 to November 2022.

Latvia: total value of fines the largest in the Baltics

In Latvia, the total value of fines issued from the date of application of the GDPR to November 2022 was the largest in the Baltics, EUR 1,596,534. The fines have increased over time – in 2018, a total of EUR 10,230 in fines was issued. This rose to EUR 1,220,259 in 2022, while at the same time the total number of fines decreased – from 12 to six. In total, 44 fines were issued from 2018 to November 2022.

From 2018 to November 2022, a total of 432 data breach notifications were reported. From January 2022 to November 2022, 74 personal data breach notifications were received by the authority.

Lithuania: largest number of personal data breaches reported

In Lithuania, the largest fine issued was EUR 110,000 and the total value of all fines was EUR 244,500. As in Latvia, the size of fines has increased. In 2019, the value was EUR 61,000, while by 2021 that sum had risen to EUR 160,000. A total of 57 fines had been issued by 2022.

Lastly, from May 2018 to December 2022, 953 personal data breaches were reported, of which 258 were reported from January 2022 to December 2022.