Main takeaways
There was only a moderate increase in the number of fines imposed compared to 2024.
The most common reason for fines in the healthcare sector continues to be the lack of sufficient technical and organizational measures (TOMs).
This remained a common issue across many healthcare institutions and without a particular regional focus.
In particular, the average fine for TOMs has increased significantly compared to the previous year, and a seven-figure fine was imposed.
In the seven years since the General Data Protection Regulation (GDPR) became applicable, its powerful framework for imposing fines has certainly helped to raise awareness and encourage compliance efforts – just as the European legislator intended. At the same time, the risk of fines of up to €20m ($23m) or 4% of a company’s global annual turnover can also lead to fear and reluctance or ignorance about compliance issues.
The GDPR Enforcement Tracker Report (ETR), researched and published by CMS, is an annual deep dive that provides insights into the world of GDPR fines. The 2025 ETR covers fines from 2024 up to March 2025.
GDPR enforcement in healthcare
In the life science and healthcare sector to date, data protection authorities (DPAs) from 27 different countries have imposed 237 fines (+35 compared to the 2024 ETR) totalling approximately €22.8m ($26.1m) (+€6.3m ($7.23m) compared to the 2024 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers.
The number of new fines issued in 2024 in the healthcare sector is 17% lower than in the previous reporting period. This means that the halt in the strong growth in the number and sum of fines, which was already apparent in the last two years, continues.
The most common reason for fines was the lack of sufficient technical and organizational measures (TOMs), with a total number of 83 fines (+12 compared to the 2024 ETR) and a total volume of €16.3m ($18.7m).
With an average of €203,423 ($233,445) per fine, TOM fines in 2024 are exorbitantly higher than in the previous year (€17,500 ($20,082)). In contrast to the previous year, in which no exceptionally high fines were imposed and the highest fine was €81,000 ($92,954), in 2024 a seven-figure fine of €3.2m ($3.7m) was imposed.
Regarding the countries from which the fines originated, Italy again takes the lead with 87 fines issued in 2024. The runners-up are Germany with 25 and Spain with 23 fines issued.
Let’s take a closer look
- The biggest healthcare case in 2024 (ETid-2449) originated in Sweden with a fine of €3.2m ($3.7m). The data controller, a pharmacy, had used the so-called Meta Pixel on its website, which, due to incorrect settings, resulted in customers’ personal data being transmitted to Meta. The data controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data.
During its investigation, the Swedish DPA found that the controller had failed to implement appropriate technical and organizational measures for the protection of personal data to avoid such an incident. In a similar case (ETid-2450), it fined another controller €698,000 ($801,014) for the same breach.
- The French DPA (CNIL) imposed a fine of €800,000 ($918,068) (ETid-2542) on a company which publishes and sells management software for general practitioners working in surgeries and health centres. The company had transferred patient data to its customers for research purposes without authorization and without proper anonymization. The data was used to carry out studies and produce statistics in the health sector. The data did not contain any names or immediately identifying information.
However, the authority found that the data was not anonymous, but merely pseudonymous, since it was technically possible to re-identify the data subjects.
- Cybersecurity continued to play a major role in 2024. The following cases from Belgium, Poland and Croatia serve to show the importance of sufficient TOMs.
In the first case (ETid-2521), the Belgian DPA (APD) fined a hospital €200,000 ($229,517) for suffering a ransomware attack through a server vulnerability. This paralyzed parts of its computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment and did not have an adequate information security policy. It had also failed to implement appropriate TOMs, such as employee training and a process for updating its IT equipment.
In the second case (ETid-2428), the Polish National Personal Data Protection Office (UODO) fined a company €336,000 ($385,588). The company also suffered a ransomware attack resulting in the loss of personal data because it had not taken appropriate TOMs to protect personal data, thereby allowing such an attack to occur.
In the third case (ETid-2494), the Croatian DPA (AZOP) issued a fine to a hospital in the amount of €190,000 ($218,041) for the irrevocable loss of radiological image files. The hospital had failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data had been made.
- The Italian DPA (Garante) issued several fines for data protection violations relating to email. In one case (ETid-2245), the Garante imposed a fine of €300,000 ($344,275) on a medical technology company that manufactures medical devices for monitoring, preventing and treating various diseases.
The controller had sent emails to hundreds of users of its blood glucose monitoring app with the recipients’ email addresses visible to one another, allowing some recipients to infer that others had diabetes. The controller also failed to adequately inform data subjects about the processing of their personal data.
In another case from Italy (ETid-2408), the Garante issued a fine of €8,400 ($9,639) against a company that sent an email containing information on medical treatment plans to several patients in an open distribution list, which allowed all 44 recipients to see each other’s email addresses.
For inadvertently sending health data to the wrong recipient (ETid-2268), the Garante issued a fine of €18,000 ($20,656) to a healthcare institution.
This information is reproduced from the CMS GDPR Enforcement Tracker Report 2025.
Martin Kilgus advises medium-sized and listed companies on software licensing and outsourcing projects. His IT and data protection law expertise is also regularly sought after in the context of M&A transactions and compliance projects.
