26
Wed, Feb

GDPR Fines and Data Breach Trends in the CEE Region

Data Protection

The latest DLA Piper GDPR Fines and Data Breach Survey provides a comprehensive overview of data protection enforcement trends across Europe, including the Central and Eastern European (CEE) region. CEE countries are in the mid-range in terms of total GDPR fines imposed since the regulation became applicable in 2018 and for last year, but enforcement activity is steadily increasing. Here are the latest trends and legal developments in Austria, the Czech Republic, Hungary, Poland, Romania, and Slovakia.

In terms of total GDPR fines imposed from 25 May 2018 to date, CEE countries are in the middle of the ranking of 31 European countries.* Austria leads the region, ranking 9th with EUR 44,816,915 in fines, followed by the Czech Republic (13th, EUR 12,123,489), Poland (15th, EUR 6,919,077), Hungary (17th, EUR 4,170,000), Romania (21st, EUR 2,086,318) and Slovakia (26th, EUR 644,247).

In contrast, Ireland and Luxembourg dominate the rankings with EUR 3,507,481,500 and EUR 746,380,875 in fines, respectively. These exceptionally high figures are mainly because the European headquarters of major technology giants such as Meta are located in these countries. Liechtenstein recorded the smallest total fines, amounting to just EUR 28,107.

In Romania, the Data Protection Authority has maintained its approach of issuing numerous but relatively low fines throughout 2024, solidifying its position as one of the most active regulators in the EU.

The report also provides insights into the total number of personal data breach notifications between May 2018 and January 2025, where Poland stands out significantly, ranking third with 70,204 breach notifications. Other CEE countries are in the mid-range, with reported data breaches ranging between 800 and 7,000.

Technology and financial sectors face high fines

Since the GDPR was introduced, companies in the technology, social media, and financial sectors have been among the most heavily fined entities. Given the vast amounts of personal data these businesses handle and their widespread consumer impact, regulators continue to closely monitor and assess their data processing practices.

In 2024, one of the most notable enforcement actions in these sectors occurred in the Czech Republic. The Czech Office for Personal Data Protection (Czech DPA) imposed a fine of CZK 351 million (EUR 14 million) on Avast Software, a cybersecurity company, for transmitting around 100 million users' pseudonymized internet browsing data to its subsidiary, Jumpshot, Inc. The Czech DPA determined that Jumpshot unlawfully shared this data with marketers to track online consumer behaviour. Avast misled users by falsely claiming the data transfers were anonymous and solely for trend analysis. In reality, the data wasn't properly anonymized and allowed for re-identification. Avast also processed the data for consumer tracking without a legal basis.

In Poland, the President of the Personal Data Protection Office (PUODO) imposed administrative fines on several large international banks, including issuing a fine of EUR 870,000 for failing to notify customers of a data breach.

In Hungary, significant fines were imposed in recent years on companies for unlawful video surveillance practices. The Hungarian National Authority for Data Protection and Freedom of Information focused on data subject access rights, the data processing activities of health service providers and data breaches.

Recent legal developments

Beyond enforcement actions, the Czech DPA continued its methodological activities by issuing guidance on the recommended use of camera systems in public spaces, schools, and on processing drone camera recordings.

An important legal development in Austria in the past year relates to data subjects' rights, which have been extended to legal entities. The discourse on the application of the GDPR to legal entities has been ongoing in Austria since 2018, but the specific application of data subject rights is a recent development. The initial decision by the Data Protection Authority (DPA) dates back to October 2023, but the court’s decision in the appeals procedure, which upheld the DPA’s stance, was issued in 2024.

What to expect in 2025?

The “consent or pay” model is expected to remain a key regulatory focus in 2025, both in Europe and the CEE region. Under this model, users can choose between two options: consent to the use of their personal data for behavioural advertising or pay for the service.

Following the European Data Protection Board’s (EDPB) opinion on the model, the Czech DPA issued a preliminary measure against Seznam.cz, the Czech Republic's leading search engine and app provider, requiring it to stop processing personal data obtained through consents where the only alternative was paid access. Investigations into similar practices by major media companies are ongoing.

The EDPB’s long-awaited opinion on AI-related data processing, published in December, didn’t provide definitive guidance, leaving room for uncertainty regarding the lawful use of personal data in AI models. With AI adoption expanding rapidly across industries, European regulators are expected to intensify investigations and enforcement actions related to AI-driven data processing. As a result, businesses leveraging AI for data analytics, automation, and customer interactions should prepare for heightened scrutiny and ensure their AI models align with GDPR requirements.

*DLA Piper's seventh annual survey takes a look at key GDPR metrics across the European Economic Area (EEA) and the UK since GDPR first applied and for the current year to 27 January 2025. The EEA includes all 27 EU member states, plus Norway, Iceland and Liechtenstein.

By Sabine Fehringer, Partner, Austria, Tomas Scerba, Partner, Czech Republic, Zoltan Kozma, Partner, Head of IPT, Hungary, Ewa Kurowska-Tober, Partner, Head of IPT, Poland, Irina Macovei, Counsel and Andrei Stoica, Senior Associate, Romania, and Eva Skottke, Legal Director, Slovakia, DLA Piper