3 Examples of Non-Compliance with GDPR

The General Data Protection Regulation (GDPR), introduced by the European Union in May 2018, transformed how organizations worldwide handle personal data. With its stringent requirements and potential fines of up to €20 million or 4% of annual global turnover, GDPR compliance is non-negotiable for businesses processing EU residents’ data. Yet, despite its clarity, non-compliance remains common—sometimes due to ignorance, other times due to negligence or cutting corners.

This article delves into three fictional but plausible examples of GDPR non-compliance: a small fitness app startup, a mid-sized retail chain, and a large financial institution. Each case highlights specific violations, their repercussions, and how they could have been avoided. These examples serve as cautionary tales and learning opportunities for organizations aiming to stay on the right side of the law.


Understanding GDPR Non-Compliance

Before exploring the examples, let’s define non-compliance. GDPR sets out principles (Article 5) like lawfulness, transparency, and accountability, alongside specific obligations—such as obtaining consent (Article 7), securing data (Article 32), and reporting breaches (Article 33). Non-compliance occurs when an organization fails to meet these standards, whether through inadequate processes, poor oversight, or outright disregard.

The consequences can be severe: fines, reputational damage, legal battles, and loss of customer trust. With this in mind, let’s examine our three examples.


Example 1: FitTrack – The Overzealous Fitness App

Context

FitTrack is a startup based in Ireland, launched in 2023, offering a fitness app with 50,000 EU users. The app tracks steps, heart rate, and diet, using data to recommend workouts and sell premium subscriptions. Eager to grow, FitTrack’s small team prioritizes features over compliance.

The Violation

FitTrack’s troubles begin with its data collection practices:

  • Lack of Consent: The app’s sign-up process pre-ticks boxes for data sharing with “marketing partners” (third-party advertisers), violating GDPR’s requirement for freely given, specific, and unambiguous consent (Article 7).
  • Excessive Data Collection: FitTrack collects location data 24/7, even when users aren’t exercising, without a clear lawful basis (Article 6). The privacy policy vaguely states it’s “to improve services,” failing the transparency test.
  • No Data Protection Officer (DPO): Despite processing health data—a “special category” under Article 9—FitTrack hasn’t appointed a DPO, mandatory for such activities (Article 37).

In early 2025, a user notices targeted ads for diet pills after logging meals, sparking complaints to Ireland’s Data Protection Commission (DPC).

The Consequences

The DPC investigates and finds multiple breaches:

  • Fines: FitTrack is fined €500,000 (scaled to its €1.2M revenue) for unlawful processing and consent violations.
  • Injunction: The DPC orders FitTrack to halt data sharing until compliant, stalling its ad revenue stream.
  • User Backlash: A viral social media campaign (#FitTrackFail) leads to 10,000 users deleting the app, slashing growth.

Root Causes

FitTrack’s non-compliance stems from:

  • Startup Mentality: Prioritizing speed over governance, assuming “small size” excuses compliance.
  • Misunderstanding Consent: Pre-ticked boxes are a clear GDPR red flag, yet FitTrack copied this from a competitor’s template.
  • Ignoring Special Data: Health data demands extra care, which FitTrack overlooked.

Lessons Learned

FitTrack could have avoided this by:

  • Implementing an opt-in consent mechanism with clear explanations.
  • Limiting data collection to what’s necessary (data minimization, Article 5(1)(c)).
  • Appointing a part-time DPO or outsourcing compliance (€5,000-€10,000/year).

Outcome

FitTrack scrambles to comply, but the damage—financial and reputational—sets it back years. This example underscores that even small players can’t dodge GDPR’s reach.


Example 2: StyleHaven – The Careless Retail Chain

Context

StyleHaven is a mid-sized fashion retailer with 20 stores across France and Spain, employing 300 staff. It runs a loyalty program collecting names, emails, purchase histories, and birthdays for discounts. In 2024, it launches an online store, amplifying its data footprint.

The Violation

StyleHaven’s non-compliance emerges from sloppy security and breach handling:

  • Inadequate Security: The online store’s database, hosted on a cheap server, lacks encryption or regular updates, breaching Article 32’s requirement for “appropriate technical measures.”
  • Breach Mismanagement: In March 2025, a hacker exploits a known vulnerability, stealing 100,000 customers’ data. StyleHaven delays notifying France’s CNIL (data protection authority) for 10 days—far beyond the 72-hour window mandated by Article 33—hoping to fix it quietly.
  • No Risk Assessment: StyleHaven never conducted a GDPR risk assessment or DPIA (Article 35), despite scaling to e-commerce, a high-risk activity.

A whistleblower leaks the breach to the press, triggering regulatory and public scrutiny.

The Consequences

The CNIL imposes a hefty penalty:

  • Fines: €2M for the security failure and €500,000 for late breach reporting, totaling €2.5M (3% of €83M turnover).
  • Legal Costs: Class-action lawsuits from affected customers add €1M in damages and fees.
  • Reputation Hit: Sales drop 20% as shoppers abandon StyleHaven for safer competitors.

Root Causes

StyleHaven’s downfall traces to:

  • Cost-Cutting: Choosing a budget server (€50/month) over a secure one (€200/month) ignored GDPR’s risk-based approach.
  • Poor Incident Response: Panic and indecision delayed breach reporting, compounding the violation.
  • Compliance Blind Spot: No one in management understood GDPR’s e-commerce implications.

Lessons Learned

StyleHaven could have prevented this by:

  • Investing in basic security (encryption, firewalls) for €5,000-€10,000 upfront.
  • Training staff on breach protocols and appointing a response team.
  • Conducting a DPIA before launching online, identifying vulnerabilities early.

Outcome

StyleHaven survives but spends 2025 rebuilding trust and infrastructure. This case highlights how neglecting security and preparedness can spiral into a compliance nightmare.


Example 3: FinanceCorp – The Arrogant Multinational

Context

FinanceCorp is a UK-based financial services giant with 10,000 employees and €5B in revenue, offering loans and insurance across the EU. It processes millions of records—names, financial histories, credit scores—and transfers data to its US parent company.

The Violation

FinanceCorp’s non-compliance is systemic and brazen:

  • Unlawful Data Transfers: Post-Schrems II (2020), which invalidated the EU-US Privacy Shield, FinanceCorp continues transferring EU customer data to the US without updated safeguards, breaching Chapter V (Articles 44-46).
  • Ignoring Rights Requests: When users submit Subject Access Requests (SARs) under Article 15, FinanceCorp routinely delays responses beyond the 1-month deadline or provides incomplete data, citing “system limitations.”
  • Profiling Without Notice: FinanceCorp uses AI to profile customers for loan eligibility, but its privacy policy doesn’t disclose this automated decision-making, violating Article 22.

In mid-2025, a privacy advocacy group files a complaint with the UK’s ICO after documenting 50 ignored SARs.

The Consequences

The ICO delivers a blockbuster response:

  • Fines: €20M (the maximum) for data transfer violations, plus €5M for SAR and profiling breaches—€25M total.
  • Regulatory Orders: FinanceCorp must halt US transfers and overhaul its rights-handling process, costing €10M in compliance upgrades.
  • Market Impact: Share prices drop 15%, wiping out €750M in value, as investors fear further scrutiny.

Root Causes

FinanceCorp’s failures stem from:

  • Arrogance: Assuming its size and legal team could navigate or challenge GDPR rules.
  • Outdated Practices: Relying on pre-Schrems II transfer mechanisms despite clear legal shifts.
  • Customer Disregard: Prioritizing efficiency over user rights, a cultural flaw.

Lessons Learned

FinanceCorp could have mitigated this by:

  • Adopting Standard Contractual Clauses (SCCs) and encryption for transfers (€100,000-€200,000 setup).
  • Automating SAR responses with dedicated software (€50,000/year).
  • Updating its privacy notice and offering profiling opt-outs (minimal cost).

Outcome

FinanceCorp pays dearly, both in fines and credibility. This example shows that even giants aren’t immune to GDPR enforcement when they flout core principles.


Comparing the Examples

Aspect        FitTrack               StyleHaven               FinanceCorp
Size          Small (startup)        Medium (300 staff)       Large (10,000 staff)
Violation     Consent, health data   Security, breach delay   Transfers, rights, profiling
Fine          €500,000               €2.5M                    €25M
Root Cause    Ignorance              Negligence               Arrogance
Cost to Fix   €5K-€10K               €10K-€20K                €150K-€250K

These cases illustrate a spectrum of non-compliance: startups tripping over basics, mid-sized firms faltering on execution, and corporates stumbling through hubris.


Common Threads in GDPR Non-Compliance

Across these examples, patterns emerge:

  1. Underestimating GDPR: All three assumed partial compliance was enough—FitTrack with consent, StyleHaven with security, FinanceCorp with transfers.
  2. Reactive Mindset: Waiting for complaints or breaches to act, rather than proactively assessing risks.
  3. Cost Avoidance: Skimping on upfront investments (DPOs, security, legal advice) led to exponentially higher penalties.

How to Avoid Non-Compliance

Drawing from these failures, here are actionable steps:

  1. Educate Your Team: Ensure staff understand GDPR’s scope—training costs less than fines.
  2. Audit Regularly: Map data flows and assess risks annually or after major changes.
  3. Invest in Basics: Consent tools, encryption, and breach plans are non-negotiable.
  4. Respond Swiftly: Address breaches and rights requests within legal timelines.
  5. Seek Expertise: For complex issues (e.g., transfers), consult lawyers or consultants.

Conclusion

GDPR non-compliance isn’t just a legal misstep—it’s a business risk with cascading effects. FitTrack’s user exodus, StyleHaven’s sales slump, and FinanceCorp’s market hit prove that data protection failures ripple beyond fines. As of April 2025, with regulators sharpening their enforcement and consumers growing savvier, the stakes are higher than ever. These examples aren’t just warnings—they’re blueprints for what not to do. Compliance isn’t optional; it’s a foundation for trust and survival in a data-driven world.