So far, few fines have been imposed across Europe since the GDPR came into force. In just the last few weeks, however, we have been observing greater activity by the supervisory authorities. Here is a brief overview of the penalties imposed to date.
In September 2018, the Austrian data protection authority imposed the first administrative penalty. The violation consisted of extensive surveillance of the public space in front of a betting pub in Styria. The fine is moderate and amounts to EUR 4,800 plus procedural costs. Further details can be found in the following commentary:
A substantial fine was imposed on a hospital near Lisbon for a GDPR violation: EUR 400,000 for an inadequate authorisation concept and unrestricted handling of patient data. An article from IAPP provides further details on this case:
A fine of EUR 20,000 was imposed on the chat platform Knuddels.de for the unencrypted storage of 1.8 million user passwords. This is the first penalty under the GDPR in Germany. The authority could have imposed a significantly higher fine, but Knuddels cooperated closely with the authority in clarifying the incident: following a data leak caused by a hacker attack in September, around 808,000 e-mail addresses and 1,872,000 pseudonyms and passwords had been published online. According to the managing director, the company has emerged stronger from the attack because “Knuddels is now safer than ever”.
Further details on the Knuddels data protection incident can be found in this article: