While GDPR related fines to big companies like Amazon or Google have seen widespread media attention, data protection authorities have issued several hundred more penalties since 2018. This study analyzes 856 fines and their summaries provided by the CMS Law GDPR Enforcement Tracker. The exploratation fines in the light of data flows with a detailed categorization. The analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed. Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. The study clusters the most frequent words and analyze relations to understand where data controllers put personal data at risk. The results confirm that access management is a common problem that results in the unintended disclosure of data.
