Google has become the first worldwide technology company to be fined for breaching the EU’s General Data Protection Regulation (GDPR). The €50 million (CZK 1,280,780,000) fine was imposed by French regulator CNIL at the beginning of this year based on complaints relating to how Google processed the personal data of data subjects. The common opinion is that this case is only the tip of the iceberg and it is considered as the first warning to large administrators and processors of data in the world since the financial consequences of breaching GDPR rules may be serious. The maximum amount of fines under the GDPR is €20 million or in the case of an undertaking 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the other EU countries as well, the data protection authorities are starting to impose sanctions under the GDPR. The most common identified transgressions are the lack of transparency and information on processing and invalid consent (the Google case) or inefficient data minimization and insufficient data security (other cases). With the adoption of the new Act on Personal Data Processing and the expiration of one year from the GDPR coming into effect, a change in the approach of the Czech Office for Personal Data Protection, which has not yet imposed any significant sanctions under the GDPR, can be expected.