by Dr. Helmut Liebel / Marie Pfisterer
In its ruling of 25 July 2025 (W258 2299744-1), the Federal Administrative Court confirmed a fine of EUR 1.5 million against IKEA for unlawful video surveillance. The sum seems high, but is relatively low compared to the possible maximum amount. Because GDPR fines are based on global group turnover, IKEA could theoretically have paid up to EUR 1.77 billion (4% of EUR 44.3 billion). The fine imposed therefore corresponds to “only” 0.004 % of annual turnover. The case shows that even mild fines can quickly run into millions for company groups.
The catalyst was the incorrect alignment of several security cameras in the IKEA store at Vienna’s Westbahnhof. The cameras recorded not only customers entering their PINs at self-service checkouts, but also passers-by in the outdoor area (including the tram stop and underground station entrance).
Fines of up to EUR 20 million or up to 4 % of the previous financial year’s global annual turnover may be imposed for data protection violations (Art 83(5) GDPR) – the decisive factor is the “economic entity” (i.e. the entire company group). Violations by a subsidiary are therefore measured on the basis of the company group’s turnover (see CJEU, 5 December 2023, C‑807/21 – Deutsche Wohnen).
The specific amount within this framework depends on the severity of the infringement. Factors taken into account include: the nature, scope, and purpose of the processing; the number of data subjects affected; the duration; the amount of damage; the degree of fault; and the categories of data. In addition, there can be mitigating circumstances such as cooperation, or aggravating circumstances such as previous infringements (see EDPB Guidelines 04/2022 for details). The aim is to impose an effective, proportionate, and dissuasive sanction that is appropriate to the individual case.
In this specific case, the Federal Administrative Court classified the infringement as moderately serious. Although public areas were affected and many people were recorded, in fact only 9 of 133 cameras were involved. In addition, this was the first data protection violation, and IKEA cooperated closely with the authorities. Against this background, the fine of 0.004% of the group’s turnover is relatively low. At the same time, the fine illustrates that not only the specific violation matters, but above all the size of the (group) company involved.
Conclusion for practice:
Data protection violations are relevant across the entire company group. Even in the case of a local incident, the fine is based on the company group’s turnover; the amount can only be reduced to a limited extent by a lower degree of severity. Companies should therefore ensure group-wide data protection governance: centrally coordinate and document processes, technical tests, and controls. The IKEA case shows that even local negligence can lead to financial damage and reputational loss for the entire group.
An appeal has been lodged with the Supreme Administrative Court against the decision; the outcome remains to be seen. Regardless of this, data protection is a corporate obligation – not a marginal issue for individual locations.