No legal repercussions.
I did some consultancy for the NHS (hint for anyone in IT: DON'T) and tried to whistle-blow the absolute shocking state of patient confidentiality. Nurses would routinely look up things to use or for gossip or leverage over people. For example, one nurse was able to access patient details to help her friend get ammunition in a divorce and custody battle. Another used it for playground gossip against a mother who had offended her and spread around that she was on antidepressants. When I started the complaint (giving multiple examples), they closed ranks and decided my claims were due to "miscommunication" and/or were fabricated. I could prove this data had been accessed and who had accessed it on the system's audit trail. Nothing was done. They have policies in place stating not to do that, but they were routinely ignored.
Same with the police. Officers were using police databases to stalk and harass exes, exes new partners or neighbours who had pissed them off. The Independent Police Complaints Commission are a joke and are staffed by ex police officers who had personal relationships with the people involved. The complaint was closed and I received a letter months later thanking me for withdrawring my complaint. I never withdrew the complaint and was informed that I had and I was unable to open it up again. This was 10 years ago and I haven't worked for any police department since or relied on the police for anything.
GDPR and data protections laws are all well and good, but without enforcement they are meaningless.
It was McDonalds. They had collection boxes for Mcdonalds Children's charity.