Past GDPR Enforcement Actions 2018 - May 2020
Since GDPR rolled out, there has been growing number of data breach notifications, a number of which are starting to result in significant GDPR fines.
We started to see a lot more momentum in 2019 around GDPR fines issued.
In January 2019, Google was fined 50 million euros by the French data regulator CNIL, for a breach of the EU’s data protection rules.
In March 2019, the Danish Data Protection Agency set a taxi company a fine of DKK 1.2 million and the Polish Supervisory Authority issued a fine of 220,000 euros for data scraping.
In April, Romania’s National Supervisory Authority fined Unicredit Bank S.A. $146,000 as a result of the failure to apply appropriate technical and organizational measures
In May 2019, the Lithuanian State Data Protection Inspectorate imposed an administrative fine on MisterTango UAB in the amount of EUR 61,500.
In June 2019, Spain issued a fine of 250,000 euros to La Liga soccer league for monitoring soccer games for piracy and France issued the real estate company Sergic a fine of 400,000 euros for allowing the access of their websites without user authentication.
July 2019 marked some of the largest GDPR fines to date.
The U.K.’s Information Commissioner’s Office (ICO) fined British Airways £183.4 million (U.S. $230 million) and Marriott £99.2 million (U.S. $124 million) for data breach-related violations. The penalties were the two largest issued under the EU’s data protection regulation thus far.
Also in July, the Netherlands fined a Dutch hospital 460,000 euros over lax controls over patient records. In addition, The French CNIL pronounced a sanction of 180 000 euros against the company ACTIVE INSURANCES for having insufficiently protected the data of the users of its website.
In August 2019, a Polish retailer gets a 645,000 euro fine under GDPR for “insufficient organizational and technical safeguards”. Also in August, a Swedish school board was fined for using facial recognition to take class roll call.
Just a few months after GDPR took effect, in July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400,000 euros on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).
Demonstrating that even small businesses are impacted, in October 2018, the Austrian DSB issued a small business a 4,800 euro fine for installing a CCTV camera that also recorded the public space in front of his business.
In November 2018, a German social media platform called Knuddels.de was fined 20,000 euros following a breach that exposed the personal information of 330,000 users, including their passwords and email addresses
GDPR Fines Gain Momentum in Third Quarter
On October 16, 2019, the joint body of German data protection authorities, known as the Datenschutzkonferenz (DSK), published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.
October also saw the first multi-million dollar fine in Germany, as the Berlin DPA said that Deutsche Wohnen had to pay a 14.5 million euros penalty for not having a proper data retention schedule in place.
On October 25, the Spanish Data Protection Authority levied a fine of 35,000 euros on Vodafone Espana for insufficient legal basis for data processing.
On October 31, The Netherlands levied a 900,000 euro fine against Dutch employee insurance services provider UWV for inadequate security of the online employee portal.
In October 2019, Facebook agreed to pay the fine announced by the ICO in July 2018 related to the Cambridge Analytica data protection violations in 2015. Since the action occurred before the implementation of GDPR, the maximum possible fine the ICO could levy was £500,000. If the offences had occurred after May 2018, the potential fine could have been much higher – up to 4% of Facebook’s annual turnover.
During November, the Romanian National Supervisory Authority for Personal Data Processing levied fines on 4 entities:
- 2,500 euros against the Royal President for refusing a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects.
- 80,000 euros against ING Bank N.V. Bucharest for not taking appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers
- 11,000 euros gain a courier services company for failure to take appropriate technical and organisational measures leading to the loss and unauthorised access to personal data of approximately 1,100 data subjects
- 2,000 euros against BNP Paribas Personal Finance S.A. for failure to react to a request for erasure within the period set by the GDPR.
In November, the Spanish Data Protection Authority (aepd) levied fines on a number of different entities:
- 1,500 euro fine to Cerrajero Online for collecting personal data with insufficient legal basis
- 900 euro fine to TOTO TECNICOS24H S.L for collecting personal data with insufficient legal basis
- 3,000 euro fine to General Confederation of Labour for revealing personal data in a mailing without consent
- 30,000 euro fine again Telefonica SA for non-compliance with general data processing principles
- Xfera Moviles SA was fined 60,000 euros for lack of technical and organizational measures (TOMs) to ensure information security
- Corporación radiotelevisión espanola was fine 60,000 for lack of technical and organizational measures (TOMs) to ensure information security
The Belgian Data Protection Authority (APD) issued a 5,000 euro fine on a municipal alderman and same to a mayor for sending election mailings without sufficient legal basis.
In November France’s CNIL fined Futura Internationale the second largest fine, 500,000 euros, for cold calls after several complainants obtained cold calls, despite having declared directly to the caller and by post that this was not wanted, failing to implement proper data transfer mechicanisms, and failing to cooperate with CNIL.
December saw a number of fines and penalties leveraged, including The Spanish Data Protection authority gave Ikea Iberica a 10,000 euro fine for installed cookies on an end users terminal device without prior consent of the data subject.
On December 3, the German data protection authority imposed a fine of 105,000 euros on a hospital for several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This revealed structural technical and organisational deficits in the hospital’s patient management.
On December 4, the Romanian data protection authority imposed a sanction of 20,000 euros on an airline because it has not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions the GDPR.
On December 9th the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, imposed a fine of €9.5 million on the telecommunications service provider 1&1 Telecom GmbH (1&1) for allegedly failing to adequately protect its customer data.
Ireland’s privacy supervisory authority, the Data Protection Commission (DPC) was due to announce in December whether WhatsApp had broken the General Data Protection Regulation (GDPR) by not giving people enough clear information about how it uses their personal data. The new draft decision will now likely be in January 202 (Fox, 2019).
In summary, looking back at GDPR fines so far, we are seeing momentum building up this year. With thousands of complaints issued in recent months, 2020 promises to be very interesting with regards to GDPR fines.
Worried about GDPR compliance? It’s not too late. Contact us today to discuss how you can be compliant in 2020.
- C. Fox (2019): Google hit with £44m GDPR fine over ads (found at: bbc.com/news/technology-46944696)
Privacy is often associated with security in popular literature and the media, consumers assume that they are the same thing, when they are not.What is Privacy Software?
Data protection requirements have become so complex that even small and medium-sized companies need a data protection tool.Cybersecurity and Privacy Solutions in Smart Cities
The impact of privacy law on Smart Cities application is discussed, as is the potential for off specification data collection that may be a target for hacking.