GDPR fines imposed to date
As 2019 draws to a close, it is worth noting that fines for breaches of the GDPR have gathered momentum. Since the GDPR took effect in May 2018, the number of reported data protection breaches has risen sharply, and some of those reports have resulted in substantial fines.
GDPR fines in 2019
In 2019, we recorded a significant increase in the number of GDPR fines imposed.
In January 2019, Google was fined EUR 50 million by the French data protection authority CNIL for a breach of EU data protection regulations.
In March 2019, the Danish Data Protection Authority fined a taxi company DKK 1.2 million, and the Polish supervisory authority imposed a fine of around EUR 220,000 on a company that had collected personal data without informing the data subjects concerned.
In April, the Romanian National Supervisory Authority imposed a fine of EUR 130,000 (around USD 146,000) on Unicredit Bank S.A. for failing to take appropriate technical and organizational measures.
In May 2019, the Lithuanian state data protection authority imposed a fine of EUR 61,500 on MisterTango UAB.
In June 2019, the Spanish authority fined the soccer league La Liga EUR 250,000 over its use of the league's mobile app to monitor for unlicensed broadcasts of matches, and the French CNIL fined the real estate company Sergic EUR 400,000 for leaving documents uploaded by its users accessible on its website without authentication.
In July 2019, some of the largest fines since the introduction of the GDPR were imposed.
The UK Information Commissioner's Office (ICO) announced its intention to fine British Airways £183.4 million (about USD 230 million) and Marriott Hotels £99.2 million (about USD 124 million) for breaches of data protection regulations. These were the two largest penalties proposed under the GDPR up to that point.
Also in July, the Dutch authority imposed a fine of EUR 460,000 on a hospital for lax access controls on patient records, and the French CNIL fined the company Active Assurances EUR 180,000 for inadequately protecting the data of its website users.
In August 2019, a Polish retailer received a fine of around EUR 645,000 for "insufficient organizational and technical safeguards" under the GDPR.
Also in August, a Swedish school board was fined SEK 200,000 for using facial recognition to take attendance in classes.
GDPR fines 2018
On July 17, 2018, just a few months after GDPR came into force, the Portuguese supervisory authority ("CNPD") imposed a fine of EUR 400,000 on a hospital for a breach of the GDPR.
When the Austrian Data Protection Authority (DPA) fined a small business EUR 4,800 in October 2018 for operating a CCTV camera that also recorded the public space in front of its premises, it became clear for the first time that small companies are affected as well.
In November 2018, the German social media platform Knuddels.de was fined EUR 20,000 after a breach exposed the personal data of around 330,000 users, including email addresses and passwords that had been stored in plain text. The low amount was attributed mainly to the company's cooperation with the authority and its substantial subsequent investment in data protection.
GDPR fines gain momentum in the fourth quarter
On October 16, 2019, the joint body of the German data protection authorities, the Data Protection Conference (DSK), published the model it intends to use to calculate fines under Article 83 GDPR. The model starts from the company's annual worldwide turnover, derives a daily rate from it, and multiplies that rate by factors reflecting the severity of the infringement and any aggravating or mitigating circumstances.
October also saw the first multi-million euro fine in Germany, when the Berlin Commissioner for Data Protection and Freedom of Information announced that Deutsche Wohnen AG would have to pay EUR 14.5 million because it had kept tenants' personal data in an archive system from which data that was no longer needed could not be deleted, and could not demonstrate an appropriate deletion concept.
On October 25, the Spanish data protection authority imposed a fine of EUR 35,000 on Vodafone Spain for processing personal data without an adequate legal basis.
On October 31, the Dutch authority imposed a fine of EUR 900,000 on the Dutch employee insurance agency UWV for inadequate security of its online employer portal, which could be accessed without multi-factor authentication.
In October 2019, Facebook agreed to pay the fine the ICO had announced in July 2018 in relation to Cambridge Analytica's misuse of user data. Because the conduct predated the GDPR, the maximum fine the ICO could impose under the previous law was £500,000. Had the breaches occurred after May 2018, the potential fine could have been far higher: up to 4% of Facebook's annual worldwide turnover.
In November, the Romanian National Supervisory Authority for Personal Data Processing imposed fines on four companies:
- EUR 2,500 against Royal President for refusing a request for access to personal data under Article 15 GDPR and for disclosing personal data without the consent of the data subjects.
- EUR 80,000 against ING Bank N.V. Bucharest for failing to take appropriate technical and organizational measures for an automated data processing system used to process card transactions, affecting 225,525 customers.
- EUR 11,000 against a courier company for failing to take appropriate technical and organizational measures to prevent the loss of, and unauthorized access to, the personal data of around 1,100 data subjects.
- EUR 2,000 against BNP Paribas Personal Finance S.A. for failing to comply with a deletion request within the deadline set by the GDPR.
In November, the Spanish Data Protection Authority (AEPD) imposed fines on a number of companies:
- EUR 1,500 against Cerrajero Online for collecting personal data without a sufficient legal basis.
- EUR 900 against TOTO TECNICOS24H S.L. for collecting personal data without a sufficient legal basis.
- EUR 3,000 against the General Federation of Labor for disclosing personal data in a mailing without consent.
- EUR 30,000 against Telefónica SA for non-compliance with the general principles of data processing.
- EUR 60,000 against Xfera Móviles SA for failing to implement technical and organizational measures (TOMs) to ensure information security.
- EUR 60,000 against Corporación Radiotelevisión Española, likewise for failing to implement technical and organizational measures (TOMs) to ensure information security.
The Belgian data protection authority (APD) imposed a fine of 5,000 euros on a city councillor and a mayor for sending election mailings without a sufficient legal basis.
In November, the French CNIL imposed its second-highest fine to date, EUR 500,000, on Futura Internationale for cold calling: several complainants had continued to receive calls despite telling the company directly and by post that they did not want them, and the company had also transferred personal data outside the EU without proper safeguards and had failed to cooperate with the CNIL.
In December, a series of fines followed, including one by the Spanish Data Protection Agency, which fined Ikea Iberica EUR 10,000 for placing cookies on its customers' devices without their prior consent.
On December 3, the data protection authority of Rhineland-Palatinate imposed a fine of EUR 105,000 on a hospital for several GDPR violations in connection with a patient mix-up during admission, which revealed structural technical and organizational deficits in the hospital's patient management.
On December 4, the Romanian Data Protection Authority imposed a EUR 20,000 fine on an airline for failing to ensure that persons working under its authority processed personal data only on its instructions, as the GDPR requires.
On December 9, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, imposed a fine of EUR 9.55 million on the telecommunications provider 1&1 Telecom GmbH (1&1) for failing to adequately protect its customer data: callers to the company's customer service line could obtain extensive information about other customers by giving only a name and date of birth.
Delayed decisions
Ireland's data protection supervisory authority, the Data Protection Commission (DPC), was due to announce in December whether WhatsApp had breached the GDPR by not informing its users clearly enough about how it uses their personal data. The decision is now expected in January 2020.
In summary, looking back at the GDPR fines imposed this year, a clear momentum is developing. With thousands of complaints filed in recent months, 2020 promises to be a very interesting year for GDPR fines.
Are you worried about GDPR compliance? It's not too late.
Contact us today to find out how you can operate in compliance with data protection regulations in 2020.