The data protection authorities were also active in August and imposed some very high fines. The fine of 290 million euros imposed by the Dutch data protection authority on the ride-hailing company Uber caused quite a stir. The fines imposed in Belgium, Sweden and Spain in August are also worth a look for their details. The investigation against the fashion company Uniqlo Europe in Spain shows why the negligent mistake of a single employee can become expensive for a company.
1. Uber: 290 million euros (Netherlands)
The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 290 million euros on the ride-hailing service Uber. The reason for the fine: inadequate protection of the personal data of European taxi drivers that was transferred to Uber's US headquarters.
The investigation by the data protection authority followed complaints from more than 170 French Uber drivers. They had complained to the French human rights organization Ligue des droits de l'Homme (LDH) about Uber's data protection practices, and the LDH then filed a complaint with the French data protection authority. As Uber's European headquarters are located in the Netherlands, the Dutch data protection authority was responsible for the investigation.
Among other things, Uber collected sensitive information about drivers from Europe, such as account and driver's license data, location data, photos, payment information, identification documents and, in some cases, criminal and medical data, and stored it on servers in the USA.
This sensitive data was transferred over a period of more than two years. During that time, Uber did not implement the protective measures that the GDPR prescribes for transfers of personal data to third countries. The data protection authority classifies Uber's infringement as serious.
Source: Fines imposed by the Autoriteit Persoonsgegevens against Uber
2. T-Mobile US: 60 million US dollars
The Committee on Foreign Investment in the U.S. (CFIUS) has imposed a fine of 60 million dollars (around 55 million euros) on the mobile communications company T-Mobile US.
The company failed to prevent and report unauthorized access to sensitive data, senior US officials told Reuters on August 14. In addition, T-Mobile US did not report some breaches quickly enough, which hampered the agency's investigation.
In a statement, T-Mobile explained that the merger with the US mobile communications company Sprint had led to technical problems that were quickly resolved. Specifically, there were some cases of unauthorized access to sensitive data between August 2020 and June 2021. According to the company, only a small number of requests from investigating authorities were affected.
This is already the second multi-million fine for T-Mobile US this year. In April, the FCC had imposed a fine of 80 million dollars (around 74.7 million euros) because the company had not adequately protected its customers' location data.
Reading tip: Current penalties for data protection violations in the USA
3. Apoteket AB and Apohem AB: SEK 37 million and SEK 8 million (Sweden)
The Swedish data protection authority Integritetsskyddsmyndigheten (IMY) has imposed fines of SEK 37 million (around EUR 3.26 million) on Apoteket AB and SEK 8 million (around EUR 705,000) on Apohem AB. The companies had used the Meta Pixel on their websites and, over an extended period, transmitted personal data to Meta in breach of data protection law.
Apoteket and Apohem had used Meta's Meta Pixel analytics tool on their websites from January 2010 to April 2022 in order to optimize their marketing on Facebook and Instagram. The unintended transmission of personal data was caused by the companies activating a new sub-function of the Meta Pixel.
Activating the Meta Pixel's "Advanced Matching" (AAM) function resulted in more data being processed and transmitted to Meta than originally intended. Among other things, the companies transmitted data on purchases of over-the-counter medicines, self-tests, treatments for sexually transmitted diseases and sex toys. Such data can reveal information about a person's health or sex life and therefore belongs to the special categories of personal data protected by Art. 9 GDPR.
IMY's investigation revealed that the companies had not taken appropriate technical and organizational measures to ensure an adequate level of protection for their customers' personal data. Only after the incident did both companies take several measures to improve compliance with data protection regulations, including a comprehensive review of cookies and analysis tools, employee training and a new function to monitor data protection compliance in the marketing department.
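The following is an added example, not code from the IMY decisions, from Apoteket or Apohem, or from Meta. It shows in plain JavaScript why enabling extra pixel features leaks more than intended, and what a consent- and category-aware wrapper around the pixel call looks like: the naive variant forwards the whole cart plus identifiers for advanced matching, the hardened variant sends nothing without marketing consent and strips items in Art. 9 categories before the event is built. The `fbq('init', ...)` / `fbq('track', 'Purchase', ...)` call shape follows Meta's public pixel documentation; the category list, the sample order and the `makePixelSink` stand-in that records calls instead of contacting Meta are constructed for illustration. The `auditPixelCalls` helper is the check a practitioner would run against a captured call log.

```javascript
// Added example (not from the IMY decisions or Meta's code). Runs offline:
// the pixel is replaced by a recording stand-in.

// Product categories treated as Art. 9 special-category data.
// Constructed list for this example; a real shop maps its own taxonomy.
const SENSITIVE_CATEGORIES = new Set([
  "otc-medicine",
  "self-test",
  "sti-treatment",
  "sexual-wellness",
]);

// Constructed sample order: one harmless item, one Art. 9 item.
const SAMPLE_ORDER = {
  email: "anna@example.com",
  phone: "+46700000000",
  total: 349,
  currency: "SEK",
  items: [
    { sku: "A100", qty: 1, category: "skincare", name: "Hand cream" },
    { sku: "B200", qty: 1, category: "self-test", name: "STI home test" },
  ],
};

// Stand-in for the third-party pixel: records every call instead of sending it.
function makePixelSink() {
  const calls = [];
  const fbq = (...args) => { calls.push(args); };
  return { fbq, calls };
}

// "Before": forwards identifiers for advanced matching and the full cart,
// including product names and categories, exactly as the checkout knows them.
function trackPurchaseNaive(fbq, order) {
  fbq("init", "PIXEL_ID", { em: order.email, ph: order.phone }); // advanced matching
  fbq("track", "Purchase", {
    value: order.total,
    currency: order.currency,
    contents: order.items.map((i) => ({
      id: i.sku, quantity: i.qty, category: i.category, name: i.name,
    })),
  });
}

// "After": nothing leaves the page without marketing consent; items in
// special categories are dropped entirely, and the remaining items carry
// only SKU and quantity (no names, no categories, no identifiers on init).
function trackPurchaseHardened(fbq, order, consent) {
  if (!consent.marketing) return { sent: false, dropped: 0 };

  const safeItems = order.items.filter((i) => !SENSITIVE_CATEGORIES.has(i.category));
  const dropped = order.items.length - safeItems.length;

  fbq("init", "PIXEL_ID");
  fbq("track", "Purchase", {
    value: order.total,
    currency: order.currency,
    contents: safeItems.map((i) => ({ id: i.sku, quantity: i.qty })),
  });
  return { sent: true, dropped };
}

// Audit: walk recorded pixel calls and report what would have been disclosed.
// Returns one human-readable finding per problem; empty array means clean.
function auditPixelCalls(calls) {
  const findings = [];
  for (const [cmd, ...rest] of calls) {
    if (cmd === "init" && rest[1] && typeof rest[1] === "object") {
      for (const key of Object.keys(rest[1])) {
        findings.push(`advanced-matching identifier '${key}' sent on init`);
      }
    }
    if (cmd === "track" && rest[1] && Array.isArray(rest[1].contents)) {
      for (const item of rest[1].contents) {
        if (item.category && SENSITIVE_CATEGORIES.has(item.category)) {
          findings.push(`special-category item '${item.id}' (${item.category}) in ${rest[0]} event`);
        }
      }
    }
  }
  return findings;
}

// Usage: compare the two variants on the same order.
const naive = makePixelSink();
trackPurchaseNaive(naive.fbq, SAMPLE_ORDER);
console.log("naive findings:", auditPixelCalls(naive.calls));

const hardened = makePixelSink();
console.log("hardened:", trackPurchaseHardened(hardened.fbq, SAMPLE_ORDER, { marketing: true }));
console.log("hardened findings:", auditPixelCalls(hardened.calls));
```

In a real deployment the recording sink is swapped for the actual `fbq` global, and `auditPixelCalls` is run in the test suite against a captured call log so that a newly enabled pixel feature or a new product category shows up as a failing check rather than as a finding in a regulator's decision.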
Source: Notice of fine Integritetsskyddsmyndigheten against Apoteket AB
Source: Notice of fine Integritetsskyddsmyndigheten against Apohem AB
4. Uniqlo Europe: 270,000 euros (Spain)
A mishap with consequences: a former employee of the Japanese fashion company Uniqlo requested that his payslip for July 2022 be sent to him. In addition to his own payslip, the PDF file he received contained the payslips of 446 other employees.
The investigation by the Spanish data protection authority Agencia Española de Protección de Datos (AEPD) revealed that the data breach had been caused by an error in HR. However, this error was neither reported internally nor recognized in time. Only when the AEPD informed Uniqlo of the complaint in April 2023 did the company recognize the incident as a security breach. In addition, the affected employees were not notified promptly: notification was only made on May 4, 2023, after Uniqlo had been informed of the complaint. Uniqlo stated that it had received no indication that the data had been compromised or otherwise misused. Nevertheless, the company advised affected employees to remain vigilant and monitor their bank accounts for unusual activity.
The AEPD found that Uniqlo had violated several provisions of the GDPR:
- Article 5(1)(f) GDPR: Uniqlo violated the principle of integrity and confidentiality by disclosing the personal data of 447 employees through an improper transmission. The unauthorized disclosure of this sensitive information constitutes a serious infringement, particularly as the data was not encrypted and was sent by e-mail, which increased the risk of access by unauthorized third parties.
- Article 32 GDPR: Uniqlo had not taken appropriate technical and organizational measures to ensure an adequate level of protection. Despite the introduction of a security portal and an information security manual, the implementation of security protocols was clearly insufficient to prevent such a data breach. Employee training and awareness of data protection were not sufficient to minimize the risk of human error.
The fact that an employee committed the error does not relieve the company of its responsibility. According to the case law of the Spanish Supreme Court (STS No. 188/2022), a company remains liable even if the infringement is due to the negligence of an employee.
The fine originally imposed by the AEPD, totaling 450,000 euros, was reduced to 270,000 euros under the reductions Spanish administrative procedure grants for acknowledging responsibility and paying voluntarily. Uniqlo has paid the fine and has since taken measures to prevent such an incident from occurring in the future.
Source: Notice of fine Agencia Española de Protección de Datos
5. Telecommunications company: 100,000 euros (Belgium)
On August 23, 2024, the Chambre Contentieuse of the Belgian data protection authority (Autorité de Protection des Données, APD) imposed a fine of 100,000 euros on an unnamed telecommunications company.
The company only responded to a customer's request for information 14 months after receiving it. Because of this delay, the data subject complained to the APD, which then opened an investigation.
The Chambre Contentieuse found that the company had violated Articles 12 and 15 GDPR by failing to properly grant the data subject's right of access.
Article 15 GDPR guarantees the data subject the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, as well as access to that data and additional information.
Under Article 12 GDPR, the controller must take measures to facilitate the exercise of data subjects' rights and must respond to requests "without undue delay and in any event within one month"; Art. 12(3) allows that period to be extended by a further two months only where the complexity or number of requests requires it, and the data subject must be told of the extension within the first month.
However, the defendant had not replied to the complainant's request for information within the time limit set out in Art. 12(3) GDPR. Furthermore, the requested information was only made available to the complainant after repeated requests and during the ongoing proceedings.
When calculating the fine, the APD took into account that a violation of the right of access is generally classified as a serious infringement. The delay of more than 14 months in responding to the request was assessed as a continuing infringement. It was also taken into account that a satisfactory response was only given under pressure from the authority.