The five highest GDPR fines in October 2024

The UK Information Commissioner was particularly busy in October: his office, the ICO, appears twice among the highest GDPR fines.

After the Irish data protection authority DPC had already imposed a fine of 91 million euros on Meta in September, it followed suit against LinkedIn in October: the Microsoft-owned company has to pay 310 million euros for serious data protection violations. The UK Information Commissioner was particularly busy in October: his office, the ICO, made it into the top 5 GDPR fines twice.

1. LinkedIn Ireland: 310 million euros

The Irish Data Protection Commission (DPC) has imposed a fine of 310 million euros on the Microsoft-owned business network LinkedIn in a decision dated October 22, 2024. The subject of the investigation was the processing of personal data of LinkedIn users for behavioral analysis and targeted advertising.

The DPC's investigation was initiated on August 20, 2018 following a complaint from the French non-profit organization La Quadrature Du Net. The complaint was first submitted to the French data protection authority CNIL and then forwarded to the DPC in its role as the lead supervisory authority for LinkedIn.

According to the DPC, the investigation concerned "the lawfulness, fairness and transparency of the processing of personal data of users of the LinkedIn platform for the purposes of behavioral analysis and targeted advertising". The DPC found that the personal data in question was data provided directly to LinkedIn by its members (first-party data) and data collected by LinkedIn through its third-party partners in relation to its members (third-party data).

You can read more details about the record fine in our extra article: LinkedIn fined 310 million euros

2. Police Service of Northern Ireland: GBP 750,000 (approx. 890,000 euros)

The UK's Information Commissioner's Office (ICO) fined the Police Service of Northern Ireland (PSNI) £750,000 (equivalent to around €890,000) for a significant data protection breach. On August 8, 2023, personal data of around 9,500 PSNI employees, including their service numbers, departments and locations, was inadvertently published on a public website. This publication posed a significant risk to the employees concerned, particularly those in classified and security-sensitive roles.

The ICO found that the PSNI breached several articles of the General Data Protection Regulation (UK GDPR) as the authority had not taken appropriate technical and organizational measures to ensure the security of the data. The breach was due to deficiencies in internal management and training in the handling of sensitive data.

Despite the measures taken by the PSNI following the incident, such as establishing a threat management process and improving internal security policies, the ICO decided that a fine was appropriate to highlight the seriousness of the breach and create a deterrent for similar organizations.

Source: Notice of fine Information Commissioner's Office (published on October 3, 2024)

3. Cosmospace: 250,000 euros AND Telemaque: 150,000 euros

The French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) imposed fines on the companies Cosmospace (250,000 euros) and Telemaque (150,000 euros) for data protection violations in connection with their fortune-telling services. Several breaches were identified during an investigation in 2021:

Cosmospace systematically recorded all conversations between customers and fortune tellers, which the CNIL found to be excessive and disproportionate. The CNIL found that such comprehensive recording was not necessary and should only be limited to certain conversations for quality control purposes.

Cosmospace and Telemaque also retained customer data for an excessive period of time. Cosmospace stored data for six years for commercial use, while Telemaque did so without restricting access to the data or filtering it accordingly.

The two companies also collected sensitive data such as health information and sexual orientation of their customers without obtaining explicit consent.

Cosmospace sent advertising messages by SMS and email to people without obtaining their unambiguous consent. The CNIL found that consent was not properly obtained via the partner company Telemaque.

The amount of the fine takes into account the seriousness of the violations, the large number of people affected (over 1.5 million contacts) and the financial situation of the company.

Source: Notice of fine CNIL (published on October 10, 2024)

4. Ibercaja Banco, S.A.: 180,000 euros

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) imposed a fine of 300,000 euros on Ibercaja Banco in a decision dated October 1, 2024. The company had unlawfully accessed the personal data of a former customer after the termination of a contractual relationship. The customer had terminated the contract in February 2022, but Ibercaja carried out a total of 47 searches of his data in a credit assessment register until January 2023. These accesses were made without a valid legal basis, as there was no contractual or legal necessity.

Ibercaja accepted the decision and took advantage of the option to voluntarily pay and acknowledge the debt, reducing the fine to 180,000 euros. The company also undertook to take measures within six months to ensure compliance with the

Source: AEPD fine notice dated October 1, 2024

5. Quick Tax Claims Limited: GBP 120,000 (approx. 143,400 euros)

The British data protection authority ICO has imposed a fine of £120,000 on Quick Tax Claims Limited (QTC). This was due to breaches of the Privacy and Electronic Communications Regulations (PECR). QTC sent almost 8 million unsolicited marketing text messages between February 12 and May 12, 2023 without the recipients' valid consent. Over 93 percent of these messages did not include an option to unsubscribe, which also violates the PECR.

A total of 66,793 consumers complained about the campaign.

The ICO found that QTC was sourcing data from third-party providers whose consent mechanisms did not comply with legal requirements. The ICO also found that QTC had not carried out sufficient due diligence checks to ensure that consent for data processing had been properly given.

Source: Notice of fine Information Commissioner's Office dated October 15, 2024
