What are the top 5 GDPR fines so far?
We ranked the top 5 GDPR fines not only by the size of the amounts, but also by the severity of the impact on data subjects’ rights, the sensitivity of the information processed, the number of data subjects whose data was exposed in some way, and the impact on legal practice.
It has been exactly one year since GDPR came into full force and created a lot of buzz, not just in Europe, but worldwide.
Although many companies did not abuse customers’ rights deliberately or with the intention of making a profit, under the GDPR every company that has not implemented proper data privacy and data security measures is equally non-compliant, and therefore susceptible to huge fines.
Companies often did not even know in what way they had been violating data subjects’ rights prior to the GDPR.
Some companies chose a “wait and see” GDPR strategy: deleting the data and thereby avoiding any possibility of a data breach or a violation of data subjects’ rights.
Some chose a proactive strategy and gathered information about the GDPR, hired consultants and automated their processes. However, we can all agree on one thing: we were not ready.
There were others too: the non-believers who thought it was not possible to enforce the GDPR properly, or to regulate it to an extent that would result in any fines. Fines seemed somehow unreal.
No matter the approach, the compliance process is a very tedious task, and not everyone was successful.
Although the number of fines issued so far is not colossal, the significance of these fines is bigger than you think. It is important to learn from the first GDPR legal practices.
First practices under a regulation of such importance tend to establish themselves as precedent.
Regulators from different countries will start to refer to these pioneering GDPR fines to resolve new cases and establish new practice. They will definitely become a stepping stone in the way GDPR practice shapes up.
This is a cautionary story about why your data retention policies should be rechecked. The Danish Data Protection Agency issued the first GDPR fine in Denmark to the taxi company Taxa 4×35.
The fine was 1.2 million Danish crowns, approximately €160,000, or 2.8 percent of the company’s annual turnover. This represents a significant change from the previous Danish law that was in force before the GDPR: under the GDPR, the fine is approximately 50 times bigger than it would have been if it had been issued prior to the GDPR.
The fine was issued because the taxi company did not comply with the GDPR principles of data minimization, purpose limitation and storage limitation, and had been retaining personal information about its customers for longer than necessary. The data related to approximately 9 million individuals.
According to their data retention policy, they deleted personal data after two years but kept customers’ telephone numbers for an additional three years. Their argument was that the telephone numbers were an essential piece of information in their IT database and could not be deleted at the same time as the other data.
The Agency did not accept the complexity of Taxa’s IT system as justification for such a serious violation. Moreover, Taxa’s data anonymization attempts failed: the anonymization was supposed to make it impossible for unauthorized personnel to connect individuals with their personal data, which was not the case.
The DPA definitely wanted to demonstrate that organizational IT limitations will not be a legitimate excuse for any GDPR violation.
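The Taxa case turns on two checks that are easy to automate: a retention rule applied per field, and a test of whether what survives the rule still identifies a person. The following is an added example (not code from the original article and not Taxa’s actual system); the policies, field names, dates and customers are all constructed. It shows that a policy which deletes most of a record after two years but keeps the telephone number three years longer leaves rows that are still personal data, while a policy that retires the phone number with the rest of the record does not.

```python
from datetime import date, timedelta

# Constructed retention policies, not Taxa's real configuration: number of days a field
# may be kept after the customer's last ride. The first mirrors the practice described
# in the article (everything two years, phone numbers three years longer); the second
# keeps the phone number no longer than the rest of the record.
TAXA_STYLE_POLICY = {"name": 730, "address": 730, "ride_history": 730, "phone": 730 + 3 * 365}
COMPLIANT_POLICY = {"name": 730, "address": 730, "ride_history": 730, "phone": 730}

# Fields that identify a person on their own. A row that still carries one of these
# has not been anonymized, whatever happened to the other columns.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "address"}


def apply_retention(record, last_activity, today, policy):
    """Return a copy of the record with every field past its retention period removed.
    A field with no period defined in the policy fails closed and is dropped."""
    age = today - last_activity
    return {
        field: value
        for field, value in record.items()
        if policy.get(field) is not None and age <= timedelta(days=policy[field])
    }


def is_anonymous(record):
    """True only if no direct identifier survives in the record."""
    return not (DIRECT_IDENTIFIERS & set(record))


def find_overretained(customers, today, policy, base_days=730):
    """IDs of customers whose last ride is older than base_days but whose retained
    row still links back to a person. Each customer is (id, last_ride, record)."""
    flagged = []
    for customer_id, last_ride, record in customers:
        if today - last_ride <= timedelta(days=base_days):
            continue  # inside the normal retention window: identifiable by design
        if not is_anonymous(apply_retention(record, last_ride, today, policy)):
            flagged.append(customer_id)
    return flagged


# Constructed sample data (three fictitious customers) and a fixed "today".
TODAY = date(2019, 5, 25)
SAMPLE_CUSTOMERS = [
    (1, date(2016, 1, 10), {"name": "Anna Example", "phone": "+45 00 00 00 01",
                            "address": "Teststreet 1", "ride_history": ["2016-01-10"]}),
    (2, date(2019, 3, 1), {"name": "Bo Example", "phone": "+45 00 00 00 02",
                           "address": "Teststreet 2", "ride_history": ["2019-03-01"]}),
    (3, date(2013, 1, 1), {"name": "Cleo Example", "phone": "+45 00 00 00 03",
                           "address": "Teststreet 3", "ride_history": ["2013-01-01"]}),
]

if __name__ == "__main__":
    print("Taxa-style policy over-retains:", find_overretained(SAMPLE_CUSTOMERS, TODAY, TAXA_STYLE_POLICY))
    print("Aligned policy over-retains:   ", find_overretained(SAMPLE_CUSTOMERS, TODAY, COMPLIANT_POLICY))
```

Customer 1 (last ride about three years and four months ago) keeps only a phone number under the Taxa-style policy, which is exactly the row the DPA objected to; customer 3 is old enough to be dropped under both policies and customer 2 is inside the normal window. The same scan, run against a real customer table, is the kind of random check that would have surfaced the problem before the regulator did.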
We felt the fine deserves a place on the list since it represents a significant increase compared to the previous law. In addition, it is interesting that the fine resulted from random checks by the DPA on a number of companies and public authorities, which is proactivity at its best.
The first GDPR fine issued by the Italian data protection authority, the Garante, was particularly interesting since it was issued not against the data controller but against the data processor.
The Garante found a lack of privacy and security measures, which resulted in a data breach on the Rousseau platform, which operated a website for the Italian political party Movimento 5 Stelle. The authority stated that there was a breach of Article 32 of the GDPR and issued a €50,000 fine.
So what was actually the case? A few websites relating to the political party were run through the data processor, the Rousseau platform. The platform suffered a data breach in 2017, which drew the attention of the Italian data protection authority.
The authority established that Rousseau had to update its security measures and its privacy information notice and demonstrate transparency in the way it processes data. Enforcement came in the form of a very handsome fine.
The Garante gave Rousseau guidelines to implement a password strengthening system to reduce the risk of attack, to implement secure protocols and digital certificates, to increase the security of passwords (because of the weak cryptographic algorithms in use), and so on.
The Italian authority occupies 4th place since the case concerns a data processor and sheds some light on what the GDPR expects in terms of data security.
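Of the measures the Garante listed, the password-related ones are the easiest to show concretely. The following is an added example (not code from the article and not Rousseau’s code) that puts a fast, unsalted digest, the kind of weak algorithm a regulator objects to, beside a salted, deliberately slow key derivation with a minimum-length and blocklist policy in front of it. The iteration count, the blocklist and the storage format are assumptions of this example.

```python
import hashlib
import hmac
import os


def weak_hash(password):
    """Legacy scheme: a fast, unsalted digest. Two users with the same password get
    the same digest, and precomputed tables recover common passwords instantly."""
    return hashlib.md5(password.encode()).hexdigest()


# Hardened scheme (assumed design, not Rousseau's): a per-user random salt and a slow
# key derivation function, with the parameters stored next to the hash so they can be
# raised later without breaking verification of existing entries.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12
# Constructed blocklist; a real deployment would use a large breached-password list.
BLOCKLIST = {"password", "password123", "rousseau2019", "qwertyuiop12"}


def password_meets_policy(password):
    """Minimum length plus a case-insensitive blocklist check, applied before hashing."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in BLOCKLIST


def hash_password(password, salt=None):
    """Derive a storable string: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Recompute the derivation with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy entry: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a mismatch does not leak where the digests diverge.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("same weak digest for two users:", weak_hash("password") == weak_hash("password"))
    stored = hash_password("correct-horse-battery")
    print("salted entries differ:", stored != hash_password("correct-horse-battery"))
    print("verify correct:", verify_password("correct-horse-battery", stored))
    print("verify wrong:  ", verify_password("correct-horse-batterz", stored))
```

Two points the code makes that the guideline text does not: the salt means identical passwords no longer produce identical records, so a leaked table cannot be attacked in bulk, and the iteration count lives in the record, so it can be increased as hardware improves by re-hashing on the user’s next successful login.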
Medical records are among the most sensitive information a person can have exposed. In 2018 the Portuguese supervisory authority fined the Centro Hospitalar Barreiro Montijo hospital for violating the GDPR.
Apparently, non-medical staff were using the profiles of health workers to log in to the hospital computer system, which exposed all confidential patient data to unauthorized personnel.
To be more specific, there were 985 medical profiles registered in the hospital’s computer system, but only 296 medical staff working at the hospital at the time.
All patients’ medical data was entered into the hospital’s program. Once it was in the program, the hospital’s employees could access each individual patient file, even if they had nothing to do with the patient’s treatment and regardless of their role at the hospital. The only thing they needed was the username and password provided by the hospital.
Apparently, the hospital’s administration had previously been warned and had done nothing to correct the omissions. Two fines were issued, totaling €400,000. The first fine, €300,000, was for the inability to limit access to patient data and for the violation of confidentiality.
The second fine was €100,000 for failing to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services”.
This case is third on our list, not just because of the fine, but because of the sensitivity of the data that was exposed and the lack of responsibility shown by the hospital.
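The hospital’s two failures are that a valid login was the only condition for reading any patient file, and that far more clinical accounts existed than there were clinicians. The following is an added example (not code from the article and not the hospital’s software) with a constructed account model: it puts the “any login reads anything” check beside a least-privilege check that requires both a clinical role and an active treatment relationship, and adds the account-versus-roster audit that would have surfaced the 985-to-296 gap.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Constructed model of a hospital login; names and roles are fictitious."""
    username: str
    role: str                                   # e.g. "doctor", "nurse", "clerk"
    care_team_for: frozenset = frozenset()      # patient ids this account currently treats


CLINICAL_ROLES = {"doctor", "nurse"}


def can_read_record_legacy(account, patient_id):
    """The failure mode in the article: any valid login reads any patient file."""
    return account is not None


def can_read_record(account, patient_id):
    """Least privilege: a clinical role AND an active treatment relationship are both required."""
    return account.role in CLINICAL_ROLES and patient_id in account.care_team_for


def unmatched_clinical_accounts(accounts, roster):
    """Usernames holding a clinical role that are not on the current staff roster for
    that role. roster maps role -> set of usernames employed right now."""
    return sorted(
        a.username for a in accounts
        if a.role in CLINICAL_ROLES and a.username not in roster.get(a.role, set())
    )


def audit_summary(accounts, roster):
    """The numbers an auditor compares first: clinical accounts vs clinical staff."""
    clinical_accounts = sum(1 for a in accounts if a.role in CLINICAL_ROLES)
    clinical_staff = sum(len(names) for role, names in roster.items() if role in CLINICAL_ROLES)
    return {
        "clinical_accounts": clinical_accounts,
        "clinical_staff": clinical_staff,
        "unmatched": unmatched_clinical_accounts(accounts, roster),
    }


# Constructed sample: four clinical accounts but only three clinicians on the roster.
ACCOUNTS = [
    Account("dr_silva", "doctor", frozenset({"P-1001", "P-1002"})),
    Account("dr_costa", "doctor", frozenset({"P-1003"})),
    Account("dr_former", "doctor", frozenset({"P-1001"})),  # left the hospital, never disabled
    Account("nurse_reis", "nurse", frozenset({"P-1001"})),
    Account("clerk_pinto", "clerk"),
]
ROSTER = {"doctor": {"dr_silva", "dr_costa"}, "nurse": {"nurse_reis"}, "clerk": {"clerk_pinto"}}

if __name__ == "__main__":
    clerk = ACCOUNTS[4]
    print("legacy: clerk reads P-1001:", can_read_record_legacy(clerk, "P-1001"))
    print("scoped: clerk reads P-1001:", can_read_record(clerk, "P-1001"))
    print("audit:", audit_summary(ACCOUNTS, ROSTER))
```

The scoped check denies the clerk outright and also denies a doctor who is not treating the patient, which is the “regardless of their role” gap the authority fined. The audit is deliberately simple: a periodic comparison of account list against HR roster, with unmatched clinical accounts disabled, removes the surplus profiles that non-medical staff were borrowing.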
The Polish DPA issued its first fine, €220,000, to Bisnode, a provider of digital business, marketing and credit information, for violating data subjects’ rights under Article 14 of the GDPR.
Bisnode did not fulfil its obligation to inform, via a personalized notice, all the data subjects whose data it was processing. The company notified approximately 700,000 people, but not everyone.
The personal information processed included names, surnames, contact details and the Polish identification number (PESEL number) of more than 7 million people. Instead of notifying the rest individually, the company published the notice on its website.
Bisnode argued that such a notice was in line with Article 14(5)(b) of the GDPR, which says that the information obligation does not apply if providing the information would involve a disproportionate effort.
Their line of defense was that fulfilling the obligation would have cost more than €7 million, which would defeat the purpose of the entire action.
However, the Polish DPA did not interpret it the same way. After taking numerous factors into consideration, it issued a €220,000 fine and gave Bisnode three months to notify around 6 million data subjects in order to rectify the situation. Arguably, the amount of the fine is not shockingly huge, but it is definitely important because of the number of data subjects concerned.
This has been the topic of a lot of discussion among experts because it sheds more light on what the term “disproportionate effort” means under the GDPR. It is said that Bisnode will file a complaint against the controversial fine.
Surprise, surprise! We are awarding Google honorary first place for the biggest financial penalty so far, issued for lack of transparency and lack of valid consent.
A €50 million fine was issued by the French Data Protection Authority on account of a lack of transparency about how data was harvested from data subjects and used for ad targeting.
Google was also accused of not collecting clear consent from data subjects. Information was scattered across several documents, and consent was not defined for each specific purpose, making it hard for an individual to know what they were consenting to.
Pre-ticked opt-in boxes were also an issue; it was more like one box to tick for everything, which is a clear violation of GDPR Article 7.
If you are familiar with fines under the GDPR, the €50 million fine may sound reasonable (taking Google’s revenue into consideration), but of course Google was not very happy, since the fine causes reputational damage. They stated:
“We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
We believe they have put a lot of work into redeeming themselves. Hopefully, this will be a lesson learned and our data in Google’s hands will be as safe as possible.