We ranked the top 5 GDPR fines for the first half of 2019, not only by the biggest amounts, but also by the severity of impact on the data subjects’ rights, the sensitivity of the information processed, the number of data subjects whose data was exposed in some way, and the impact on the legal practice.
Although a lot of companies didn’t abuse customers’ rights deliberately or with an intention to gain profit, if they had not implemented proper data privacy and data security measures, under the General Data Protection Regulation they are all equally non-compliant and therefore all susceptible to huge fines.
Companies often didn’t even know in what way they had been violating data subjects’ rights prior to the GDPR.
Although the number of fines issued so far is not impressive, the significance of these fines is bigger than it seems as they serve as a guide to how the Regulation will be enforced.
Let’s start with the top 5 GDPR fines:
1. France – Google
The French Data Protection Authority issued a €50 million fine for the lack of transparency on how the data were harvested from data subjects and used for ad targeting.
Google was also accused of not collecting clear consents from data subjects.
Information was scattered across several documents, and consents were not defined for each specific purpose, making it hard for an individual to know what he is consenting to.
Pre-ticked opt-in was also an issue: it was more like one box to tick them all, which is a clear violation of GDPR Article 7.
If you are familiar with fines under the GDPR, the €50 million fine can sound reasonable (taking into consideration Google’s revenue). However, Google stated:
“We’ve worked hard to create a GDPR consent process for personalized ads, that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
2. Portugal – Centro Hospitalar Barreiro Montijo hospital
Medical records are really the most sensitive personal data. In 2018 the Portuguese Supervisory Authority fined the Centro Hospitalar Barreiro Montijo hospital for violation of the GDPR.
Apparently, non-medical staff were using the profiles of health workers to log in to the hospital computer, which exposed all confidential patient data to unauthorized personnel.
To be more specific, there were 985 medical profiles registered on the hospital’s computer, but there were only 296 medical staff working at the hospital at the time.
All patients’ medical data would be inserted into the hospital’s program. Once it was in the program, the hospital’s employees could access each individual hospital card, even if they had nothing to do with the patient’s treatment and regardless of their role at the hospital. The only thing they needed was the username and password provided by the hospital.
Apparently, the administration of the hospital had previously been warned and did nothing to correct its omissions. There were two fines issued, totaling €400,000. The first fine was €300,000, issued for the inability to limit access to the patients’ data and for the confidentiality violation.
The second fine was €100,000 for failing to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services”.
This case is third on our list, not just because of the fine, but because of the sensitivity of the data that was exposed and the lack of responsibility shown by the hospital.
3. Poland – Bisnode
The Polish DPA issued its first fine, for €220,000, to Bisnode, a provider of digital business, marketing, and credit information, for violation of data subjects’ rights under Article 14 of the GDPR.
Bisnode did not fulfill its obligation to inform, via personalized notice, all data subjects whose data it was processing. The company notified approximately 700,000 people, but not everyone. Instead, the company published the notice on its website.
The personal information that was processed included names, surnames, contact details and Polish identification numbers (PESEL numbers) of more than 7 million people.
Bisnode stated that such notice was in line with Article 14(5)(b) of the GDPR, which says that the information obligation is not necessary if the provision of information involves a disproportionate effort.
Their line of defense is that the fulfillment of their obligation would cause unreasonably high costs of more than €7 million, which would defeat the purpose of the entire action.
However, the Polish DPA did not interpret it the same way. After taking numerous factors into consideration, it issued a €220,000 fine and gave Bisnode three months to notify around 6 million data subjects in order to rectify the situation. Arguably, the amount of the fine may not be considered shockingly huge, but it is definitely important because of the number of data subjects it concerns.
This was the topic of a lot of discussion between experts because it sheds more light on what the term “disproportionate effort” means according to the GDPR.
4. Denmark – Taxa 4×35
This is a cautionary story about why your data retention policies should be rechecked. The Danish Data Protection Agency issued the first GDPR fine in Denmark to the taxi company Taxa 4×35.
The fine amounted to 1.2 million Danish crowns, approximately €160,000, or 2.8% of the company’s annual turnover.
This represents a significant change from the previous Danish law that was in force before the GDPR. The fine is approximately 50 times bigger than it would have been had it been issued prior to the GDPR.
The fine was issued because the taxi company did not comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, and had been retaining personal information of its customers for longer than necessary. The data related to approximately 9 million individuals.
According to its data retention policy, the company had been deleting personal data after two years but kept the customers’ telephone numbers for an additional three years. Its argument was that the telephone numbers were an essential piece of information in its IT database and could not be deleted at the same time as other data.
The Agency could not find justification in the complexity of Taxa’s IT system for such a serious violation. Moreover, Taxa’s data anonymization attempts failed. The anonymization was supposed to make it impossible for unauthorized personnel to connect individuals with their personal data, which was not the case.
The DPA definitely wanted to demonstrate that organizational IT limitations will not be a legitimate excuse for any GDPR violation.
We felt the issued fine deserves to be on the list since it represents a significant increase when compared to the previous law. In addition, it is interesting that the fine is a result of random checks by the DPA in a number of companies and public authorities, which represents proactivity at its best.
5. Italy – Rousseau platform
The Garante detected a lack of privacy and security measures, which resulted in a data breach on the Rousseau platform that was operating a website for the Italian political party Movimento 5 Stelle. The regulatory authority stated that there was a breach of Article 32 of the GDPR and issued a €50,000 fine.
So what was actually the case? A few websites relating to the political party were run through the data processor, the Rousseau platform. The platform suffered a data breach in 2017, which made the Italian data protection authority turn its attention in that direction.
It established that Rousseau has to update its security measures and privacy information notice, and demonstrate transparency in the way it processes data.
The Garante gave guidelines for Rousseau to implement a password strengthening system to avoid risks of attack, implement security protocols and digital certificates, increase the security of passwords (because of the weak cryptographic algorithms), and so on.
That’s it for TOP GDPR FINES in the first half of 2019.