Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

Top 5 GDPR fines [first half of 2019]

Top 5 GDPR fines

We ranked the top 5 GDPR fines for the first half of 2019, not only by the biggest amounts but also by the severity of impact on the data subjects’ rights, the sensitivity of the information processed, the number of data subjects whose data was exposed, and the impact on the legal practice.

Although many companies didn’t abuse customers’ rights deliberately or intend to gain profit, if they had not implemented proper data privacy and security measures under the General Data Protection Regulation, they are all equally non-compliant.

Therefore, all are susceptible to huge fines. Companies often didn’t even know in what way they had been violating the data subject rights prior to the GDPR.

Although the number of fines issued so far is not impressive, the significance of these fines is bigger than it seems, as they serve as a guide to how the Regulation will be enforced.

Let’s start with the top 5 GDPR fines:

1. France – Google


French Data Protection Authority issued a €50 million fine for the lack of transparency on how the data were harvested from data subjects and used for ad targeting.

Google was also accused of not collecting clear consent from data subjects.

Information was scattered across several documents, and consent was not defined for each specific purpose. Making it hard for an individual to know what he is consenting to.

Pre-ticked opt-in was also an issue; it was more like ticking one box to tick them all, which is a clear violation of GDPR Article 7.

If you are familiar with fines according to GDPR, the €50 million fine can sound reasonable (considering Google’s revenue). However, Google stated:

“We’ve worked hard to create a GDPR consent process for personalized ads, that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”

2. Portugal – Centro Hospitalar Barreiro Montijo hospital

top 5 gdpr fine hospital

Medical records are really the most sensitive personal data. In 2018, the Portuguese Supervisory Authority fined Centro Hospitalar Barreiro Montijo Hospital for violation of the GDPR.

Apparently, the non-medical staff was using health worker profiles to log in to the hospital computer, which exposed all confidential patient data to unauthorized personnel.

To be more specific, there were 985 medical profiles registered on the hospital’s computer, but there were only 296 medical staff working at the hospital at the time.

All patients’ medical data would be inserted into the hospital’s program. Once it was in the program, the hospital’s employees could access each individual hospital card, even if they had nothing to do with the patient’s treatment regardless of their role at the hospital. They only needed the username and password provided by the hospital.

Apparently, the administration of the hospital was previously warned and they have done nothing to correct their omissions. There were two fines issued totaling €400.000. The first fine was €300,000 for the inability to limit patient data access and confidentiality violation.

The second fine was €100,000 for failing to“ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.”

Third on our list, not just because of the fine, but the sensitivity of the data that was exposed and the lack of responsibility shown by the hospital.

3. Poland – Bisnode

top gdpr fine bisnode

Polish DPA has issued the first fine of €220.000 to Bisnode – the provider of digital business, marketing, and credit information- for violating data subjects’ rights under Article 14 of the GDPR.

Bisnode did not fulfill its obligation to inform all data subjects whose data they were processing via personalized notice. The company notified approximately 700,000 people, but not everyone.

The processed Personal information included names, surnames, contact details, and Polish identification numbers (PESEL numbers) of more than 7 million people. Instead, the company published the notice on their company website.

Bisnode stated that such notice was in line with Article 14(5)(b) of the GDPR, which says that the information obligation is not necessary if the provision of information involves a disproportionate effort.

Their line of defense is that fulfilling their obligation would cause unreasonably high costs of more than €7 million, defeating the entire action’s purpose.

However, the Polish DPA did not interpret it the same way. After considering numerous factors, they issued a €220.000 fine and gave Bisnode three months to notify around 6 million data subjects to rectify the situation.

Arguably, the fine amount may not be considered shockingly huge, but it is important because of the number of data subjects it is regarding.

This was the topic of a lot of discussion between experts because it is shedding more light on what the term “disproportionate effort” means according to the GDPR.

4. Denmark –  Taxa 4×35

top 5 gdpr fines denmark taxa

This is a very cautionary story about how your data retention policies should be rechecked. The Danish Data Protection Agency issued the first GDPR fine in Denmark to the taxi company – Taxa 4×35.

The fine was issued to 1.2 million Danish crowns or approximately 160.000 or 2.8% of the company’s annual turnover.

This represents a significant change from the previous Danish law in force before the GDPR. The fine is approximately 50 times bigger than it would be if it had been issued before the GDPR.

The fine was issued because the taxi company did not comply with the GDPR data minimization principle, purpose, and storage limitation and had been retaining the personal information of their customers for longer than necessary. The data were related to approximately 9 million individuals.

According to their data retention policy, they have been deleting personal data after two years but kept the customers’ telephone numbers for an additional three years. They argued that the telephone numbers were an essential piece of information in their IT database and could not be deleted simultaneously as other data.

The Agency could not find justification for such a serious violation in the complexity of Taxa’s IT system. Moreover, Taxa’s data anonymization attempts failed. The Anonymization was supposed to make it impossible for unauthorized personnel to connect individuals with their personal data, which was not the case.

Read more about pseudonymization and anonymization according to the GDPR! 

The DPA definitely wanted to demonstrate that organizational IT limitations will not be a legitimate excuse for any GDPR violation.

We felt the issued fine deserves to be on the list since it represents a significant increase compared to the previous law. In addition, it is interesting that the fine is a result of random checks by DPA in a number of companies and public authorities, which represents proactivity at its best.

5. Italy – Rousseau platform

top 5 gdpr fines italy

The Italian data protection authority Garante issued a fine against the data processor the Rousseau platform.

Garante detected the lack of privacy and security measures, which resulted in a data breach on the Rousseau platform that was operating a website for the Italian political party Movimento 5 Stelle. The regulatory authority stated that there was a breach of Article 32 of the GDPR and issued a €50,000 fine.

So what was the case? Few websites relating to the political party were run through the data processor – the Rousseau platform. Platform suffered a data breach in 2017 which made the Italian data protection authority turn in that direction.

They established that Rousseau has to update security measures and privacy information notices and demonstrate transparency in the way they process data.

Galante gave guidelines for Rousseau to implement the password-strengthening system to avoid risks of attack, implement security protocols and digital certificates, increase the security of passwords (because of the weak cryptographic algorithms), and so on.

That’s it for TOP GDPR FINES in the first half of 2019.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top