Since the implementation of the General Data Protection Regulation (“GDPR”) in April 2016, at least 233 fines have been issued to businesses and organizations by supervisory bodies throughout the European Union. It is critical for businesses across all industries to stay up-to-date on: (i) where fines have been assessed under the GDPR; (ii) how fines have been assessed under the GDPR; and (iii) why fines have been assessed under the GDPR.
This article will cover the following topics:
- Trends on fines and penalties issued under the GDPR
- The impact of GDPR fines on small businesses
- The largest fines imposed under the GDPR to date
- How to avoid GDPR penalties and fines
Trends on fines and penalties issued under the GDPR
Some member states have been more proactive than others in the frequency of fines and penalties issued under the GDPR. Spain leads the European Union with 80 fines issued, while Croatia, Lithuania, and Malta have each issued only a single fine. In total, businesses have been fined more than 467,000,000 EUR under the GDPR as of April 2020.
The overall number of fines issued by member states has steadily increased monthly. In fact, each of the past six months has set the record for the most fines issued in a month since the implementation of the GDPR.
Below is a ranking of fines by GDPR violation type since the GDPR’s implementation:
- Insufficient technical and organizational measures to ensure the security of personal information – 332,962,397 EUR (62 fines);
- Lack of legal basis for personal data processing – 110,178,168 EUR (101 fines);
- Non-compliance with personal data processing principles of the GDPR – 16,070,665 EUR (40 fines);
- Non-compliance regarding the rights of data subjects – 7,857,697 EUR (24 fines);
- Non-compliance with information obligations – 557,265 EUR (15 fines);
- Non-compliance with personal data breach notification obligations – 158,425 EUR (15 fines);
- Failure to appoint a data protection officer – 61,000 EUR (2 fines);
- Lack of cooperation with a supervisory authority – 55,511 EUR (9 fines);
- Improper data processing agreement – 14,380 EUR (1 fine).
Do only major corporations receive fines under the GDPR?
While it is true that the largest fines issued under the GDPR have typically been imposed on large businesses (e.g. the largest fine issued was against British Airways for 204,600,000 EUR in July 2019), small businesses are not ignored by the supervisory bodies that assess GDPR fines and penalties. In fact, the fine and penalty structure under the GDPR was designed to ensure that businesses of all sizes would be held liable for non-compliance. Below is a list of various small businesses and organizations that have been fined under the GDPR:
- The Romanian supervisory authority fined an infertility association 2,000 EUR in March 2020 for a failure to transmit requested information to authorities. The infertility association was under investigation to determine whether the association disclosed personal data without consent.
- The Spanish supervisory authority fined a homeowner association 2,000 EUR in March 2020 for a violation of the GDPR principles – specifically for video surveillance of a public space without any legal basis to do so.
- The Icelandic supervisory authority fined a secondary school 9,000 EUR in March 2020 for a lack of measures in place to ensure personal data security. A teacher at the school emailed students and parents an attachment containing the academic performance and overall well-being of students without their consent.
- The Spanish supervisory authority fined a local small business discount retail shop 3,200 EUR in March 2020 for a failure to provide notice to customers that video surveillance on the property was used.
- The Polish supervisory authority fined a primary school 4,600 EUR in March 2020 for not having a legal basis to process the personal data of students. The school utilized student fingerprinting in order to distribute meals in the cafeteria. The supervisory authority determined that the school could find other methods of distributing meals to students without the use of their biometric data.
- The Norwegian supervisory authority fined a local grocery chain 36,800 EUR in February 2020 for distributing video surveillance of children who allegedly shoplifted from the grocery store. The supervisory authority determined that the store did not have a legal basis for releasing the video.
- The Spanish supervisory authority fined a real estate company 2,500 EUR in February 2020 for a breach of the GDPR principles of integrity and confidentiality of personal data. A real estate agent had disclosed the personal information of buyers to third parties in a property purchase agreement.
- The Spanish supervisory authority fined a street vendor 5,000 EUR in February 2020 for a failure to obtain the consent of their customers to process their personal data.
- The Spanish supervisory authority fined a bank 6,670 EUR in February 2020 for a failure to comply with a customer’s request to remove his personal data from the bank’s records. The bank continued to send advertisements to the customer via text and email after repeated requests to remove him from the mailing lists.
- The Spanish supervisory authority fined an online shopping retailer 5,000 EUR in December 2019 for a lack of measures in place to ensure personal data security. Advertising emails sent to customers had inadvertently revealed the personal data of all recipients on the advertising email list.
- The Danish supervisory authority fined a luxury furniture retailer 200,850 EUR in June 2019 for a violation of personal data storage restrictions. The company had processed the personal data of approximately 385,000 customers for a longer period than necessary. The company also failed to establish deadlines and procedures for the deletion of customer data.
Fines under the GDPR can be astoundingly large
While businesses of any size can be penalized and fined under the GDPR, the largest fines have been somewhat proportional to the size of those companies the fines were issued to. This is because under Art. 83 of the GDPR, fines are scaled to the size of the business. Below is a list of the largest fines issued under the GDPR to date:
- British Airways (United Kingdom): The airline was fined 204,600,000 EUR in July 2019 for a failure to enact technical and organizational measures to ensure personal data protection;
- Marriott International (United Kingdom): The hotel chain was fined 110,390,200 EUR in July 2019 for a failure to enact technical and organizational measures to ensure personal data protection;
- Google (France): The technology company was fined 50,000,000 EUR in January for a lack of a legal basis for personal data processing;
- TIM (Italy): The telecommunications operator was fined 27,800,000 EUR in January 2020 for a lack of a legal basis for personal data processing;
- Austrian Post (Austria): The postal service company was fined 18,000,000 EUR in October 2019 for a lack of a legal basis for personal data processing;
- Deutsche Wohnen SE (Germany): The real estate company was fined 14,500,000 EUR in October 2019 for non-compliance with the general data processing principles of the GDPR;
- 1&1 Telecom GmbH (Germany): The telecommunications provider was fined 9,550,000 EUR in December 2019 for a failure to enact technical and organizational measures to ensure personal data protection;
- Eni Gas e Luce (Italy): The energy company was fined 8,500,000 EUR in December 2019 for lacking a legal basis for personal data processing;
- Google (Sweden): The technology company was fined 7,000,000 EUR in March 2020 for a failure to comply with the rights and requests of data subjects;
- Eni Gas e Luce (Italy): The energy company was fined 3,000,000 EUR in December 2019 for lacking a legal basis for personal data processing.
How can businesses avoid being fined under the GDPR?
Under Art. 58 of the GDPR, businesses can be fined simply for failing to respond to the supervisory authority investigating them, as was the case for the Romanian infertility association mentioned above. Cooperation and timely responses to requests from a supervisory authority are one way businesses can avoid further fines and penalties under the GDPR. Businesses can also make use of the GDPR compliance checklist provided by the E.U.