Most GDPR sanctions result from treating privacy as a formal checkbox, as a link to the Privacy Notice at the bottom of the site, rather than as a practical measure. That is why employees of a company often simply do not get the information on how to handle personal data.
Below are examples of fines imposed by supervisory authorities in different EU countries that unequivocally illustrate this point.
Right of access – Iberia Lae SA Operadora Unipersonal – 40,000 euros
On August 12, 2017, the applicant exercised the right of access to their personal data at Iberia (the Spanish carrier). Specifically, the data subject requested access to four phone records from August 8, 9, and 11, 2017. The company responded that it “could not provide access to the data, except upon a court order.” The data subject filed a complaint with the Spanish supervisory authority, which found that the subject’s right of access had been violated and that the company had failed to follow the procedure for cooperating with the supervisory authority under Article 58 of the GDPR. As a result, the air carrier was fined 40,000 euros and accepted the sanction.
Retention period and security measures – Digi Távközlési Szolgáltató Kft. – 288,000 euros
A Hungarian e-communications service provider attracted the attention of the supervisory authority for breaches of several GDPR articles at once. The company had created a database to address an information security incident, but once the incident was resolved, the database was not deleted. Users’ personal data remained stored on systems in use without any purpose or legal basis for the processing. In addition, the company did not apply appropriate technical and organizational measures in the field of data security: the personal data were not encrypted, and the databases could be accessed by exploiting a vulnerability in the public website digi.hu. The supervisory authority imposed a fine of HUF 100,000,000, which at the time the breach was detected was the equivalent of EUR 288,000.
Information security – Telenor Norge AS – 134,000 euros
The Norwegian supervisory authority opened a case based on information that the telecommunications company Telenor had found a security breach in its voicemail function. For several years, it had been possible to gain access to mobile voicemail boxes using “spoofing services” and eavesdrop on the messages of approximately 1.3 million mobile subscribers in Norway. Earlier, for violating the Electronic Communications Act under the same circumstances, the National Communications Authority had decided to impose a fine of NOK 1.5 million, the equivalent of 134,000 euros. To prevent the company from being penalized twice for the same violation, the supervisory authority issued a reprimand.
Biometrics – Unknown entity – 725,000 euros
The organization required its employees to scan their fingerprints to record attendance. However, as the Dutch data protection regulator stated in its decision, the organization could not rely on any of the exemptions permitting the processing of this special category of personal data, and the company could not provide any evidence that the employees had given their consent to this data processing.
Retention period and privacy by design – Deutsche Wohnen SE – 14,500,000 euros
During inspections in June 2017 and March 2019, the Berlin supervisory authority found that the company used an archiving system to store tenants’ personal data. The system offered no option to delete data that was no longer needed. The tenants’ personal data had been stored without their consent, in some cases for several years, and could therefore still be accessed even though the original purpose of the storage no longer applied. The data comprised tenants’ personal and financial information, such as wage statements, employment and training contract statements, tax, social security and health insurance information, and bank statements. Even after the data protection commissioner in Berlin issued an urgent recommendation to change the archiving system, the company still failed to clear its database.
Limitation of access – Sapienza Università di Roma – 30,000 euros
The university notified the Italian supervisory authority that it had revealed the identities of two people who had reported possible illegal behavior at the university. The violation was due to the lack of adequate technical access control measures in the management system, which did not restrict access to such data to authorized personnel only. The university was fined €30,000.
Privacy by Design – UniCredit Bank SA – 130,000 euros
A fine of 130,000 euros was handed down for a Privacy by Design violation that led to the disclosure of the online identifiers and transactions of 337,042 data subjects. The online banking system was designed so that the recipient of a payment was unnecessarily shown the address and passport details of the payer. The Romanian supervisory authority emphasized that when developing and designing applications, services and products that are based on the processing of personal data, companies should take the right to the protection of personal data into account.
Information security – 1&1 Telecom GmbH – 9,550,000 euros
In the case of 1&1 Telecom GmbH, the German supervisory authority became aware that people who called the company’s customer service line could obtain extensive information about the personal data of another customer simply by providing that customer’s name and date of birth. The supervisory authority regarded this as a violation of Article 32 of the GDPR, which requires the company to take appropriate technical and organizational measures to systematically protect the processing of personal data. The company cooperated with the authority and revised its authentication procedure, which was significantly improved in terms of technology and data protection, but despite these measures, the authority still decided to impose a fine.
Transparency obligations and lack of an appropriate legal basis – Google Inc – 50,000,000 euros
The French supervisory authority found two types of GDPR violations: a violation of transparency obligations (the information provided by Google was not easily accessible to users, and some of it was not always clear and complete) and an incorrect legal basis for processing for personalized advertising. Google stated that it had obtained user consent to process data for personalized advertising purposes. However, that consent was insufficiently informed and neither “specific” nor “unambiguous”.
Top 3 highest fines under the GDPR