The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.
The GDPR states explicitly that some violations are more severe than others. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement. You can find more details related to fines on the EU official GDPR page: https://gdpr.eu/fines/
The image above shows the sum of GDPR fines as of November 2020: a total of €261M resulting from 419 GDPR fines, ranging from the smallest penalty, issued to a hospital in Hungary for as little as €90, all the way up to the famous €50M case against Google LLC. The French court dismissed Google's appeal on June 19th 2019, making it clear to everyone that enforcing GDPR will be one of the top EU priorities in the years to come.
As mentioned above, the total amount of issued GDPR fines was €261M for 419 cases, which makes the average penalty €624,068, over half a million EUR per incident.
The web page called GDPR Enforcement Tracker gives quite a good insight into GDPR fines, such as a summary of all fines, per country, per month and more. The image above shows the course of the overall sum of fines over the years. As you can see, since July 2018 the graph shows significant growth in the total amount as well as in the number of cases, which confirms that GDPR is a high priority for regulators in the EU.
The list of GDPR penalties is growing each day, and 2020 has been "the most expensive" year since GDPR was implemented. Let me just remind you of some of the top cases and the costs involved.
German data protection authorities fined the clothing chain H&M €35.3 million ($41.4 million) over illegal surveillance of employees, as the Swedish firm delved deeply into the private lives of its staff members. The amount is the highest financial penalty for such breaches in Germany since the 2018 European Union legislation, the General Data Protection Regulation (GDPR), came into force, and the second highest of its kind throughout the continent after French regulators fined Google €50 million last year for a GDPR violation.
On January 15, 2020, the Italian Data Protection Authority (Garante) issued a €27.8 million fine to TIM (a telecommunications operator). The fine was issued for violation of the GDPR, with emphasis on unlawful data processing, a non-compliant aggressive marketing strategy, invalid collection of consents and an excessive data retention period.
The breach took place in 2018 and affected both personal and credit card data. The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019. It said "the economic impact of Covid-19" had been taken into account.
The ICO has fined Marriott International Inc £18.4 million for failing to keep millions of customers' personal data secure. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
On November 26, 2020, the French Data Protection Authority (the "CNIL") fined two companies of the Carrefour Group a total of €3.05 million: €2.25 million for Carrefour France and €800,000 for Carrefour Banque, for various violations of the EU General Data Protection Regulation ("GDPR") and of Article 82 of the French Data Protection Act governing the use of cookies.
Ok, so you've probably been reading the article so far and thinking: "Yeah, those are big players and just marketing names. I'm an SMB owner, it doesn't really affect me. No one is interested in my small piece of personal data and low penalties."
Well, sorry to tell you, but you are WRONG. There are really no exceptions, and penalties are issued from as low as €30 up to €50M. Whether you are a cafe, hospital, college, private person or company, the rules apply to everyone. See below some smaller local cases and penalties issued for violating GDPR.
The City Council of Antequera filed a complaint against a café due to the installation of a camera on the facade of the premises oriented towards a public space, ignoring the recommendations of the local police. In addition, the AEPD fined the café €1,500, which was subsequently reduced to €900.
The Office of the Commissioner for Personal Data Protection ('the Commissioner') announced, on 19 October 2020, its decision to fine Grant Ideas Ltd €1,000 for sending emails without the consent of recipients.
On the 2nd of December 2019, in the exercise of its investigative powers, the National Supervisory Authority sanctioned the controller Nicola Medical Team 17 SRL with a fine in the amount of 9,555.4 lei, equivalent to the amount of 2000 euros, for the deed provided by Article 83 paragraphs (5) and (6) of Regulation (EU) 2016/679, related to Article 58 paragraph (1) letter a) and letter e) and in conjunction with Article 8 of Government Ordinance no. 2/2001.
The Hellenic Data Protection Authority ('HDPA') issued, on 29 June 2020, a decision fining New York College S.A. €5,000 for breaching the accountability obligation under Article 5 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, following a complaint in relation to New York College directly contacting the complainant by telephone about an education programme, as well as subsequently failing to adequately respond to the complainant's request for information and access to their personal data, the HDPA found that New York College was a data controller as they had processed information relating to the employment status of the complainant.
The Danish data protection authority ('Datatilsynet') announced, on 15 May 2020, its decision to fine JobTeam A/S DKK 50,000 (approx. €6,700) for its failure to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') requirement that personal data must be processed legally and transparently. In particular, the Datatilsynet highlighted that JobTeam deleted personal data covered by a subject access request ('SAR') during the period after the SAR was made, and before responding to the SAR.
The Italian data protection authority ('Garante') announced, on 13 July 2020, that it had issued a decision ('the Decision') fining Merlini s.r.l. €200,000 for violation of Articles 5, 6, 7, 28, and 29 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as Article 130 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to GDPR ('the Code'). In particular, the Garante outlined that Merlini carried out, through a third-party provider, telemarketing activities on behalf of Wind Tre S.p.A.
Some more interesting cases include:
Under the GDPR, fines are administered by the data protection regulator in each EU country. That authority will determine whether an infringement has occurred and the severity of the penalty.
They will use the following 10 criteria to determine whether a fine will be assessed and in what amount:
If regulators determine an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
So, in real life, how high the fine for a breach will be really depends on the regulator, mostly considering whether the violation was intentional or unintentional; at least that's what we learned from recent cases. Companies which did it on purpose (such as H&M) received significantly higher penalties, even with less data affected than others, whose original penalties were significantly reduced after they proved that the violation was unintentional or that their systems were breached by outside attackers.