How much can a GDPR breach cost you?

03.12.2020


The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.

Two tiers of GDPR fines

The GDPR states explicitly that some violations are more severe than others. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement. You can find more details related to fines on EU official GDPR page: https://gdpr.eu/fines/


GDPR Fines

The image above shows the sum of GDPR fines as of November 2020: a total of €261M resulting from 419 GDPR fines, ranging from the smallest penalty, as little as €90, issued to a hospital in Hungary, all the way up to the famous €50M case of Google, LLC. The French court dismissed Google's appeal on June 19th 2019, making it clear to everyone that enforcing GDPR will be one of the EU's top priorities in the years to come.

As mentioned above, the total amount of GDPR fines issued was €261M for 419 cases, which makes the average penalty €624,068, over half a million EUR per incident.

Course of overall sum of GDPR fines

The web page GDPR Enforcement Tracker gives quite a good insight into GDPR fines, with summaries of all fines by country, by month and more. The image above shows the course of the overall sum of fines over the years. As you can see, since July 2018 the graph shows significant growth both in the total amount and in the number of cases, which confirms that GDPR is a high priority for regulators in the EU.

The price of GDPR penalties (2020)

The list of GDPR penalties is growing each day, and 2020 has been "the most expensive" year since GDPR was implemented. Let me just remind you of some of the top cases and the costs involved.

H&M GDPR

H&M fined record €35 million for illegal surveillance of employees

German data protection authorities fined clothing chain H&M €35.3 million ($41.4 million) over illegal surveillance of employees, after the Swedish firm delved deeply into the private lives of its staff members. The amount is the highest financial penalty for such breaches in Germany since the 2018 European Union legislation, the General Data Protection Regulation (GDPR), came into force, and the second highest of its kind on the continent after French regulators fined Google €50 million last year for a GDPR violation.


€27,8 million GDPR fine for Italian Telecom -TIM

On January 15, 2020, the Italian Data Protection Authority (Garante) issued a €27,8 million fine to TIM, a telecommunications operator. The fine was issued for violations of the GDPR, with emphasis on unlawful data processing, a non-compliant aggressive marketing strategy, invalid collection of consents and an excessive data retention period.

British Airways

ICO fines British Airways £20m for data breach affecting more than 400,000 customers

The breach took place in 2018 and affected both personal and credit card data. The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019. It said "the economic impact of Covid-19" had been taken into account.


ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure

The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.


Carrefour Group fined with €3.05 Million for GDPR breach in France

On November 26, 2020, the French Data Protection Authority (the “CNIL”) fined two companies of the Carrefour Group a total of €3.05 million: €2.25 million for Carrefour France and €800,000 for Carrefour Banque, for various violations of the EU General Data Protection Regulation (“GDPR”) and of Article 82 of the French Data Protection Act governing the use of cookies.

There are no exceptions

Ok, so you've probably been reading the article so far and thinking: "Yeah, those are big players and just marketing names. I'm an SMB owner, it doesn't really affect me. No one is interested in my small piece of personal data and low penalties."

Well, sorry to tell you, but you are WRONG. There are really no exceptions, and penalties are issued from as low as €30 up to €50M. Whether you are a cafe, a hospital, a college, a private person or a company, the rules apply to everyone. See below some smaller local cases and the penalties issued for violating GDPR.

Cafe B.B.B. Spain

Spain: AEPD fines Café B.B.B. €900 for breach of Article 83(5) of the GDPR

The City Council of Antequera filed a complaint against the café due to the installation of a camera on the facade of the premises oriented towards a public space, ignoring the recommendations of the local police. In addition, the AEPD fined the café €1,500, which was subsequently reduced to €900.

Cyprus

Cyprus: Commissioner fines Grant Ideas Ltd €1,000 for sending unsolicited emails

The Office of the Commissioner for Personal Data Protection ('the Commissioner') announced, on 19 October 2020, its decision to fine Grant Ideas Ltd €1,000 for sending emails without the consent of recipients.

Medical Team

The Romanian National Supervisory Authority sanctions Nicola Medical Team 17 SRL with 2,000 EURO

On the 2nd of December 2019, in the exercise of its investigative powers, the National Supervisory Authority sanctioned the controller Nicola Medical Team 17 SRL with a fine in the amount of 9,555.4 lei, equivalent to the amount of 2000 euros, for the deed provided by Article 83 paragraphs (5) and (6) of Regulation (EU) 2016/679, related to Article 58 paragraph (1) letter a) and letter e) and in conjunction with Article 8 of Government Ordinance no. 2/2001.

New York College SA

Greece: HDPA fines New York College €5,000 for breach of GDPR accountability obligation

The Hellenic Data Protection Authority ('HDPA') issued, on 29 June 2020, a decision fining New York College S.A. €5,000 for breaching the accountability obligation under Article 5 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, following a complaint in relation to New York College directly contacting the complainant by telephone about an education programme, as well as subsequently failing to adequately respond to the complainant's request for information and access to their personal data, the HDPA found that New York College was a data controller as they had processed information relating to the employment status of the complainant.


Denmark: Datatilsynet fines JobTeam €7,000 for GDPR violation

The Danish data protection authority ('Datatilsynet') announced, on 15 May 2020, its decision to fine JobTeam A/S DKK 50,000 (approx. €6,700) for its failure to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') requirement that personal data must be processed legally and transparently. In particular, the Datatilsynet highlighted that JobTeam deleted personal data covered by a subject access request ('SAR') during the period after the SAR was made, and before responding to the SAR.


Italy: Garante fines Merlini €200,000 for GDPR violations

The Italian data protection authority ('Garante') announced, on 13 July 2020, that it had issued a decision ('the Decision') fining Merlini s.r.l. €200,000 for violation of Articles 5, 6, 7, 28, and 29 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as Article 130 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to GDPR ('the Code'). In particular, the Garante outlined that Merlini carried out, through a third-party provider, telemarketing activities on behalf of Wind Tre S.p.A.

Some more interesting cases include:

How is the GDPR fine amount calculated?

Under the GDPR, fines are administered by the data protection regulator in each EU country. That authority will determine whether an infringement has occurred and the severity of the penalty.

They will use the following 10 criteria to determine whether a fine will be assessed and in what amount:

  1. Gravity and nature: The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
  2. Intention: Whether the infringement was intentional or the result of negligence.
  3. Mitigation: Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
  4. Precautionary measures: The amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR.
  5. History: Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
  6. Cooperation: Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
  7. Data category: What type of personal data the infringement affects.
  8. Notification: Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
  9. Certification: Whether the firm followed approved codes of conduct or was previously certified.
  10. Aggravating/mitigating factors: Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

If regulators determine an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.

Conclusion

The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.

So, in real life, it really depends on the regulator how high the fine for a breach will be, mostly considering whether it was intentional or unintentional; at least that's what we learned from recent cases. Companies which did it on purpose (such as H&M) received significantly higher penalties, even with less data affected, than others, which got their original penalties significantly reduced after proving that it was unintentional or that their systems were breached by outside hacks.

