TOP 6 GDPR fines: Non-compliance can cost millions
The General Data Protection Regulation (GDPR) has been in force for two and a half years. It was adopted two years before that, in the spring of 2016, so organizations had ample time to prepare for the new rules and procedures for processing personal data.
In terms of the rights and obligations directly related to the processing of personal data, the GDPR did not bring any radical changes. What it did introduce is a number of new processes and instruments intended to help organizations comply with the rules, such as data protection impact assessments, records of processing activities, data breach management and the appointment of a Data Protection Officer.
The GDPR has also significantly increased the fines that can be imposed for breaches of obligations in this area. Under the previous Act No. 101/2000 Coll., on the Protection of Personal Data, a fine of up to CZK 10 million (~ EUR 383 000) could be imposed for the relevant offences, such as processing personal data without a legal basis or inadequate security measures.
The Office for Personal Data Protection never reached the upper limit of this fine in the 18 years the Act was in effect. The highest fines imposed for non-compliance with the former law ranged from CZK 2-3 million (~ EUR 77 000 – 115 000).
Under the GDPR, which is directly applicable in all Member States of the European Union, breaches of the procedural obligations (such as the impact assessment, the appointment of a Data Protection Officer, incident management, etc.) can be punished with fines of up to EUR 10 million or up to 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
For violations of the basic rules and obligations for data processing, such as defining the scope of processing, the retention period or the legal basis for processing, or handling requests from data subjects (right of access, right to erasure, etc.), the organization faces fines of up to EUR 20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Many European supervisory authorities have already resorted to imposing high fines. These cases serve as examples of what organizations have been doing wrong when applying the GDPR in practice, and of which breaches are considered the most serious.
Let's start with one of the best-known cases: the British Airways data breach. In 2018, the personal data (including payment card data) of over 400,000 BA customers was compromised. The British supervisory authority originally announced its intention to impose a fine of £183 million. After lengthy proceedings, the British authority imposed a fine of £20 million on BA a few months ago.
Last autumn brought a series of high fines. The Hamburg Data Protection Authority fined H&M EUR 35.3 million for unlawful processing of employees' personal data. H&M kept extensive records on its service centre employees, including information about their personal and family circumstances, their health status or symptoms of illness, and their religious or philosophical beliefs. The company systematically recorded these clearly excessive data and used them, among other things, in decisions about terminating employment contracts. The way this practice came to light is also telling: in 2019, due to a technical error, this detailed information was accessible for several hours to everyone on the company network.
Beyond the basic processing rules, the handling of data subjects' rights (such as the right of access, rectification or erasure of personal data) is another major area of enforcement.
The Dutch supervisory authority imposed a fine of EUR 830,000 on a credit register operator for obstructing the exercise of these rights. The operator charged data subjects a fee for sending an electronic copy of the data it processed, i.e. their credit score documents. The documents could be obtained in paper form, but only once a year. According to the Dutch authority, this practice was clearly non-compliant with the GDPR, which requires data controllers to facilitate the exercise of the data subject's rights as much as possible and to charge, if at all, only for costs actually incurred.
However, even a supportive approach to handling data subjects' requests has its limits. The German telecommunications operator 1 & 1 Telecom GmbH set up its process so that anyone could call the customer information line and obtain detailed and sensitive customer data simply by stating the customer's name and date of birth, with no further verification. Name and date of birth are not secrets; they are readily obtainable by anyone targeting a specific person, so they cannot serve as the sole proof of identity before data is released. The German authority fined the company EUR 9 550 000.
Let's have a look at the south of Europe: the Italian authority imposed a fine of EUR 17 million on the local telecommunications operator Wind Tre SpA for violating several rules on processing personal data for marketing purposes. The violation mainly concerned marketing to users without their consent and without giving them an easy way to stop further communications.
The Czech Office for Personal Data Protection also imposed a heavy fine for marketing communications that violated the relevant regulations. The Office fined an unnamed car dealer CZK 6 million (~ EUR 230 000) for sending unsolicited commercial communications to its customers.
In this context, it is worth mentioning that the administrative court recently confirmed the Office's approach, under which liability for disseminating unsolicited commercial communications attaches not only to those who actually send the messages, but also to those who commission their distribution without ensuring that the sender proceeds correctly and in compliance with the law. A vague contractual arrangement is therefore not sufficient; a real process, based on a risk assessment and the adoption of adequate measures, is required.
It is clear that high fines are already common practice in many European countries. If an organization operating in the Czech Republic takes part in cross-border processing of personal data, for example as a member of a group whose parent company is based in Germany, a possible inspection would be led by the German supervisory authority as the lead authority under the GDPR's one-stop-shop mechanism.
And as we can see, the authorities do not hesitate to impose high fines. Investing in GDPR compliance and rectifying deficiencies is therefore both important and worthwhile.