When it comes to processing personal data, 2020 was quite an eventful year. The effort to reduce the spread of COVID-19 had a direct impact on businesses in all industries. Here is a gdpr fines list to help you understand the importance of staying compliant.
The implementation of emergency measures for health and safety of employees and contractors has led to a massive increase of collecting and processing sensitive data. However, the obligations of data controllers or data processors to comply with the GDPR (General Data Protection Regulation) remained the same.
The Data Protection Authorities (DPAs) have issued numerous sanctions in their on-going efforts to protect data. Violating the regulations even if unintentional does not relieve a company’s responsibilities under the law. In addition to fines, companies also risk significant damage to their brand reputation and losing the trust of their clients.
€50 million and €100 million fines for the giant company Google
On the 21st of January 2019, CNIL (Commission Nationale de l’informatique et des Libertés) fined Google with €50 million for the lack of transparency towards data subjects, for the lack of valid consent on ads personalization and for not offering proper and clear information to the users.
The company loses the appealing paying the large amount established by the CNIL on the 12th of June 2020.
Then, on the 7th of December 2020, the the French Authority imposed a penalty of €60 million on Google LLC and €40 million for Google Ireland. The big tech firm placed advertising cookies in the users’ computers without their consent. Is one of the biggest fines imposed for such data breach.
Vodafone Italy fined with over €12 million for abusive telemarketing
The Italian Supervisory Authority demonstrated through its investigation that Vodafone was illegally processing users’ personal data for commercial purposes.
‘’Several complaints and alerts had been submitted to the Garante by customers who had been contacted by operators purporting to be acting on Vodafone’s behalf and requesting IDs to be sent to them via WhatsApp – quite likely for purposes related to spamming, phishing or other fraudulent activities.’’
Massive data breach by Marriot International Inc fined with £18.4 million
A cyber-attack which took place in 2014 on Starwood Hotels affected approximately 339 million guests worldwide. Marriott acquired Starwood Hotels in 2016. According to the ICO’s report, Marriot did not detect the attack when acquiring Starwood. Moreover the attacker continued to access personal data of the guests even after the GDPR came into force.
The attacker installed a code known as ‘’web shell’’ through which he had authorized, unrestricted access to several devices. Moreover, he managed to get in possession of several login credentials and accessed the database storing reservation data and exported it.
The breach took place before the UK left EU, specifically on the 28th of May 2018. Therefore, the ICO took the decision to sanction Marriot, also approved by all the other EU DPAs.
According to ICO, Marriot reacted as soon as it discovered the attack and contacted its customers and the supervisory authority. It has also taken the necessary measures to ensure greater security of the systems and tools used.
H&M fined with over €30 million unlawfully storing and collecting personal data of their employees
On the 1st of October 2020, The Swedish clothing company H&M (Hennes & Mauritz) has been fined €35.5 million by the German Data Protection Authority after a data leak from a service center from Nuremberg Germany, which revealed the illegal collection of personal data of the employees by the managers.
The monitoring activity targeted several hundred employees at the service center. Since 2014, H&M managers have been gathering information related to employees’ privacy, such as medical diagnoses, family issues and religious beliefs.
The collected data was digitally recorded and stored in a system that could be accessed by 50 managers.
H&M admitted that there were deficiencies in the service center, claiming that they took measures to correct these situations.
Additional Fines and Regulatory Actions
The GDPR did not take a break even in the last days of the year. For the companies and businesses that may have thought that data protection authorities are ‘’on vacation’’, they are wrong.
TUiR Warta S.A., a consulting company from Poland received a fine on the 28th of December 2020 of €18,930 for insufficient fulfillment of data breach notification obligations.
On the 30th of December 2020, ING Bank N.V. Amsterdam Romania was fined with €3,000 for insufficient legal basis for data processing.
DPAs imposed fines in the New Year as well. The German authority imposed the largest fine to notebooksbilliger.de AG, a German electronics company on the 8th of January. The company monitored its employees through surveillance cameras for two years without any legal basis. For this reason, the State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of €10.4 million.
On the 4th of January, 11 companies from Czech Republic received fines with a total of €118,500 for misusing data to spread unsolicited messages that appeared in citizens' data boxes. On the same day, Vodafone Spain received a €54,000 fine for non-compliance with the GDPR principles. Also, the Norwegian authority fined Innovation Norway (a state-owned company and a national development bank) with €95,500 for insufficient legal basis for data processing.
The impact of the COVID-19 pandemic included significant increases in levels of data processing. Data controllers and data processors must ensure, especially in times like these, that they are compliant with the current law and remain up to date with any changes that may occur to the regulations. Read more about GDPR fines and penalties and how to avoid them. Contact us for further information.