High fines for data protection breaches

Where are the authorities currently focusing their audits? What should you look at if you want to avoid fines? Much can be learned from the decisions of the data protection authorities and the fines they are currently imposing.
In this newsletter we again report on notable cases from the summer months.

Highest fine imposed since the GDPR took effect

Company: Amazon Europe Core S.à r.l.
Possible data protection breach: proceedings initiated by a complaint from the French civil rights organisation “La Quadrature du Net” concerning advertising targeting, i.e. personalised advertising and the disclosure of data to third parties.
The Authority: CNPD (Luxembourg Data Protection Authority)
Amount of the fine: EUR 746.000.000

Second highest fine in the history of the GDPR

Possible data protection breach: the proceedings concerned breaches of the transparency obligations in art. 12 to 14 GDPR. The complaint was that data was shared within the Facebook group of companies without this being transparent to users.
Authority: DPC (Irish Data Protection Commission); the amount was set following a binding decision of the EDPB.
Amount of the fine: EUR 225.000.000

Further examples from the past two months

Company: AG2R LA MONDIALE (insurance sector), in particular SGAM AG2R LA MONDIALE.
Data protection breach: art. 5(1)(e) GDPR, art. 13 GDPR, art. 14 GDPR: the storage limitation principle was breached for the data of more than 2 million customers and prospects, including health data. In addition, telephone marketing calls were not conducted properly: the data subjects were neither sufficiently informed about the processing of their data as required by art. 13 GDPR, nor informed of their right to object.
The Authority: CNIL (French Data Protection Authority)
Fine: EUR 1.750.000

Company: MERCADONA, S.A.
Data protection breach: a facial recognition system installed in 40 supermarkets was used, among other things, to identify persons with criminal convictions. Because every person entering the stores was scanned, this also covered minors, among others. The authority found a violation of the principle of data minimisation, no valid legal basis for the processing of biometric data, a breach of the duty to inform under art. 13 GDPR, and the absence of a data protection impact assessment (art. 5(1)(c) GDPR, art. 6 GDPR, art. 9 GDPR, art. 12 GDPR, art. 13 GDPR, art. 25(1) GDPR, art. 35 GDPR).
Authority: AEPD (Spanish Data Protection Agency)
Fine: EUR 2.520.000

Company: not named
Data protection breach: lack of involvement and independence of the DPO, which prevented him from giving proper and independent advice. For example: no involvement in the relevant personal data processing activities, no standardised control plan for monitoring compliance with the GDPR, and no reporting line to the highest management level. In addition, the DPO could not demonstrate sufficient knowledge of data protection law, which adequate training would have remedied (art. 38(1) and (3) GDPR, art. 39(1)(a) and (b) GDPR).
The Authority: CNPD (Luxembourg Data Protection Authority)
Fine: EUR 15.000

Data protection breach: in an automated telephone information service provided by the bank, knowing a customer's ID number was enough to retrieve that customer's account transactions; no further authentication was required. The authority criticised the failure to implement sufficient TOMs (technical and organisational measures) to protect the data (art. 32 GDPR).
Authority: Agencia Española de Protección de Datos (AEPD)
Fine: EUR 120.000

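As an added illustration of the art. 32 point in the bank case above (example code written for this newsletter, not anything from the decision or the bank's systems): an automated information line that releases transactions on the strength of an identifier alone, next to a hardened variant that requires a secret PIN, compares it in constant time, locks the account after repeated failures, and returns the same generic result for unknown IDs, wrong PINs and locked accounts so that callers cannot enumerate valid customers. The customer records, ID numbers, PINs and transaction lines are constructed sample data; `weak_lookup`, `hardened_lookup` and the store `CUSTOMERS` are names chosen for this example.

```python
"""Weak vs. hardened authentication for an automated account-information line.

Added example for this newsletter; the customer records below are constructed
sample data, not real accounts.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 3


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of the PIN so a leaked store does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Customer:
    id_number: str          # printed on ID cards, contracts, letters: NOT a secret
    pin_salt: bytes
    pin_hash: bytes
    transactions: list
    failed_attempts: int = 0
    locked: bool = False


def make_customer(id_number: str, pin: str, transactions: list) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(id_number, salt, _hash_pin(pin, salt), transactions)


# Constructed sample store (hypothetical ID numbers, PINs and transactions).
CUSTOMERS = {
    "12345678A": make_customer("12345678A", "4711",
                               ["2021-07-01 -45.00 supermarket",
                                "2021-07-03 +1200.00 salary"]),
    "87654321B": make_customer("87654321B", "2580",
                               ["2021-07-02 -9.99 streaming"]),
}


def weak_lookup(id_number: str):
    """VULNERABLE: anyone who knows (or guesses) an ID number gets the transactions.

    This mirrors the failing criticised under art. 32 GDPR: the identifier is
    known to many people around the customer, so it authenticates nobody.
    """
    customer = CUSTOMERS.get(id_number)
    return customer.transactions if customer else None


def hardened_lookup(id_number: str, pin: str):
    """Requires a secret factor and returns one generic failure for every error.

    - unknown ID, wrong PIN and locked account all return None, so the caller
      cannot enumerate valid IDs from the response;
    - the PIN hash is compared in constant time;
    - after MAX_FAILED_ATTEMPTS wrong PINs the account is locked until a
      separate, out-of-band unlock (not modelled here).
    """
    customer = CUSTOMERS.get(id_number)
    if customer is None:
        # Do the same expensive work for unknown IDs so response time does not
        # reveal whether the ID exists.
        _hash_pin(pin, bytes(16))
        return None
    if customer.locked:
        return None
    if hmac.compare_digest(_hash_pin(pin, customer.pin_salt), customer.pin_hash):
        customer.failed_attempts = 0
        return customer.transactions
    customer.failed_attempts += 1
    if customer.failed_attempts >= MAX_FAILED_ATTEMPTS:
        customer.locked = True
    return None


if __name__ == "__main__":
    print("weak, ID only:      ", weak_lookup("12345678A"))
    print("hardened, no PIN:   ", hardened_lookup("12345678A", ""))
    print("hardened, right PIN:", hardened_lookup("12345678A", "4711"))
```

The hardened path still only gives a knowledge factor; for a real telephone channel one would additionally bind the session to the calling line or a one-time code sent to the registered phone, and log failed attempts per caller as well as per account.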
Company: Yes Consumer Solutions Ltd (YCSL), telecommunications company
Data protection breach: approximately 200,000 unsolicited marketing calls despite prior objection. Ironically, the calls advertised a call-blocking product marketed by YCSL that was supposed to stop unwanted calls.
Moreover, all of the numbers called were registered with the UK Telephone Preference Service (TPS), which exists precisely to protect subscribers from unsolicited marketing calls (s. 55A DPA 1998, reg. 21 PECR).
Authority: Information Commissioner’s Office (ICO)
Fine: EUR 199.812 (GBP 170.000)

Company: Vodafone España, S.A.U.
Data protection breach: failure to comply with the obligation to erase data. The right to erasure under art. 17 GDPR is one of the essential data subject rights. Companies must respond to such requests within the statutory deadline, which presupposes a workable deletion concept that covers every system in which the data is held (art. 6(1) GDPR, art. 17(1) GDPR).
Authority: Agencia Española de Protección de Datos (AEPD).
Fine: EUR 96.000

Company: Aeroporto Guglielmo Marconi di Bologna S.p.A. (airport operator)
Data protection breach: use of a whistleblowing application without sufficient technical and organisational measures: the application used neither a secure transport protocol (such as HTTPS) nor encryption of the reporter's identity, the reported information or the attached documents. The manufacturer of the whistleblowing software, aiComply S.r.l., was also fined; among other things, no data processing agreement had been concluded (art. 5(1)(f) GDPR, art. 25 GDPR, art. 28 GDPR, art. 32 GDPR, art. 35 GDPR).
Authority: Garante per la protezione dei dati personali (GPDP).
Total fine: EUR 60.000

Your contact at ePrivacy: