Fines under the GDPR – current status

The feared wave of penalties after the GDPR came into force in May 2018 did not seem to materialize. But now the authorities' grace period appears to be over. Media reports about fine proceedings are increasing, and further inspections by the supervisory authorities are expected in 2019. Here is a non-exhaustive overview of the major fines recently imposed and the inspections that have been announced.
The data protection officer of Baden-Württemberg has announced 2019 as the year of inspections and expects a strong increase in the number of warning notices. After we reported on the Knuddels fine in our last newsletter, a fine of 80,000 euros has been imposed in another case. Health data is said to have accidentally ended up on the Internet. Further details on the case are not yet known.
The authorities are targeting social media companies and companies that manage large amounts of sensitive data, the data protection officer told SWR Aktuell Baden-Württemberg. “We have the authority of the public prosecutor’s office,” which means that the authorities can carry out checks even without existing complaints.
In Thuringia, a total of 65 fine proceedings for violations of the GDPR have been initiated since May 2018. In two particularly severe cases, the fine is said to have exceeded 10,000 euros each, with the highest fine amounting to 12,000 euros. According to the Thüringer Allgemeine, one case involved the transfer of data to a business successor without the consent of the data subjects, and the other involved video recordings in a restaurant.
A fine of 5000 € was imposed on a small Hamburg company. The reason is said to be the lack of a data processing agreement, and the trigger was a request to the data protection authority in Hamburg. If companies have to expect fines when asking data protection authorities for advice, this would have serious consequences for their willingness to cooperate voluntarily with the authorities.
The biggest fine in the history of European data protection has been imposed on Google by the CNIL (French data protection authority). 50 million is by far the highest fine for violations of the GDPR so far.
Google is said to have violated its information and transparency obligations. “Essential information, such as the purpose of the data processing, the storage times or the categories of personal data used for the personalisation of the advertisements, are spread too much over several documents, with buttons and links that have to be clicked to access additional information,” according to the CNIL. The lack of information prevents users from identifying which Google services (YouTube, Maps, Drive) are involved in data processing.
Another violation, according to the CNIL, is the lack of GDPR-compliant user consent to the use of their data for advertising purposes. Furthermore, it is not possible to object fundamentally to data collection when setting up a Google account.