{"id":1151,"date":"2021-09-22T22:13:52","date_gmt":"2021-09-22T20:13:52","guid":{"rendered":"http:\/\/blog.eprivacy.eu\/?p=1151"},"modified":"2021-09-22T22:13:52","modified_gmt":"2021-09-22T20:13:52","slug":"high-fines-for-data-protection-breaches","status":"publish","type":"post","link":"https:\/\/blog.eprivacy.eu\/?p=1151","title":{"rendered":"High fines for data protection breaches"},"content":{"rendered":"\n<p>Where do the authorities currently focus their audits? What should you look for if you want to avoid fines? Much can be learned from the decisions of the data protection authorities and the fines currently imposed!<br>\u00a0<br>In this newsletter we report again on interesting cases during the summer months.<\/p>\n\n\n\n<p><strong>Highest fine ever imposed since the implementation of the GDPR<\/strong><\/p>\n\n\n\n<p>\u00a0<br><strong>Company:<\/strong>\u00a0Amazon Europe Core S.\u00e0.r.l<br><strong>Possible data protection breach:\u00a0<\/strong>Proceedings initiated by the French civil rights organisation \u201cLa Quadrature du Net\u201d on the subject of advertising targeting &#8211; personalised advertising and disclosure of data to third parties<br><strong>The Authority:<\/strong>\u00a0CNPD (Luxembourg Data Protection Authority)<br><strong>Amount of the fine:\u00a0<\/strong>EUR 746.000.000<br>\u00a0<\/p>\n\n\n\n<p><strong>Second highest fine in the history of the GDPR<\/strong><\/p>\n\n\n\n<p><strong>&nbsp;<\/strong><strong><br>Company:&nbsp;<\/strong>WhatsApp<br><strong>Possible data protection breach:&nbsp;<\/strong>The proceedings concerned breaches of the transparency requirements from art. 12 &#8211; 14 of the GDPR. 
The complaint was that the data was forwarded within the Facebook group without this being transparent to the user.<br><strong>Authority<\/strong>: DPC (Irish Data Protection Regulator) and EDPB.<br><strong>Amount of the fine:&nbsp;<\/strong>EUR 225.000.000<br>&nbsp;<\/p>\n\n\n\n<p><strong>Further examples from the past two months<\/strong><\/p>\n\n\n\n<p>\u00a0<br><strong>Company:<\/strong>\u00a0AG2R LA MONDIALE (insurance sector) esp. SGAM AG2R LA MONDIALE.<br><strong>Data protection breach:\u00a0<\/strong>art. 5(1)(e) GDPR, art. 13 GDPR, art. 14 GDPR: Violation of the storage limitation principle for the data of more than 2 million customers and prospects, incl. health data. In addition, advertising calls were not carried out properly. The data subjects were neither sufficiently informed about the data processing in accordance with art. 13 of the GDPR, nor were they informed about their right to object.<br><strong>The Authority:\u00a0<\/strong>CNIL (French Data Protection Authority)<br><strong>Fine:\u00a0<\/strong>EUR 1.750.000<\/p>\n\n\n\n<p><strong>Company:\u00a0<\/strong>MERCADONA, S.A.<br><strong>Data protection breach:\u00a0<\/strong>A facial recognition system installed in 40 supermarkets was used, among other things, to track down convicted persons. As all persons were scanned when entering the stores, this included, among others, minors. This constitutes a violation of the principle of data minimisation, a violation of the duty to inform according to art. 13 GDPR, and at the same time a lack of a data protection impact assessment (art. 5(1)(c) GDPR, art. 6 GDPR, art. 9 GDPR, art. 12 GDPR, art. 13 GDPR, art. 25(1) GDPR, art. 35 GDPR)<br><strong>Authority:\u00a0<\/strong>AEPD (Spanish Data Protection Agency)<br><strong>Fine:<\/strong>\u00a0EUR 2.520.000<br>\u00a0<br><strong>Unknown company<\/strong><br><strong>Data protection breach:<\/strong>\u00a0Lack of involvement and independence of the DPO, which prevented him from providing proper and independent advice. 
For example: lack of involvement in the relevant personal data processing operations, lack of a standardised control plan for compliance with the GDPR and lack of communication to the highest management level. In addition, the DPO was not able to demonstrate sufficient knowledge of data protection law, which could have been deepened with sufficient training (art. 38(1) and (3) GDPR, art. 39(1)(a) and (b) GDPR).<br><strong>The Authority:\u00a0<\/strong>CNPD (Luxembourg Data Protection Authority)<br><strong>Fine:<\/strong>\u00a0EUR 15.000<br>\u00a0<br><strong>Company:<\/strong>\u00a0BANCO BILBAO VIZCAYA ARGENTARIA, S.A.<br><strong>Data protection breach:<\/strong>\u00a0In an automated telephone information service provided by the bank, it was sufficient to provide the ID number of a customer in order to access their account transactions. The authority criticised the breach of the obligation to implement sufficient TOMs (technical and organisational measures) to protect the data (art. 32 GDPR).<br><strong>Authority:\u00a0<\/strong>Agencia Espa\u00f1ola Protecci\u00f3n Datos (AEPD)<br><strong>Fine:<\/strong>\u00a0EUR 120.000<br>\u00a0<br><strong>Company:\u00a0<\/strong>Yes Consumer Solutions Ltd (YCSL), telecommunications company<br><strong>Data protection breach:<\/strong>\u00a0Approximately 200,000 unauthorised advertising calls despite objections. Ironically, the calls were intended to advertise a call protection product marketed by YCSL, which was supposed to enable the blocking of unwanted calls.<br>In addition, all telephone numbers were recorded in the British TPS register. The entry in this register serves to protect against unsolicited calls (art. 55A DPA, art. 
21 PECR).<br><strong>Authority:<\/strong>\u00a0Information Commissioner&#8217;s Office (ICO)<br><strong>Fine:\u00a0<\/strong>EUR 199.812 (GBP 170.000)<br>\u00a0<br><strong>Company:<\/strong>\u00a0Vodafone Espa\u00f1a, S.A.U.<br><strong>Data protection breach:<\/strong>\u00a0Breach of the obligation to delete data. The right to erasure according to art. 17 GDPR is one of the essential data subjects' rights in data protection. Here, companies must respond to the data subject's request within the required deadlines. This requires sound deletion concepts (art. 6(1) GDPR, art. 17(1) GDPR).<br><strong>Authority<\/strong>: Agencia Espa\u00f1ola Protecci\u00f3n Datos (AEPD).<br><strong>Fine:\u00a0<\/strong>EUR 96.000<br>\u00a0<br><strong>Company:\u00a0<\/strong>Operator of Aeroporto Guglielmo Marconi di Bologna S.p.a.<br><strong>Data protection breach:<\/strong>\u00a0Use of a whistleblowing application without sufficient technical and organisational measures (neither a secure network protocol, nor encryption of the data of the reporter, the reported information or the attached documents was provided). The manufacturer of the whistleblowing software, aiComply S.r.l., was also fined. Here, among other things, the required data processing agreements had not been concluded (art. 5(1)(f) GDPR, art. 25 GDPR, art. 28 GDPR, art. 32 GDPR, art. 35 GDPR).<br><strong>Authority:\u00a0<\/strong>Garante per la protezione dei dati personali (GPDP).<br><strong>Total fine:<\/strong>\u00a0EUR 60.000<\/p>\n\n\n\n<p>Your contact at ePrivacy:<\/p>\n\n\n\n<p><a href=\"https:\/\/t5baa4d95.emailsys1a.net\/c\/107\/4167051\/4225\/0\/11201553\/447\/263283\/9df8a6ddcf.html\">https:\/\/t5baa4d95.emailsys1a.net\/c\/107\/4167051\/4225\/0\/11201553\/447\/263283\/9df8a6ddcf.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Where do the authorities currently focus their audits? What should you look for if you want to avoid fines? 
Much can be<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/blog.eprivacy.eu\/?p=1151\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/1151"}],"collection":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1151"}],"version-history":[{"count":1,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/1151\/revisions"}],"predecessor-version":[{"id":1152,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/1151\/revisions\/1152"}],"wp:attachment":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}