Search

How can we help?

Icon

GDPR Fines Across the EU

The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.  Now, as we celebrate the GDPR’s 18-month birthday, it’s a good opportunity to take a look at some of the largest fines imposed to date and where in the EU we are seeing these.

The United Kingdom

The UK has issued notices of intent which would see it imposing the two highest fines so far!

8 July 2019, British Airways, €204,600,000.00.  The ICO has issued an intention to fine only at this stage and has been issued as a result of a failure to adequately protect personal data. Users of British Airways’ website were diverted to a fraudulent site by hackers. Through this false site, details of about 500,000 customers were harvested. This case is currently being appealed by British Airways.

9 July 2019, Marriott International, €110,390,200.00. Again, the ICO has announced an intention to fine only at this stage.  According to the ICO, the systems of Marriot’s subsidiary, Starwood hotels group were allegedly compromised in 2014. This was left undiscovered until 2018. The personal data of approximately 339 million guests was allegedly exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents). The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

France

France currently holds the record for the highest fine actually imposed at €50,000,000.

21 January 2019, Google, €50,000,000.  CNIL imposed this fine on Google for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.’ CNIL said that the ‘users are not able to fully understand the extent of the processing operations carried out by Google’ as the essential information was spread across numerous documents and difficult to access. CNIL went on to state that Google had failed to obtain a valid legal basis to process user data and had the “customised ad” boxes pre-ticked for consumers, therefore not allowing valid consent.

Austria

23 October 2019, Austrian Post, €18,000,000.  DSB issued Austrian Post with this fine as it had created profiles for over 3 million people which included details such as their addresses, personal preferences/habits and possible political allegiances which it then sold to organisations including political parties.

Germany

30 October 2019, Deutsche Wohnen SE, €14,500,000.  The Data Protection Authority of Berlin issued this fine against Deutsche Wohnen SE as it had stored personal data in its archiving system but did not have a way to erase the data when it was no longer necessary.  This personal data included financial information such as payslips, tax data, social security data, and bank statements. This breach was flagged in 2017 by the Berlin Data Protection Authority, but there was no evidence of it having been remedied by March 2019.  This case is currently being appealed.

Bulgaria

28 August 2019, National Revenue Agency, €2,600,000. KZLD imposed this fine as a result of the National Revenue Agency failing to adequately protect personal data, resulting in the theft of data relating to 6 million people following a cyber-attack.

Louise Keenan

Associate

View profile

+44 118 960 4614

The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.

Holland

31 October 2019, UWV, €900,000.  AP imposed this fine due to inadequate security measures in respect of UWV’s online employer portal which allowed wide access to health data.

Poland

10 September 2019, Morele.net, €644,780.  UODO imposed this fine as Morele.net failed to put adequate security and organisational measures in place which led to over 2 million individuals’ personal data being accessed without authorisation.

Since the introduction of GDPR in 2018, many organisations have been quick to adapt and become compliant. However, it is clear that even companies with significant resources have fallen foul of the new accountability requirement of the GDPR and are now facing substantial fines. Businesses should be proactive in their efforts to ensure that all departments look closely at the data they collect and how they handle it.

Click here to contact Clarkslegal’s Data Protection team.

 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Louise Keenan

Associate

View profile

+44 118 960 4614

About this article

Read, listen and watch our latest insights

art
  • 01 June 2023
  • Employment

Facts employees should know about their personal data

We previously published an article on facts an employer should know about holding personal data, so it is only fair that we also write about the other side of the coin – facts employees should know as individuals whose personal data is held by their employer.

art
  • 01 June 2023
  • Immigration

What is the Immigration Skills Charge (ISC) and how much do you have to pay?

The Immigration Skills Charge (ISC) is a levy on companies who sponsor migrant workers. This levy was imposed on 6 April 2017. The Government states that the charge has been levied to contribute towards addressing the skills gap in the local economy.

art
  • 26 May 2023
  • Employment

Avoiding discrimination in flexible working requests

The right to request flexible working is currently available to employees with at least 26 weeks’ service and is set to be extended further under new Government reforms.

art
  • 25 May 2023
  • Corporate and M&A

Management Buyout – Top 5 things to consider

A management buyout is a financial transaction in which a member of the management team purchases the company from its registered owner. MBO’s usually occur in private companies in an effort to enhance profitability and simplify strategies.

art
  • 25 May 2023
  • Employment

Carer’s Leave Bill set to become law

On 19 May 2023, the Carer’s Leave Bill had its third reading in the House of Lords, and upon receiving Royal Assent, will become law. There is not yet a date for the implementation of this bill, however it is likely that this will happen relatively quickly upon receiving Royal Assent, so is definitely one to keep an eye on.

art
  • 18 May 2023
  • Immigration

Navigating SOC Codes

When it comes to UK immigration, understanding the intricacies of the system is vital. One significant aspect of the process revolves around Standard Occupational Classification (SOC) codes. SOC codes play a crucial role in determining the eligibility for an individual to apply for a work visa, assessing skill levels, and matching individuals to appropriate job roles.