- 04 December 2019
- Privacy and Data Protection
The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements. Now, as we celebrate the GDPR’s 18-month birthday, it’s a good opportunity to take a look at some of the largest fines imposed to date and where in the EU we are seeing these.
The United Kingdom
The UK has issued notices of intent which would see it imposing the two highest fines so far!
8 July 2019, British Airways, €204,600,000.00. The ICO has issued an intention to fine only at this stage and has been issued as a result of a failure to adequately protect personal data. Users of British Airways’ website were diverted to a fraudulent site by hackers. Through this false site, details of about 500,000 customers were harvested. This case is currently being appealed by British Airways.
9 July 2019, Marriott International, €110,390,200.00. Again, the ICO has announced an intention to fine only at this stage. According to the ICO, the systems of Marriot’s subsidiary, Starwood hotels group were allegedly compromised in 2014. This was left undiscovered until 2018. The personal data of approximately 339 million guests was allegedly exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents). The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
France currently holds the record for the highest fine actually imposed at €50,000,000.
21 January 2019, Google, €50,000,000. CNIL imposed this fine on Google for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.’ CNIL said that the ‘users are not able to fully understand the extent of the processing operations carried out by Google’ as the essential information was spread across numerous documents and difficult to access. CNIL went on to state that Google had failed to obtain a valid legal basis to process user data and had the “customised ad” boxes pre-ticked for consumers, therefore not allowing valid consent.
23 October 2019, Austrian Post, €18,000,000. DSB issued Austrian Post with this fine as it had created profiles for over 3 million people which included details such as their addresses, personal preferences/habits and possible political allegiances which it then sold to organisations including political parties.
30 October 2019, Deutsche Wohnen SE, €14,500,000. The Data Protection Authority of Berlin issued this fine against Deutsche Wohnen SE as it had stored personal data in its archiving system but did not have a way to erase the data when it was no longer necessary. This personal data included financial information such as payslips, tax data, social security data, and bank statements. This breach was flagged in 2017 by the Berlin Data Protection Authority, but there was no evidence of it having been remedied by March 2019. This case is currently being appealed.
28 August 2019, National Revenue Agency, €2,600,000. KZLD imposed this fine as a result of the National Revenue Agency failing to adequately protect personal data, resulting in the theft of data relating to 6 million people following a cyber-attack.
The GDPR increased the fines available to EU supervisory authorities for breaches of data protection requirements.
31 October 2019, UWV, €900,000. AP imposed this fine due to inadequate security measures in respect of UWV’s online employer portal which allowed wide access to health data.
10 September 2019, Morele.net, €644,780. UODO imposed this fine as Morele.net failed to put adequate security and organisational measures in place which led to over 2 million individuals’ personal data being accessed without authorisation.
Since the introduction of GDPR in 2018, many organisations have been quick to adapt and become compliant. However, it is clear that even companies with significant resources have fallen foul of the new accountability requirement of the GDPR and are now facing substantial fines. Businesses should be proactive in their efforts to ensure that all departments look closely at the data they collect and how they handle it.
Click here to contact Clarkslegal’s Data Protection team.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
Read, listen and watch our latest insights
- 08 December 2023
UK Hospitality – Right to Work
The UK’s hospitality sector is strongly impacted by immigration rules and policies post-Brexit.
- 04 December 2023
- Commercial Real Estate
Real Estate update and 2024 expectations
The ECC confers rights on code operators to install and maintain electronic communications apparatus on public land, and even grants operators the right to sometimes apply to court for an order allowing them to install and maintain such apparatus on private land.
- 29 November 2023
How will the Autumn Statement 2023 affect the Construction Industry?
On 22 November 2023 Parliament was presented with the Chancellor’s Autumn Statement.
- 29 November 2023
- Public Procurement
Public Procurement Annual Update 2023
Watch Clarkslegal’s Public Procurement team as they provide you with the essential information businesses involved in public tenders need to know.
- 28 November 2023
The risk of insolvency with equal pay claims: how can you avoid them?
Even though the law states that everyone should be paid equally for work of comparable value, this does not always happen in practice.
- 21 November 2023
- Privacy and Data Protection
Privacy matters: How the 8 data subject rights protect personal data
In this guide we explore the 8 data subject rights under the UK GDPR and discover how they play a vital role in preserving your organisation’s privacy standards in an increasingly interconnected world.