It is about two years ago that the General Data Protection Regulation (also known as the GDPR) became applicable. Just like last year, it is time to take a preliminary stock of the enforcement actions taken by the supervisory authorities in the past year and to make a forecast of what organisations will face in 2020 and the coming years in terms of data protection and GDPR.
Last year the Belgian DPA (Data Protection Authority) announced that there was an exponential increase in the number of files in 2018. Recently published figures show that this increase is continuing. For example, in the second year of the GDPR, the Belgian DPA received 937 notifications of data breaches, compared to only 317 notifications in the first six months of the GDPR.
However, the Belgian DPA is not the only one to note an increase, as other supervisory authorities such as the Dutch DPA, the UK DPA, the French DPA and the German Datenschutzkonferenz (DSK) also reported a strong increase in the number of files. More figures from other supervisory authorities can also be found in the evaluation document of the European Data Protection Board (EDPB).
An increase in the number of files may be due to the increasing awareness of citizens. Research shows (pdf) that the number of citizens familiar with the local supervisory authority has increased. Compared to 2015, 20% more citizens had already heard of the local supervisory authority.
Due to the increase in the number of files, supervisory authorities claim to be increasingly understaffed. Part of the German DPAs and the Dutch DPA have declared this openly. For example, the Dutch DPA is obliged to deal with every notification, but earlier this year it had to admit that this was no longer feasible. Due to this, approximately 3,000 complaints would, according to the competent minister, not have been dealt with yet. That is why the Dutch DPA works with priorities, just like other supervisory authorities.
In the period 2020-2025 the Belgian DPA will focus (pdf) on:
The Dutch DPA seems to focus on three areas in the period 2020-2023:
The French DPA focuses in 2020 on:
The UK DPA and German DSK do not mention any specific priority sectors or themes, but the UK DPA does indicate its focus on the following objectives:
Last year we wrote that most supervisory authorities had been relatively lenient in 2018 and that some supervisory authorities, including the Belgian DPA, had indicated that they would take more stringent action in 2019. The President of the Belgian DPA announced that he would step up efforts in 2019 to ensure compliance with the GDPR. This prediction seems to have been fulfilled by the three fines of EUR 50,000 imposed by the Belgian DPA in April and May 2020.
The President of the Dutch DPA also announced in the past that in 2018 the Dutch DPA would focus primarily on ending violations. To this end, the Dutch DPA organised exploratory investigations into the record of processing activities, data processing agreements and data breach registers. The Dutch DPA also insisted that the organisation itself should take remedial action. However, the President of the Dutch DPA also stated that complaints in 2019 would lead to more investigations and possible sanctions. This prediction also seems to have come true by two heavy fines of EUR 525,000 and EUR 725,000. It appears from the latter fine that organisations do not always have to expect a notice of default from the supervisory authority before a fine is imposed. In this case, the Dutch AP ruled that the infringement was so serious that the immediate imposition of a fine was justified.
The Irish DPA has also recently imposed its first GDPR fine. This despite the fact that Ireland has relatively the highest number of complaints. An investigation by IntoTheMinds showed that for every 10,000 Irish people 8.6 submit a complaint to the Irish DPA. This is the highest figure in the EU and contrasts sharply with the figure in Belgium (0.32 complaints per 10,000 Belgians). This is the second last place. A fine of EUR 75,000 was imposed on an Irish State agency Tusla (Child and Family Agency) for three cases of unlawful sharing of personal data of minors. In one case the contact and location details of a mother and child were disclosed to an alleged abuser. In the two other cases, data relating to minors in foster families were wrongly disclosed to blood relatives, including in one case to a detained father.
Although supervisory authorities can still issue a warning, there has been an increase in the number of fines imposed, as well as in the level of those fines. At present, however, supervisory authorities do not appear to act more frequently against certain sectors or companies, nor against certain types of infringements.
Fines are thus imposed in various sectors and companies, including:
Fines are also imposed for various types of infringements, including:
Please have a look at the bottom of this blog for an overview of the fines imposed!
In Belgium, fines imposed by the DPA can be challengedbefore the Market Court (Dutch: Marktenhof). The abovementioned fine of EUR 10,000 imposed on a Belgian liquor store was successfully challenged before the Market Court. The main reason for this was the lack of justification by the DPA.
Unlike the Netherlands and Germany, the Belgian DPA does not have a fining policy. Therefore, according to the Market Court, the Belgian DPA must justify the reason why a less far-reaching sanction than the imposition of a fine of EUR 10,000 would not put an end to the infringements. Moreover, the sanctions imposed were based on legislation that was not applicable at the time of the infringement by the liquor store.
The GDPR provides for a new cooperation mechanism between the European supervisory authorities, being the one-stop shop mechanism. In the Facebook case in Belgium, the court therefore raised the question of whether this one-stop shop mechanism also affects the possibility of initiating proceedings before the court. Interesting to mention is that the one-stop shop mechanism was not applied by the French DPA when it imposed a multi-million fine on Google.
The Facebook case was initiated in 2015 by the former Privacy Commission and continued by the current Belgian Data Protection Authority. The former Privacy Commission argued that the Belgian courts have jurisdiction and claimed that Facebook must comply with the Belgian and European data protection rules.
In first instance, the former Privacy Commission was proved right, but Facebook appealed. On 8 May 2019, the Brussels Court of Appeal ruled to refer a number of preliminary questions to the Court of Justice of the European Union (CJEU) before ruling on the merits. The preliminary questions can be found here.
Compared to 2018 and the first half of 2019, more and higher fines were imposed in the second half of 2019 and in the first half of 2020. It is probable that this trend will continue in 2020 and the coming years.
It is likely that future fines will be in line with the strategic objectives of the supervisory authorities. As cookies and online trackers are among the priorities of several supervisory authorities, we certainly expect more cookie fines in 2020 and the coming years. The Belgian, Spanish and Turkish supervisory authorities have already issued such cookie fines.
However, a fine will not always be imposed. Although notifying a data breach may lead to a (high) fine, as in the case of British Airways, it appeared that reporting a data breach does not necessarily lead to a fine. This was apparent from a recent decision by the Belgian DPA. In that case, the Belgian DPA did not impose a fine on a telecommunications operator since it appeared from the investigation that the data breach was correctly notified and appropriate organisational and technical measures were taken.
As more and higher fines are imposed, the question of their insurability is becoming increasingly pressing. A fine for an infringement of the GDPR imposed by a supervisory authority is an administrative fine and can, in principle, be insured (in Belgium), but this raises two questions, namely whether administrative fines are excluded by the insurance policy, and whether the coverage of the insurance policy is sufficiently high.
For a further discussion of these questions we refer to our overview from last year.
It happens that complainants also ask the Belgian DPA to award damages to them, but the DPA does not have the power to do so. While the DPA may establish an infringement and impose an administrative fine, the award of damages is reserved to the competent courts. In addition, the DPA cannot award damages either, as this is an administrative procedure.
In the Netherlands, the Dutch Administrative Jurisdiction Division of the Council of State decided that the GDPR does not stipulate how immaterial damage should be determined. This must therefore be determined by national law. With respect to the concept of damage, recital 146 of the GDPR states the following: “The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law”. Although not every breach of the GDPR will give rise to damages, the Council of State granted an amount of EUR 500 (ex aequo et bono) to a data subject whose medical data were included by the director of the Pieter Baan Centre in a defence in the context of disciplinary proceedings.
In order to ensure that supervisory authorities do not impose arbitrary fines, it is useful to draft a so-called fining policy, as in the Netherlands and Germany. To this end, the Dutch DPA has based itself on the WP29 guidelines published in 2017 and distinguishes between four categories of infringements. Each category consists of a basic amount which can be adjusted upwards or downwards depending on the circumstances.
In addition to the competence to sanction, the supervisory authorities also have the power to issue guidelines on the processing of personal data. These guidelines are usually to be found on the local supervisory authority’s website. For the Belgian DPA, the following guidelines have been in place since the application of the GDPR:
When issuing guidelines, it is not excluded that there may be differences between the guidelines of the different supervisory authorities. As an example, according to a recommendation of the Dutch DPA, purely commercial interests cannot qualify as a legitimate interest, whereas according to the Belgian DPA, direct marketing may be possible on the basis of a legitimate commercial interest.
Conversely, guidelines issued by one supervisory authority may also be confirmed or followed by other supervisory authorities. For example, almost all supervisory authorities have in the meantime stated that a cookie wall is illegal. This means that a website can only be used if all cookies are accepted by the website visitor, including marketing cookies for example.
On the basis of Article 97 of the GDPR, the European Commission was required to submit a report to the European Parliament and the Council on the evaluation and review of the GDPR by 25 May 2020 and every four years thereafter. The May 2020 report is available here.
That being said, the EDPB published on 18 February 2020 an evaluation document stating that it is currently too early to revise the GDPR. At the same time, the EDPB calls for work to be done on the new ePrivacy Regulation, which is not yet in place. We already wrote about this on our blog.
The current versions of the Standard Contractual Clauses (SCCs) were drafted before the entry into force of the GDPR. Timelex has advised the European Commission on an adaptation of the Standard Contractual Clauses to the GDPR. If you would like to stay informed, you can follow us on LinkedIn.
GDPR certification is a way for an organisation to demonstrate its compliance with the GDPR. In the case of certification, an accredited certification body can assess, approve, and issue a certificate to an organisation. An example of a GDPR certification scheme is EuroPrivacy. Timelex also assists organisations in obtaining a GDPR certificate.
Several supervisory authorities are currently busy with corona apps and enforcement also seems to be affected by the current exceptional circumstances. For example, the ICO shows understanding for organisations that currently have other priorities: “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won't penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period. “
Although the ICO does not extend the deadlines, the CNIL does. In certain cases, the CNIL will extend the deadlines for the notice of default until 24 June 2020. In addition, CNIL states that it will continue to take action against serious breaches of data protection laws in these exceptional circumstances.
The overview below is arranged in ascending order according to the amount of the fine and provides an anthology of the fines imposed up to now (mainly) in the EU member states.
Please note, however, that this overview is not intended as a complete overview. Our ambition is to include the most high-profile fines, but if you are looking for more information on enforcement in a particular Member State or sector, please contact us.
Authority | Penalty | To whom? | Why? |
€ 2,000 | A mayor | For violating the principle of finality. The mayor answered an e-mail sent to him to record an appointment with election propaganda. | |
€ 3,000 | A local publisher | For publishing the name and photo of police officers, even though it was not proportional under these circumstances. | |
€ 5,000 | A local hospital | For losing a patient file. | |
€ 5,280 | An Austrian sports betting café | For security camera (CCTV) violations. These cameras would be focused on the public domain, such as the street and parking, and the images would be kept for too long (more than 72 hours without justification). This is an infringement of the principle of storage restrictions. | |
Belgian (new) | € 10.000 | A Belgian company | For violating the principle of data minimisation and the absence of valid consent. The creation of a loyalty card was only possible by reading the electronic identity card. There was also no alternative, which meant that there was no freely given consent. In addition, the processing of the National Identity Number, gender and date of birth for the creation of a loyalty card was considered disproportional. In addition, information was not provided in a transparent manner, in particular not with regard to the legal basis and the retention period. However, this fine was successfully contested before the Market Court. |
Belgian (new) | € 15.000 | A legal news website (jubel.be) | For violating the cookie rules and the GDPR. It was not possible to refuse cookies, the privacy policy was displayed in the wrong language and the website owner relied on a legitimate interest as the legal basis for placing non-essential statistical cookies instead of consent. You can read a more detailed analysis of this matter on our blog. |
German (LfDI) | € 20,000 | A German social network (knuddels.de) | For failure to take appropriate technical and organisational measures. In this case, passwords were kept in full text (it was recently found that Facebook also did this, which is now being examined by the Irish authorities). |
Belgian (new) | € 50,000 | A Belgian telecom provider (Proximus) | For a conflict of interest on the part of the DPO who, in addition to DPO, was also head of the compliance, risk and audit department. |
Belgian (new) | € 50.000 | A social media network (unknown) | For a non-GDPR compliant “invite a friend” or “tell a friend” system based on invalid consent. A user of the social network could invite non-users via their email address. The system was based on the consent of the user who sent the invitation, but the DPA states that only the data subject (i.e. the invited person) can give this consent validly. The Belgian DPA also noted that consent for marketing e-mails cannot be obtained by means of an informative e-mail. Although this was previously allowed by the Federal Public Service Economy, this practice has already been rejected by other supervisory authorities. |
Belgian (new) | € 50.000 | A private health insurer (DKV) | For providing unclear information to data subjects. The insurer’s privacy policy did not contain a clear link between the legal basis and the purposes of processing personal data. |
€ 61,500 | A Payment Initiation Service Provider | For collecting more data than necessary and to keep it longer than necessary (216 days instead of 10 minutes) and for not reporting a data breach. Moreover, such payment initiation services are new since the Directive (EU) 2015/2366 on payment services (PSD2). | |
Irish (new) | € 75.000 | An Irish State Agency (Tusla) | For unlawful sharing of personal data of children in three cases. In one case, the contact and location details of a mother and child were disclosed to an alleged abuser. In two other cases, information of children in foster families were wrongly disclosed to blood relatives, including in one case to a detained father. This was the first GDPR fine in Ireland. Tusla has already indicated that it will not appeal. |
€ 160,000 (converted) | A Danish taxi company (Taxa 4x35) | For keeping track of personal data for longer than necessary more specifically because the telephone number was an essential part of the taxi company's system. | |
Turkish | € 160,000 (converted) | Amazon | For sending commercial electronic messages to users without their consent, the bundling of registration for the services as a condition for giving consent, the transfer of personal data without the express consent of the users and for not providing information in accordance with the law and with regard to data processing with cookies. |
Norwegian (new) | € 170,000 (converted) | A Norwegian municipality (Bergen) | For failure to take appropriate technical and organisational measures. As a consequence of poor security measures, the usernames and passwords more than 35.000 data subjects (pupils, mainly children, and employees of municipal primary schools) were freely accessible. The municipality had already been warned several times about the lack of security. |
Danish (new) | € 200,000 (converted) | A Danish furniture manufacturer (IDDesign) | For failure to document retention periods, failure to comply with predetermined retention periods and for keeping personal data longer than necessary (storage limitation). |
€ 220,000 (converted) | An international data analytics company (Bisnode) | For a breach of the duty to provide information. The company in question had to inform 6 million people within three months. | |
€ 250,000 | A Spanish football league (La Liga Santander) | For not sufficiently informing about switching on the microphone and geolocation via the La Liga app in order to be able to locate illegal broadcasts of football matches. | |
€ 400,000 | A local hospital (Centro Hospitalar Barreiro Montijo) | For failure to take appropriate technical and organisational measures. The hospital is said to have given nine social workers access to certain medical data and access rights to these data were also granted carelessly. While there were 296 doctors working in the hospital, four times as many employees had the same access rights as them. | |
Greek (new) | € 400.000 | A telecom provider (OTE) | For multiple violations of the GDPR, including privacy by design. The DPA levied the fine following user complaints about third-party marketing calls despite opting out of third-party marketing. An investigation found that the company’s systems erroneously deleted some users’ opt-out requests due to organisational errors. |
Dutch (new) | € 460.000 | A local hospital (HagaZiekenhuis) | For failure to take appropriate technical and organisational measures. The investigation came after dozens of employees had consulted the medical file of a well-known Dutchman. The hospital has to regularly check who consults which file and has to introduce two-factor authentication. |
British (new) | € 575,000 (converted) | A lead generator company (CRDNN) | For making more than 193 million automated nuisance calls. The investigation revealed that CRDNN Limited was found to be making nearly 1.6 million calls per day about window scrappage, debt management, window, conservatory and boiler sales between 1 June and 1 October 2018. |
Dutch (new) | € 525.000 | A Dutch tennis association (KNLTB) | For selling the personal data of its members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors. |
€ 600,000 | An American transport app (Uber) | For not reporting a data breach within 72 hours. Although it was a data breach in 2016, the Dutch DPA relied on national legislation and the GDPR to impose this fine. | |
Dutch (new) | € 725.000 | Unknown | For obliging employees to scan their fingerprints for time and attendance registration. |
Penalty payment (max. € 900,000) | A Dutch sickness absence portal for employers | To take more measures to secure access to the sick leave portal for employers, at least by applying multifactor authentication. | |
Italian (new) | € 11,5 million | An energy provider (Eni Gas e Luce – Egl) | The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totaling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were calculated on the basis of the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl. |
German (new) | € 14,5 million | A German real estate company | For storing all personal data of tenants indefinitely in an archive system. |
Italian(new) | € 27,8 million | A telecom provider (TIM) | For violation of the GDPR, with emphasis on unlawful data processing, non-compliant aggressive marketing strategy, invalid collection of consents and excessive data retention period. |
French(new) | € 50 million | For various infringements with regard to invalid consent and lack of transparency. | |
Swedish(new) | € 69 million (converted) | For not complying with the right to erasure. | |
British(new) | € 115 million proposed (converted – 99 million GBP) | A hotel chain (Marriott International) | For not carrying out proper due diligence when making a corporate acquisition and for not putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. The vulnerability began when the systems of Starwood hotels group were compromised in 2014 and Marriott subsequently acquired Starwood in 2016 but the exposure of customer information was not discovered until 2018. |
British (new) | € 243.47 million | A British airline (British Airways) | For failure to take appropriate technical and organisational measures, as the company was the victim of a cyber attack in which personal data of 500.000 data subjects were stolen. |