More than four years after the General Data Protection Regulation 2016/679 (GDPR) came into force, companies and organizations that process personal data inside and outside the EU have come to realize the benefits that a privacy-friendly business management can entail. Moreover, in the last years it became evident that processing personal data in violation of GDPR obligations and national laws expose companies to heavy penalties and also damages of different nature (i.e., harming the reputation and trustworthiness of a company or brand in the customers’ eyes).
According to statistics, the highest individual GDPR fines were issued by the EU Data Protection Authorities (DPAs) of Luxembourg, Ireland, France and Germany. So far, the highest fines have mainly affected the Media, Telecoms and Broadcasting sector (€1,694,160,741 at 216 fines) and the Industry and Commerce sector (€856,827,401 at 354 fines).
The analysis of the violations that led to most of the fines issued by the DPAs is extremely important for companies, in order to acquire an overview of the areas and topics of greatest interest to the DPAs and prevent similar situations. For this reason, we will present some of the most relevant decisions of EU DPAs in recent years.
Unlawful consent for data processing
A large number of sanctions have been issued in relation to the processing of personal data (in particular for marketing and the sending of profiled and non-profiled commercial and advertising material) without data subjects’ valid consent. Some of the heaviest fines relate precisely to this type of violation, such as that of the Luxembourg DPA against Amazon Europe Core S.à.r.l. (€746 million). On this occasion, the US ecommerce giant was found to have used an advertising targeting system without valid consent (i.e., freely given, specific, informed and unambiguous). Similarly, many of the highest fines ever imposed relate to the same kind of violation, as evidenced by the fines issued by the Italian authority against TIM S.p.A. (€27.8 million) and Enel S.p.A. (€26.5 million). In both cases, the number of customers involved was very high, and the complaints received by the Italian DPA mainly concerned telemarketing (commercial calls) and marketing activities (sending of e-mails and advertising material) carried out – according to the Regulators – aggressively and, more importantly, without a valid consent, provided in a clear and informed way. Both cases unite that the contracts concluded with the data subjects were rather complex and included a variety of services. That made the understanding of the processing difficult for the clients.
The Human Error – breach of data subjects’ confidentiality
Many of the sanctions issued by EU DPAs in the past years concern violations resulting from human error that negatively impacts the confidentiality of client and patient data of large companies. This is the case, for example, with the sanction issued by the ICO against HIV Scotland: due to a human error, the charity sent a group email with the recipients in CC rather than BCC, disclosing identifying information of 65 data subjects and making their HIV statuses accessible.
A similar situation led the Italian DPA to issue a €70,000 sanction against a hospital, which sent two medical newsletters with recipients in CC. In this occasion, personal data of all recipients were disclosed, and it was also possible to deduce important health information thanks to the contents of the newsletters.
Insufficient TOMs (Technical and Organizational Security Measures)
Another critical element that has led to numerous sanctions is the implementation of TOMs appropriate to the risk to which personal data are exposed. Two relevant sanctions are certainly those proposed by the ICO against British Airways (€22.4 million)and the international hotel group Marriot (€20.45 million). In both cases, the cybersecurity verification process was insufficient and therefore allowed unauthorized third parties to breach the personal data processed by the two companies, exposing their customers (including public officials and high profile individuals) to significant risks. In the latter case, years after the M&A that led to Marriot’s acquisition of the Starwood Hotels group, the famous hotel chain was exposed to numerous cyber-attacks that led to the breach of the personal data of a large number of customers. These data breaches were then traced back to the lack of adequate protection measures for the former Starwood Hotels‘ systems, exposing Marriot to significant penalties and brand damages.
More recently, Dedalus Biologie, a company which sells software solutions for medical analysis laboratories, was sanctioned by the French Data Protection Authority (CNIL) in 2021 due to numerous technical and organizational breaches in terms of security, which lead to a massive data breach involving sensitive data of nearly 500,000 people. In this occasion, personal data such as name, surname, social security numbers but also medical information as HIV, cancers, genetic diseases, pregnancies, drug therapy of patients and genetic data were involved. The CNIL found some important security violations linked to the migration process of software, such as, inter alia:
- lack of a specific procedure for data migration operations;
- lack of encryption of personal data stored on the problematic server;
- no automatic deletion of data after migration to the other software;
- no authentication required from the internet to access the public area of the server;
- use of user accounts shared by several employees on the private area of the server;
- lack of a procedure for monitoring and reporting security alerts on the server.
Mismanagement of data subject’s request
A topic with high practical importance – that most companies are confronted with – is the management of data subject requests and the risks of not complying, be it in a timely manner or providing the full picture.
Failure to comply with the data subjects’ requests and to exercise them are among the most frequent grounds for sanctions. Especially when companies don’t implement organizational systems and procedures that prevent situations like late responses, sharing of incomplete information or failure to verify the identity of the data subject with whom the data shall be shared, or directly the failure to manage and answer to the request.
A remarkable sanction relating to this topic, although not among the highest, was recently (in 2022) issued by the Dutch DPA with a €525,000 fine against a media company. As is well known, the EDPB Guidelines 01/2022 stipulate that the data controller is obliged to verify the identity of the applicant, before responding to a request to exercise rights and thus to share important personal data. This mandatory control must, however, be carried out in compliance with the principles of proportionality and data minimization. The company in question, before handling the access or deletion requests received from the data subjects, required the compulsory upload of the applicants’ IDs, which obviously contained excessive and unnecessary data for the simple purpose of verifying their identity. In the eyes of the DPA, this process made it over complicated for customers to exercise their rights and, therefore, led to the company’s sanction.
Last but not least – unlawful processing of employees’ personal data
Finally, some of the most important sanctions in recent years stem from intentional improper handling of employees‘ personal data within the employment relationship. Of particular note is the fine issued by the HmbBfDI (Hamburg DPA) against the retail brand H&M (€35,258,707.95). H&M’s violations of the GDPR consisted of monitoring the activities of several hundred employees, recording ‚back to work‘ meetings and making them accessible to more than 50 H&M managers, exposing events in employees‘ private lives, including sensitive information (e.g., religious beliefs). Furthermore, all information was then used to evaluate employees‘ performance and to base important decisions on their employment.
Another scenario in which compliance with the data minimization principle and additional measures to safeguard and manage access to data could have helped to avoid the sanction.
We recommend to regularly analyze important decisions of the European DPAs, in order to review the level of data protection in your organization and avoid incurring GDPR violations or being exposed to such penalties. As we have seen, the penalties imposed based on the GDPR can be very high and damage a company’s business.
So, what lessons can be learned from the cases described above?
- Implement a proper consent management for the processing of personal data.
- Document, implement and review TOMs regularly, in particular, of data access and encryption measures.
- Ensure a proper handling of requests to exercise data subjects‘ rights, particularly identity verification mechanisms as a prerequisite to process them.
- Make sure that no processing of personal data takes place “in the dark”. Provide trainings and implement controls.
The definition of privacy by design and by default procedures, i.e., the structuring of any processing activity in a GDPR-oriented manner from the very beginning, is fundamental to ensure lawful personal data processing activities and protect the organization from heavy penalties.