Recently I was looking at fines for GDPR breaches to get a better understanding of the current data protection landscape. I selected 10 fines from just December 2020 and January 2021 which were the biggest or the most interesting. More high-profile fines have already been issued in February, which I did not include in the list. I am sharing my observations and takeaways in the hope that you will find them interesting and useful, too.
1) Germany: €10.4M fine against notebooksbilliger.de for employee video monitoring without a legal basis
Fine: €10.4 million
The Lower Saxony data protection authority issued a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis. The DPA noted that the cameras recorded workplaces, sales rooms, warehouses and common areas, among other places, and that notebooksbilliger.de claimed the aim of the installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.
The DPA stated that, in order to prevent theft, a company must first examine milder means, such as random bag checks when employees leave the business premises. Video surveillance to uncover criminal offences is lawful only if there is justified suspicion against specific persons; if that is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de the video surveillance was limited neither to a specific period of time nor to specific employees, and in many cases the recordings were kept for 60 days, which is significantly longer than necessary. The DPA also pointed out that customers of notebooksbilliger.de were affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the surveillance was not proportionate in these cases.
- Video monitoring is particularly privacy-invasive processing and requires a thorough evaluation of purpose, necessity, proportionality, camera placement, retention period of recordings, etc.
2) Spain: AEPD fines CaixaBank €6M for consent and information failures
Fine: €6 million
A customer and a non-profit organization alleged that the bank’s framework agreement prevented customers from negotiating the terms of their contracts and forced them to consent to the processing of their personal data. The AEPD agreed with the complainants, stating that the evidence the bank brought in its defence was imprecise, vague and inconsistent, and did not provide sufficient justification for its legal basis for processing data and transferring it to third parties (including other companies within the CaixaBank Group).
- Consent must not be forced upon the customer; invalid consent means unlawful processing of data.
- Processing based on legitimate interests must be justified.
- Information on processing activities and data retention must be precise and provided in a uniform manner.
- Data transfers within a corporate group must also comply with GDPR requirements.
The fine represents the largest financial penalty issued under the GDPR by the AEPD to date.
AEPD decision: https://www.aepd.es/es/documento/ps-00477-2019.pdf
3) Spain: AEPD fines BBVA €5M for GDPR information and consent failures
Fine: €5 million
The Spanish data protection authority (AEPD) fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) €2 million for a violation of the transparency principle – it provided insufficient information about the categories of personal data processed, especially in relation to customer data obtained through products, services and channels – and €3 million for failing to obtain consent before sending promotional SMS messages to a customer and for not having in place a specific mechanism for obtaining consent.
- Transparency about processing activities is one of the pillars of GDPR compliance, and so is obtaining proper consent where necessary.
AEPD decision: https://www.aepd.es/es/documento/ps-00070-2019.pdf
4) Sweden: Companies fined for no risk analysis regarding the access to data
- Capio St. Göran: €2.9 million (SEK 30,000,000)
- Aleris Sjukvård AB: €1.5 million (SEK 15,000,000)
- Aleris Närsjukvård AB: €1.2 million (SEK 12,000,000)
The Swedish DPA fined the medical companies Capio St. Göran, Aleris Sjukvård AB and Aleris Närsjukvård AB for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding access to patient data. Authorizations for users of the hospital information systems were not assigned according to the principle of minimum access, which gave users full access to confidential patient data that they did not need for their work.
- Access management is a must-have in any IT system holding personal data; access has to be granted based on what is required for the work, following the principle of minimum access.
5) Poland: Virgin Mobile Polska fined for not having regular testing of technical measures
Fine: €460,000 (PLN 1.9 million)
The Polish DPA stated that the company infringed the principles of data confidentiality and accountability by not carrying out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were undertaken only when there were suspicions of a vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify the safeguards for the transfer of data between the applications used to service buyers of prepaid services. The vulnerability in the data exchange between these systems was used by an unauthorised person to obtain data of some of the company’s clients.
- Data security is a permanent, continuous process, not a one-off activity.
- All data transfers between applications must be secured and properly tested.
6) Ireland: DPC fines Twitter €450,000 for breach notification and documentation failures
Twitter was fined for not informing the DPA in time about a data breach that resulted from a bug in its software which made “protected” tweets public without the user’s knowledge. A third-party security company discovered the bug and informed Twitter.
The DPA found that Twitter did not comply with its obligation to notify a personal data breach within 72 hours of becoming aware of it. It also found that Twitter had breached its obligation to document personal data breaches.
- The data controller is considered to be aware of a data breach at the moment it or its data processors determine that an incident might have GDPR implications.
- The data controller must ensure that its data processors inform it about potential data breaches in a timely manner.
- All data breaches (including non-reportable ones) must be properly documented.
7) Poland: UODO fines ID Finance Poland PLN 1M for inadequate technical and organisational security measures
Fine: €250,000 (PLN 1 million)
ID Finance (owner of the lending platform MoneyMan.pl) failed to implement adequate technical and organisational measures to ensure the security of data. The company had not responded to indications of security gaps, and an unauthorised person subsequently copied and deleted the data on the company’s server, also demanding a ransom. The breach took place following a failed attempt to restore the appropriate security configuration; the controller, despite being notified of the vulnerability by cybersecurity specialists, failed to exercise due diligence with respect to its security systems and its processor.
This breach would not have occurred if the controller had immediately and appropriately reacted to the information that the data on its server was unsecured.
In calculating the fine, the Polish DPA took into consideration, among other factors, the scale of the breach and the controller’s delay in taking appropriate remedial action.
- The controller must be able to detect, address and notify a data breach – this is a critical element of technical and organizational measures.
- Any indications or information about possible technical issues must be taken seriously, investigated and addressed in a timely manner.
- A service provider’s delayed response is not an excuse for the data controller.
- The way the controller reacts to an incident is taken into account by the DPA when deciding on the fine.
8) Czech Republic: UOOU fines 11 organisations CZK 3.1M for unsolicited postal marketing
Fine: €119,000 (CZK 3.1 million)
The Czech DPA fined 11 organisations for sending unsolicited postal marketing messages to citizens’ mailboxes. The DPA stated that the possibility of sending postal messages free of charge until the end of the Coronavirus pandemic emergency period was abused for the purpose of sending marketing messages. The DPA highlighted that the organisations processed data subjects’ personal addresses without a valid legal basis. Moreover, the organisations did not provide data subjects with information on the commercial use of their data at the time of the first communication.
- The ability to process data does not make the processing lawful – all requirements must be met, including a legitimate purpose, a legal basis, proper information to data subjects, etc.
9) Romania: ANSPDCP fines Banca Transilvania RON 487,380 for inadequate security measures
Fine: €100,000 (RON 487,380)
The Romanian DPA fined Banca Transilvania SA for inadequate security measures that led to a breach of confidentiality and a failure to secure data. Investigating a complaint, the DPA found that a document containing a client’s statement, as well as an email containing an internal conversation between the company’s employees, had been posted on Facebook and a website.
- A company is responsible for how its employees process personal data.
- Sufficient security measures must be put in place to safeguard data from misuse and unlawful disclosure.
10) Spain: AEPD fines Vodafone €90,000 for GDPR accuracy and security violations
Due to a system error, clients of Vodafone España were shown the data of other customers. The Spanish data protection authority (AEPD) fined Vodafone España for violations of the data accuracy principle and of the integrity and confidentiality of personal data.
- Data security and proper access management are an important part of any IT system, as a failure may lead to a data breach.
What we can see is that million-euro fines for GDPR breaches are becoming the norm. At the same time it is still not clear how those fines are calculated, as they seem to be scattered “all over the spectrum” even when it comes to large companies. Nevertheless, the fines are for breaches of basic principles.
Processing of personal data has to be necessary and proportionate. Just because you can collect data does not mean you should. Further, if you rely on consent as the legal basis for processing data, ensure it is lawful and meets all GDPR requirements; otherwise look for a different legal basis. Legitimate interests as a legal basis also needs careful justification.
Be open about how you process data. Make this information easy to obtain and understand. This task, however, may not be so easy to achieve – especially if the processing is very complex.
Companies have to implement appropriate organisational and technical security measures. While it is open for discussion what exactly that means, there are some basic requirements:
- Take data security seriously. If something can go wrong, chances are – it will. If somebody points at a weakness, check it twice.
- Access management – ensure data is accessed only by authorised personnel and only on a “need-to-know” basis.
- Implement tools and processes that allow detection of data breaches. Your data processors and employees are your responsibility. Ensure your agreements have proper clauses and that instructions are followed.
- Regularly test and review your security measures – it is a recurring process, not a “done and forget” one.
- Document all your activities – what you have implemented and how you tested it.