It has been over two years since the General Data Protection Regulation (“GDPR”) came into force. Its strict data protection requirements, and the liability that follows non-compliance, forced almost all companies to change their business processes so that all data they collect is processed properly. However, not every business has put enough effort into GDPR compliance, and large fines have been imposed as a result. It should be noted that punishable conduct may come to light through proactive action by data protection authorities, through the media, through customer complaints, or even through a company’s own self-denunciation.
As stated in the GDPR, fines are applied in addition to or instead of other remedies or corrective powers, such as an order to end a violation, an instruction to bring the data processing into compliance with the GDPR, and the power to impose a temporary or definitive limitation, including a ban, on data processing. Processors may also be subject to penalties, either together with the data controller or on their own. The fines can be very large: up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide turnover of the preceding financial year, whichever is higher. What were GDPR fines imposed for in 2020?
Data subjects enjoy a number of rights under the GDPR. One of them is the right to erasure. On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority imposed a fine of €1,000 on a non-profit organisation that had ignored a request for erasure and continued to send promotional material for (at least) five months after the individual’s request, and three months after being notified of the complaint submitted to the Belgian Data Protection Authority in this respect.
Earlier, on 14 May 2020, the Belgian Data Protection Authority imposed a significantly larger fine of €50,000 for a GDPR infringement relating to a social media provider’s “invite a friend” function. To offer this “invite-a-friend” functionality, the social media provider collected and stored personal data about its members’ contacts in order to send them invitations to connect on the platform. However, the Belgian DPA’s Litigation Chamber concluded that the social media provider had not obtained valid consent from the contacts concerned and had no alternative legal ground under the GDPR to lawfully process its members’ contacts’ data. In light of this, the processing of personal data in connection with the “invite-a-friend” function was found to be unlawful for lack of a legal ground.
Therefore, the social media provider could not rely on the consent obtained from its members to legitimize the processing of personal data of contacts who were not members of the platform, and thus never consented to the processing of their contact information.
The Dutch Data Protection Authority recently imposed a fine of €525,000 on the Royal Dutch Tennis Association for sharing the personal data of its members with two of its sponsors, for its own commercial interests, without a legal ground. The authority held that the association could not rely on the legitimate interest ground (one of the six legal grounds for processing) for data processing where, in fact, a commercial interest prevailed.
In its guidance on legitimate interests, the Article 29 Working Party indicates that an interest need only be acceptable under the law to be legitimate: “Commercial activities are in general acceptable under the law but do not necessarily follow from a legal norm – other than (potentially) the generic right to entrepreneurship.”
The Personal Data Protection Authority of Croatia fined an unnamed bank for failing to provide access to the personal data of approximately 2,500 individuals who had requested to see the data the bank held about them. The complaints were filed between May 2018 and the end of April 2019. In all of those cases, the individuals were denied copies of their personal data. As this shows, fines may also be imposed where an enterprise simply refuses to provide a data subject with information about the data it processes.
In January 2019, Google was fined €57,000,000 by the French Data Protection Authority. The fine was levied for the limited information Google provided, its lack of transparency, and its failure to properly disclose to users how data is collected across its services (including its search engine, Google Maps and YouTube) to present personalized advertisements. Under the GDPR, companies are required to obtain the user’s “genuine consent” before collecting their information, which means making consent an explicit opt-in process that is easy for people to withdraw.
Google’s fine dates from last year, and the search engine giant challenged the decision. In June 2020, the French Council of State rejected the appeal and upheld the penalty. The appeal had been filed on the basis that the French DPA had no jurisdiction over Google’s European headquarters, since that office is located in Dublin, Ireland. This argument was not accepted.
As the cases above show, in 2020 European Data Protection Authorities imposed fines for violations of GDPR requirements on several different grounds: failure to honour data subjects’ basic rights, failure to obtain consent, and failure to have an appropriate legal basis for data processing. Even seemingly minor non-compliance with data protection obligations can lead to very large fines. How can GDPR fines be avoided? At least the following measures should be taken:
- All data subject rights listed in Chapter 3 of the GDPR must be honoured. Do not ignore a data subject’s request to exercise any of them. In particular, a company should respond to such a request within 30 days. Businesses need to adjust their processes so that they can respond to data subjects quickly and efficiently.
- An appropriate legal ground for each processing activity should be chosen. Where no legal ground other than consent applies, the GDPR’s requirements for consent must be followed. A company should obtain consent if it sets cookies, serves personalised advertisements, sends data to third parties, and so on. Remember that withdrawing consent must be as easy as giving it. Once a data subject withdraws consent, the company can no longer process their data on that basis.
There are many more GDPR requirements to follow; in this article we have highlighted the most frequently violated ones. To be sure you are compliant with the GDPR, it is best to contact legal counsel, who will make sure you have not missed any important issues and will take into account the specifics of your particular business case.