GDPR fines and penalties: 2020 trends. Whom and for what fined?

Two years have elapsed since the entry into force of The General Data Protection Regulation (EU) 2016/679 (GDPR). Before the start of a new era in the regulation of personal data protection was a lot of discussions. Lawyers attacked their clients. The fines scare – for good reason.

During this period, this Regulation has forced companies from around the world to invest large sums of money in the development of technical and organizational measures to ensure information security. But sometimes these measures were insufficient. Data Protection Authorities from different EU countries have imposed huge fines.

In this article we will tell whom and for what fined. This will give an understanding of what mistakes companies make in processing personal data.

Statistics say that since the beginning of 2019 the number of fines imposed has increased rapidly. If at the beginning of the year we were talking about one dozen cases of GDRP violations, at the end of the year their number exceeds one hundred per month. This upward trend will continue in 2020.


British  Data Protection Authority – Information Commissioner (ICO) has fined a pharmacy because the company left approximately 500,000 documents in unlocked containers at the back of its premises.

Failing to process data in a manner that ensures appropriate security against unauthorized or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulations (GDPR).


Most popular types of gdpr violation:

          Insufficient technical and organisational measures to ensure information security

          Insufficient legal basis for data processing

          Non-compliance with general data processing principles

          Insufficient fulfilment of information obligations

Insufficient technical and organisational measures to ensure information security (art. 32 GDPR)

Британський наглядовий орган – Information Commissioner (ICO) вирішив на прикладі British Airways та Marriott International, Inc. показати що буває у випадку виявлення проблем в інформаційній безпеці. Санкції за порушення сягатимуть 204,600,000 та 110,390,200 відповідно.

Interesting is the fact that these companies notified DPA about cyber incidents in the system of protection of personal data and cooperate with the Data Protection Authority’ investigation. So are they have made improvements to its security.


Insufficient legal basis for data processing

The most famous case of GDPR violation in this category is – Google, which has not created a user-friendly and understandable privacy policy for its users.

DPA was to verify the compliance of the processing operations implemented by GOOGLE with GDPR by analysing the browsing pattern of a user and the documents he or she can have access, when creating a GOOGLE account during the configuration of a mobile equipment using Android. In short, the DPA concluded that the documents were not user-friendly.

Moreover, the restricted committee observes that some information is not always clear nor comprehensive. Users are not able to fully understand the extent of the processing operations carried out by Google.

This also applies to data for marketing purposes. The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.


What is wrong?

«Before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account.

Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.»



Non-compliance with general data processing principles

The leader in the size of the fine received for this GDPR violation is Deutsche Wohnen SE.

And all because of the fact that during a 2017 audit, it was discovered that the company (1) kept the data of the former renters without checking whether they need saving and (2) used an archiving system that did not allow the removal of unnecessary data.

Of course, they improved their system, but the DPA decided that the measures taken to remedy the breach were not sufficient and still did not comply with the principles of data retention and data minimization.


Insufficient fulfilment of information obligations

La Liga de Fútbol Profesional was fined for using the League’s mobile app which activates the phone’s microphone to detect sound around.

This was done in order to find bars that broadcast football games without paying the appropriate fees.  The DPA decided that the sound can also be attributed to the data by which to identify the person.

La Agencia de Protección de Datos stated that such functionality of the application is not disclosed transparently and clearly in the Terms of use the League’s mobile app. In their opinion must obtain the user’s consent to such function not only when installing a mobile application. The users do not remember what they gave consent. Therefore it is necessary to obtain their consent whenever activated collecting such data.



The GDPR makes it clear that organisations must be accountable for the personal data they hold. Personal data has a real value so companies have a legal duty to ensure its security, just like they would do with any other asset. This can include carrying out proper due diligence to assess not only what personal data has been acquired, but also how it is protected.

    Your question to IT lawyers