GDPR Fines: Who are the Biggest Culprits
Since its implementation in May 2018, GDPR has already been put to work if the number of enforcement actions taken by various EU data protection agencies is anything to go by.
In this article, I outline the major GDPR fines that have been enforced so far. I will not cover the light penalties in the region of thousands of Euros that do not even make regional news.
How Many GDPR Fines have been enforced so far?
Major fines applied so far (total amount of penalties in Euros):
- 2018: 424,800
- 2019: 358,780,500
It is important to note that these figures are according to the latest update, which was on August 5, 2019.
Major GDPR Enforcement Actions in 2019
Marriott, UK - 99,000,000 Pounds
In a bizarre turn of events, Marriott discovered that a central reservation database belonging to Starwood, a major competitor it had acquired earlier, had been hacked. The breach comprised 5 million encrypted passcodes and 8 million credit card records, and the intrusion was found to have been ongoing from 2014 to 2018. Up to 30 million EU residents were affected.
Haga Hospital, Netherlands – 460,000 Euros
This fine was enforced because the Dutch hospital had lax controls over logging of, and access to, patient information. In one case, 197 employees managed to access the medical records of a Dutch celebrity.
British Airways, UK – 183,000,000 Pounds
This fine came after a malicious third party compromised the airline's website and extracted 500,000 customer records.
The British data protection body found that BA's website was breached because of inadequate security arrangements. This penalty represents the biggest fine enforced as a result of GDPR so far.
La Liga Soccer League, Spain – 250,000 Euros
The Spanish football league was accused of using its smartphone application to eavesdrop on users in order to detect piracy. Essentially, the football body turned on user microphones to listen for the sound of a football match and, using the phone's geolocation, matched it to venues showing pirated streams.
After obtaining this information, La Liga used it to open cases against 600 restaurants for pirating soccer matches.
Sergic, France – 400,000 Euros
Reports indicate that this real estate firm had lax restrictions on access to other people's data. All you needed to do was change the URL, and you could access another person's ID cards, tax notices, and other sensitive documents. The absence of any check that the requesting user was entitled to the document attracted the penalty.
MisterTango UAB, Lithuania – 61,500 Euros
This firm mistakenly exposed, for two days, a website containing customer payment records and details, including personal data. The subsequent investigation revealed that the organization gathered too much data and held it for too long.
Another factor that attracted the fine was the fact that the firm had only a single individual in charge of its IT infrastructure.
Unknown Data Processor, Poland – 220,000 Euros
A Polish data processor faced enforcement action after it scraped the internet for publicly listed contacts and carried out business outreach to over 90,000 individuals, 12,000 of whom refused consent to the use of their information.
Taxa 4X35, Denmark – 1,200,000 DKK
This fine was enforced after a random audit revealed that the Danish taxi firm held over 9 million personal records that it had no need to keep. It was therefore fined for failing to delete this unused data.
Google, France – 50,000,000 Euros
The French data protection regulator penalized the tech giant for a lack of transparency and valid consent in ad personalization, including a pre-checked option to personalize advertisements.
Google, France – 150,000,000 Euros
The French CNIL fined Facebook 60 million EUR for failing to let users withdraw previously given consent as easily as they had given it. For the same reasons, the CNIL fined Google 150 million EUR.
In 2022, 81% of French companies are still not compliant with GDPR.
Major GDPR Enforcement Actions in 2018
A hospital near Lisbon, Portugal – 400,000 Euros
Employees at this facility used bogus accounts to access patient data.
Knuddels.de, Germany – 20,000 Euros
The German social media and chat platform notified the authorities of a data breach. However, following its investigation, the local data protection body established that the platform had been storing user passwords in plaintext, without any protection. Fundamentally, the fine was imposed for the unlawful data storage practice rather than for the breach itself.
Update: Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation.
Small local company, Austria – 4,800 Euros
A local enterprise had a CCTV camera that recorded an excessive area of public space.
How can you Avoid GDPR Fines?
As a business owner or Chief Executive Officer, the last thing you want is to be fined for failing to comply with this regulation, as the companies highlighted above found out the hard way. Secure Privacy offers software solutions that can help make your company and website GDPR compliant. Request a demo or try these solutions for free to avoid being penalized for violating GDPR requirements.
Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.