GDPR: Data Protection Day – Top 15 Fines
Originally published: www.taxheaven.gr (in Greek)
Date: 1/03/2021
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
On 28.01.2021, the European Data Protection Day was celebrated for the 15th time. It was established in 2007 by the Council of Ministers of the Council of Europe in order to inform the public and raise awareness of data protection issues. To mark this day and the purpose it serves, the 15 largest fines imposed during 2020 under the GDPR in 15 different countries of the European Economic Area (the Member States of the European Union plus Norway, Iceland and Liechtenstein) are presented below, in ascending order.
The fines presented were selected from the nearly 60 decisions published on the website of the European Data Protection Board (EDPB) last year. These were issued by the supervisory authorities of Belgium, Germany, Denmark, Greece, Estonia, Ireland, Iceland, Spain, Italy, Cyprus, Lithuania, Norway, the Netherlands, Hungary, Poland, Sweden and Finland. It is striking, however, that the website does not carry the decisions of every supervisory authority: important decisions are missing, for example from France, which also imposed heavy fines in 2020.
It is recalled that the EDPB is a body of the European Union, established by an explicit provision of the GDPR. Its primary mission is to contribute to the consistent application of the General Data Protection Regulation. It should also be stressed that the GDPR is a legislative text applied across Europe. For this reason, despite the differences introduced by national laws containing more specific implementing measures, the decisions imposing fines in the other countries where it applies serve as a useful compass for Greece as well.
See last year’s corresponding publication entitled “GDPR: Data Protection Day – Top 14 fines”, which allows relevant comparisons.
- Lithuania – fine of 15,000 euros
The case (October 2020) concerned an adoptive parent who applied to the municipal authority regarding the schooling of his adopted child, stating his e-mail address. However, in the municipal authority’s information system, in which the e-mail address was registered, it was automatically replaced by the e-mail address of one of the child’s biological parents. This was the result of the interconnection of that information system with another public register and its automatic synchronisation with the content of the latter at regular intervals. It was therefore held that the principle of accuracy of personal data, as well as the principle of integrity and confidentiality, had been violated.
- Denmark – fine of 20,172 euros
The case (August 2020) concerned a real estate management company which assisted another legal entity in selling three properties. As part of this assistance, the management company distributed material about these properties to the persons residing in them, on 424 USB sticks. However, part of the distributed material contained personal data of a confidential nature, which should not have been disclosed, without the management company being aware of it. As was held, the incident resulted from the failure to implement appropriate technical and organizational measures. It is noted that this is not a final fine but a proposed fine, and that it was expressed not in euros but in the national currency.
- Iceland – fine of 20,643 euros
The case (March 2020) concerned a non-governmental organization active mainly in the field of health, which suffered a personal data breach. The incident occurred when a former employee received boxes that allegedly contained his personal belongings from the time he was employed by the organization. In reality, however, the boxes contained the personal health records of 252 former patients, as well as the names of some 3,000 people who had received support services for dependence on alcohol and addictive substances. The breach was deemed to have resulted from the failure to implement appropriate personal data protection policies and appropriate technical and organizational measures. It is noted that the fine was expressed not in euros but in the national currency.
- Poland – fine of 22,134 euros
The case (September 2020) concerned a state website publishing spatial information, operated under the responsibility of the Polish General Surveyor. The data published included property registration numbers obtained from real estate registers. However, there was no legal basis for their publication, i.e. no relevant legislative provision. The principle of lawfulness of processing was thereby violated. It is noted that the fine imposed on the General Surveyor was expressed not in euros but in the national currency.
- Spain – fine of 75,000 euros
The case (November 2020) concerned a telecommunications company which issued a number of invoices to the wrong person, although the invoices related to someone else. The complainant, who was not a customer of the company, contacted it in an attempt to resolve the problem, without success. The principle of lawfulness of processing was thereby violated, as the complainant’s personal data were processed without a legal basis.
- Cyprus – fine of 82,000 euros
The case (January 2020) concerned three companies belonging to the same group which carried out automated processing of employees’ personal data and profiling, as part of the grading of their sick leave absences according to the Bradford Factor. The Bradford Factor is a scale for evaluating an employee’s absences and, by extension, the employee himself/herself. It gives more negative weight to frequent, short and unplanned absences, as these are considered to affect an organization more adversely than longer, individual absences. In this case the principle of lawfulness was infringed, as there was no legal basis for the processing: the legitimate interest of the employer could not serve as the appropriate legal basis, nor was there a legal basis for processing special categories of data.
- Estonia – fine of 100,000 euros
The case (November 2020) concerned three pharmacy chains which operated an e-pharmacy. There, any user could view another person’s medical prescriptions, without the latter’s consent, simply by entering that person’s personal identification number. Clearly, appropriate technical and organizational measures had not been taken to ensure that access to prescriptions was granted only to the person concerned, in breach of the principle of integrity and confidentiality of personal data.
- Finland – fine of 100,000 euros
The case (May 2020) concerned a large postal service company. Many complainants stated that they had received marketing material from various companies after notifying the postal company of a change of address. As the investigation showed, the postal company had not informed data subjects of their rights, including the right to object to the disclosure of their personal data, when they declared a change of address. The principle of fairness and transparency of processing was therefore considered to have been violated through inadequate information of the data subjects.
- Norway – fine of 276,000 euros
The case (October 2020) concerned a municipality responsible for operating a school-home communication system, i.e. a system enabling parents to communicate with their children’s school through a portal or dedicated application. The supervisory authority took up the case after the municipality notified a breach concerning this system. As was held, the principle of integrity and confidentiality was not observed, as the appropriate technical and organizational measures for the security of personal data had not been taken. It is noted that the fine was expressed not in euros but in the national currency.
- Ireland – fine of 450,000 euros
The case (December 2020) concerned Twitter. The supervisory authority took up the case after the well-known social media company notified a breach. As was held, the company violated its notification obligations, as it did not act in time or with the appropriate documentation. It is noted that under the GDPR, notification to the supervisory authority must take place without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must also be accompanied by appropriate documentation.
- Belgium – fine of 600,000 euros
The case (July 2020) concerned Google. A citizen requested the removal of links containing negative information about him from the results of the well-known search engine, but his request was refused. On examining the case, the supervisory authority considered that certain links should not be removed for reasons of public interest, as the citizen played a role in public life. Other links, however, concerned unfounded and outdated information that could seriously harm him, and these should have been delisted by Google. Furthermore, a lack of transparency was identified both in the relevant link removal form and in the response the citizen received.
- The Netherlands – fine of 830,000 euros
The case (August 2020) concerned the national credit register of the Netherlands. Following complaints, it was found that data subjects faced many difficulties in accessing the personal data held about them in this register. Among other things, they were required to pay a fee to obtain access in digital form, while free access in printed form was possible only once a year. As the supervisory authority held, charging such fees was not permissible, and the procedure for exercising the right of access by post had to be both simple and capable of being repeated after a reasonable period of time.
- Sweden – fine of 7,000,000 euros
The case (March 2020) concerned Google. The supervisory authority had been investigating since 2017 the practices of the internet giant regarding requests to delist links from its search engine results. Among other breaches, it found that when Google removed a result from its search engine, it then notified the owner of the website to which the link pointed. The site owner was thereby informed both of the removal of the link and of the identity of the person who had submitted the request. This allowed the site owner to republish the content at a new link, which then reappeared in the search results, so that the exercise of the right to erasure had no effect. As the supervisory authority held, this notification breached the principle of lawfulness of processing, as there was no legal basis for it. It is noted that the fine was expressed not in euros but in the national currency.
- Italy – fine of 27,802,496 euros
The case (February 2020) concerned a telecommunications company that carried out unlawful marketing directed at millions of people. The supervisory authority received hundreds of complaints, mainly about unsolicited promotional phone calls made without the recipients’ consent, many of whom were registered in the special opt-out register for promotional calls. Indicatively, in one case the company had contacted a person 155 times in a month. The breaches found included, among others, an ineffective breach management system, misapplication of the principle of data protection by design and failure to observe the principle of storage limitation.
- Germany – fine of 35,258,707 euros
And the 1st place is occupied by Germany (Hamburg supervisory authority), whose fine is the largest published on the EDPB website, at about 35,260,000 euros. The case (October 2020) concerned a multinational clothing company which unlawfully kept extensive “files” on the private lives of many of its employees at its Nuremberg facilities. These recorded, among other things, their holiday experiences, health problems they may have had during their leave, sometimes including the corresponding medical diagnoses, “innocent” details of their private daily lives, their religious beliefs and their family problems. These personal data were then made available to dozens of senior company executives on a case-by-case basis and were used to build employee profiles, which played a role in the employees’ professional development. The company’s unlawful practices came to light unexpectedly due to a technical error in the relevant information system, which made the personal data widely accessible within the company.