Penalties for breaching the GDPR can reach up to €20 million or 4% of annual global turnover, whichever is higher. We examine the size of the biggest GDPR fines of 2019 and the reasons behind them.
Ever since coming into effect in 2018, the General Data Protection Regulation (GDPR) has completely transformed how companies deal with their clients’ personal data. It brought about reforms which are tailor-made for the world of today and promised to come down hard on any companies which failed to respect them.
While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly.
Countdown of the highest GDPR fines in 2019
- SERGIC (Real Estate) – GDPR article 32 breach - fined €400,000 (circa £344,588)
The French Data Protection Authority (CNIL) found that SERGIC had committed two major GDPR breaches.
Firstly, the company was retaining the information and documents of unsuccessful rental candidates for far longer than was necessary for the purpose they had been collected for.
Secondly, it had failed to implement even a basic authentication check on its website. As a result, personal documents, including tax notices, bank statements and divorce judgements, could be viewed by anyone who requested them. It took SERGIC six months to fix this flaw, and during that time no emergency measures were taken to limit its impact.
- Haga Hospital – GDPR article 32 breach - fined €460,000 (circa £396,276)
A large teaching hospital, HagaZiekenhuis, was fined for lacking internal security on patient records by the Dutch Data Protection Authority (DPA).
In a nutshell, most members of staff could access any patient’s medical records, regardless of whether they had the clearance to do so or not.
How did this happen? For starters, the hospital's records system lacked two-factor authentication, so logging in and opening files was trivial.
What's more, the hospital had no way of flagging unauthorised access to patient records as it happened, or of reviewing it afterwards. Hence it was almost impossible to hold anyone accountable for such access.
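The SERGIC and Haga cases above come down to the same two missing controls: a document or record that is handed out without checking who is asking, and no record of who read what that would let anyone notice misuse (plus, in SERGIC's case, data kept past its purpose). The following is an added example, not code from the article, from SERGIC or from HagaZiekenhuis, showing the unchecked "before" pattern beside a hardened "after" that authenticates, requires a second factor, checks for a treatment relationship (with a logged break-glass path), writes an audit entry for every decision, and purges documents past a purpose-bound retention period. All identifiers, roles, retention periods and the sample data are constructed assumptions.

```python
"""Added example (not from the article, SERGIC or HagaZiekenhuis).
Every name, role, retention period and log entry here is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                   # constructed roles: "clinician", "clerk", "patient"
    mfa_verified: bool = False  # has this session completed a second factor?


@dataclass
class Document:
    doc_id: str
    subject: str                # the person the data is about
    kind: str                   # e.g. "tax_notice", "lab_result"
    stored_at: datetime
    retain_for: timedelta       # purpose-bound retention period (assumed)


class RecordsStore:
    def __init__(self):
        self.docs = {}         # doc_id -> Document
        self.care_team = {}    # subject -> set of staff ids with a treatment relationship
        self.audit = []        # one entry per access decision, allowed or not

    def add(self, doc: Document, care_team=()):
        self.docs[doc.doc_id] = doc
        self.care_team[doc.subject] = set(care_team)

    # BEFORE: the pattern the regulators penalised. Anyone who knows or
    # enumerates a doc_id gets the file; nothing is checked or recorded.
    def fetch_unchecked(self, doc_id: str) -> Document:
        return self.docs[doc_id]

    # AFTER: authenticate, require MFA, check the relationship, log the outcome.
    def fetch(self, who: Optional[Principal], doc_id: str,
              break_glass_reason: Optional[str] = None) -> Document:
        doc = self.docs.get(doc_id)
        decision = self._decide(who, doc, break_glass_reason)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.user_id if who else None,
            "doc": doc_id,
            "subject": doc.subject if doc else None,
            "decision": decision,
            "reason": break_glass_reason,
        })
        if decision not in ("allow", "break_glass"):
            # Same error for "not found" and "forbidden": no oracle for id enumeration.
            raise PermissionError("access denied")
        return doc

    def _decide(self, who, doc, reason) -> str:
        if who is None:
            return "deny:unauthenticated"
        if doc is None:
            return "deny:not_found"
        if not who.mfa_verified:
            return "deny:mfa_required"
        if who.user_id == doc.subject:
            return "allow"           # data subjects may read their own documents
        if who.user_id in self.care_team.get(doc.subject, ()):
            return "allow"
        if reason:
            return "break_glass"     # emergency access: permitted but always reviewed
        return "deny:no_relationship"

    # Retention: erase documents held past their purpose-bound period.
    def purge_expired(self, now: datetime) -> list:
        expired = [d.doc_id for d in self.docs.values() if now - d.stored_at > d.retain_for]
        for doc_id in expired:
            del self.docs[doc_id]
        return expired


def review_queue(audit: list) -> list:
    """What a privacy officer should look at: every denied attempt and every
    break-glass read. This is the signal the hospital in the article lacked."""
    return [e for e in audit if e["decision"] != "allow"]


def demo() -> dict:
    """Runs the constructed scenario and returns the observable outcomes."""
    store = RecordsStore()
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    store.add(Document("doc-1", "patient-42", "lab_result", t0, timedelta(days=3650)),
              care_team={"dr-lee"})
    store.add(Document("doc-2", "applicant-7", "tax_notice", t0, timedelta(days=90)))
    lee = Principal("dr-lee", "clinician", mfa_verified=True)      # on the care team
    kim = Principal("dr-kim", "clinician", mfa_verified=True)      # not on the care team
    clerk = Principal("clerk-1", "clerk", mfa_verified=False)      # no second factor
    out = {"unchecked": store.fetch_unchecked("doc-1").subject,  # "before": anyone gets it
           "care_team": store.fetch(lee, "doc-1").doc_id}
    for who in (None, clerk, kim):                               # three attempts that must fail
        try:
            store.fetch(who, "doc-1")
        except PermissionError:
            pass
    out["break_glass"] = store.fetch(kim, "doc-1", "ER admission").doc_id
    out["queue"] = [e["decision"] for e in review_queue(store.audit)]
    out["purged"] = store.purge_expired(t0 + timedelta(days=200))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of logging the denied attempts as well as the break-glass reads is that a clerk repeatedly hitting "mfa_required" or a clinician repeatedly hitting "no_relationship" is exactly the pattern a DPA would expect the organisation to have noticed.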
- DSK Bank – GDPR article 32 breach - fined €511,000 (circa £440,211)
The Bulgarian DPA fined DSK Bank for failing to safeguard the personal data of over 33,000 clients. Information accessed by outsiders included property deed data, full names and addresses, ID card copies, and private account information.
Bulgaria's DPA opened an investigation after DSK admitted that it had been negotiating with a former convict who claimed to possess the bank's client database.
Worryingly, the bank did not even know whether its systems had been hacked, leaving the source of the leak unknown.
- Morele.net – GDPR article 32 breach - fined €644,780 (circa £555,458)
Online retailer Morele.net also had to face the music in September, when it was fined by Poland's Personal Data Protection Office (UODO) for breaching the GDPR.
The retailer's enormous data breach is believed to have affected around 2.2 million people who made purchases via the group's network of websites.
UODO concluded that Morele.net had failed to respond when irregular traffic appeared. As a result, many of those affected were at a high risk of suffering adverse effects, including identity fraud.
- National Revenue Agency (Bulgaria) - GDPR article 32 breach – fined €2.6m (circa £2.2m)
A massive data breach occurred when a hacker gained access to the Bulgarian National Revenue Agency's confidential database. Around five million of the seven million people living in Bulgaria had their personal data disclosed.
After gaining access, the hacker then posted half of the database onto public forums and handed the other half over to the press.
The Commission for Personal Data Protection of Bulgaria (KZLD) found that the attacker had exploited inadequate organisational and technical information security measures. The far-reaching extent of this GDPR breach meant that KZLD had no option but to issue a substantial fine.
- Deutsche Wohnen – GDPR article 5/25 breaches - fined €14.5m (circa £12.5m)
One of Germany's most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine, the largest in the country since the GDPR came into effect.
According to the Data Protection Authority of Berlin, the company did not comply with the general principles of data processing: personal data that should have been erased years earlier was still accessible to employees.
Curiously, the fine was originally meant to be almost twice as large at €28 million. But the Berlin Commissioner took into consideration that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, they lowered the fine.
- Austrian Post – GDPR article 5.1.a/6 breaches - fined €18m (circa £15.5m)
Even national postal carriers aren’t exempt from the repercussions of breaching the GDPR. After an investigation, the Austrian Data Protection Authority (DSB) discovered that Austrian Post had drafted profiles of over three million Austrian nationals.
These profiles included personal information such as habits, personal preferences, residential addresses, and even possible political affinities. The data gathered was then sold to interested parties, such as private companies and political parties.
DSB ruled that Austrian Post had no sufficient legal basis for processing this kind of data. The fine was set high because the company had been profiting financially from the practice.
- Google Inc - GDPR article 4/5/6/13/14 breaches - fined €50m (circa £43m)
In what was one of the most high-profile cases of the year, the French data regulator (CNIL) fined Google an astounding €50 million.
The fine was for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Information about ad personalisation was spread across several separate documents, making it hard for users to understand the full extent of the processing.
Additionally, the choice to receive personalised ads was “pre-ticked” upon opening a new account, which is in direct defiance of the GDPR.
- Marriott International - GDPR article 32 breaches – fined £99m (proposed; pending)
Marriott International faces a staggering proposed fine of £99 million for a personal data breach affecting 339 million people, of whom 30 million reside within the European Economic Area (EEA).
The breach is believed to have taken place in 2014 after the Starwood hotels group had their systems compromised. Despite Starwood being acquired by Marriott in 2016, the breach remained undiscovered until 2018.
The ICO judged that Marriott had not carried out proper due diligence when acquiring Starwood and should have taken further steps to keep its systems secure.
- British Airways - GDPR article 32 breach - fined £183m (proposed; pending)
British Airways is now facing the mother of all fines as the result of a cyberattack which is believed to have started in June 2018.
Visitors to the British Airways website were redirected to a fraudulent site, where the attackers were able to harvest their personal data.
The details of around 500,000 customers were compromised by the attack, and it was not until September of the same year that the ICO was notified. Investigators found that British Airways was to blame because of poor security arrangements.
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you have any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!