Breaching the GDPR can cost you millions in fines, which is why we are tracking the size and reasons for the biggest GDPR fines of 2020 - to help you avoid them!
Since the General Data Protection Regulation (GDPR) came into effect in 2018 it has completely transformed how companies deal with their clients’ personal data. It brought about reforms which are tailor-made for the world of today and promised to come down hard on any companies which failed to respect them.
Fines totaling €272.5 million have been imposed for a wide range of GDPR infringements. Italy tops the rankings with aggregate fines of more than €69.3 million since GDPR became applicable on 25 May 2018. Germany and France came second and third with aggregate fines of €69.1 million and €54.4 million respectively.
While most companies have cleaned up their act when it comes to data protection, plenty still fall foul of the law and are being investigated and fined accordingly. The daily rate of breach notifications in Europe saw double-digit growth for the second year running.
"Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic, with several high-profile fines being reduced due to financial hardship."
This blog goes hand-in-hand with an article we posted last year, which recounts the worst GDPR fines of 2019. To keep up with what happens in 2020, be sure to bookmark this blog!
Countdown of the biggest GDPR fines in 2020
1. Google €50m – GDPR articles 5, 6, 13 and 14 breaches
In January 2019, Google was fined €50m by the French data regulator CNIL in what remains the biggest GDPR fine handed out in a single case.
According to CNIL, Google was fined for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".
The main finding was that Google was not transparent in its disclosures and did not specify how it collects and uses data for ad targeting. Google appealed the decision, but in June 2020 the French Council of State rejected the appeal and upheld the fine.
Additionally, the regulator said Google had failed to obtain a valid legal basis to process user data.
"The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent," it said.
It said the option to personalise ads was "pre-ticked" when creating an account, which did not respect the GDPR rules.
2. H&M €35.3m – GDPR articles 5 and 6 breaches
H&M was fined €35m by the Data Protection Authority in Hamburg for the illegal surveillance of its own employees.
After employees took holiday or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and the data accessible to over 50 H&M managers.
This resulted in the company keeping "excessive" records on the families, religions and illnesses of its workforce at its Nuremberg service centre. The data would then be used to help evaluate employees’ performance and to make decisions about their employment.
3. TIM €27.8m – GDPR articles 5, 6, 7, 17, 21 and 32 breaches
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on the "opt out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over the course of a month!
Second, the privacy notices for TIM apps and promotions were not transparent and it was unclear about the purpose for which data would be used. Consent was also incorrectly managed and often invalid - with one single consent being used for multiple purposes.
Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.
In addition, there were flaws in its data breach procedures. TIM filed multiple breaches with the DPA but had failed to do so within the 72-hour deadline. In short, its systems and procedures failed to meet the "privacy by design" principle.
4. British Airways €22m – GDPR articles 5(1) and 32 breaches
The ICO fined British Airways €22m after the airline failed to protect the personal data of more than 400,000 customers.
The investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
Initially British Airways had been fined an eye-watering £183m for its GDPR failings last July. However, this was later reduced to €22m due to the economic impact of COVID-19.
5. Marriott International Inc €20m – GDPR article 32 breach
Marriott International Inc failed to keep millions of customers’ personal data secure, with 339 million guest records worldwide believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
6. Wind Tre €16.7m – GDPR articles 5, 6, 12, 24 and 25 breaches
Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre for several unlawful data processing activities in relation to direct marketing practices.
Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications, sent without their previous consent, through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and to oppose the processing for direct marketing purposes.
Claimants' data was published in public telephone directories despite their opposition. In addition, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to give consent for different processing activities on every access, and only allowed them to withdraw that "consent" after a 24-hour window had passed.
7. Deutsche Wohnen €14.5m – GDPR articles 5 and 25 breaches
The Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine against Deutsche Wohnen, a German real estate company.
The infraction related to the over-retention of personal data. Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants' personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged the non-compliance with its retention obligations during an on-site audit.
Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority revealed during its second audit in 2019 that these measures had not led to the establishment of a GDPR compliant archiving system as Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
According to the head of the Berlin DPA, Deutsche Wohnen could readily have complied by implementing an archiving system that separates data with different retention periods, thereby allowing differentiated deletion periods, as such solutions are commercially available.
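To make the regulator's point concrete, here is an added illustration (not code from the case or from any vendor) of a deletion procedure that keys each record to its category's own retention period, puts documented legal holds on a separate path, and reports records that match no rule rather than keeping them indefinitely. The categories, retention periods and sample records are constructed for the example and are not statutory values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Hypothetical schedule (constructed values, not statutory periods): category -> days kept after purpose ends.
RETENTION_DAYS = {
    "tenancy_contract": 10 * 365,  # long, statute-style period
    "rental_application": 180,     # rejected applicant data: short period
    "maintenance_ticket": 2 * 365,
}

@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date       # day the processing purpose ceased
    legal_hold: bool = False  # documented ground to keep beyond the schedule

@dataclass
class PurgeReport:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    unclassified: list = field(default_factory=list)  # no rule: no demonstrable basis

def deletion_due(record: Record, today: date) -> bool:
    """True once the category's period has elapsed and no legal hold applies."""
    days = RETENTION_DAYS[record.category]
    return not record.legal_hold and today >= record.purpose_ended + timedelta(days=days)

def purge(records: list, today: date) -> PurgeReport:
    """Apply the schedule per category; unclassified records are reported, never silently kept."""
    report = PurgeReport()
    for r in records:
        if r.category not in RETENTION_DAYS:
            report.unclassified.append(r.record_id)
        elif deletion_due(r, today):
            report.deleted.append(r.record_id)
        else:
            report.retained.append(r.record_id)
    return report

# Constructed sample records; run_sample() evaluates them as of 2020-06-01.
SAMPLE = [
    Record("T-1", "tenancy_contract", date(2009, 1, 31)),     # period elapsed -> delete
    Record("T-2", "tenancy_contract", date(2015, 6, 30)),     # still within period
    Record("A-1", "rental_application", date(2019, 11, 15)),  # 180 days elapsed -> delete
    Record("A-2", "rental_application", date(2019, 11, 15), legal_hold=True),
    Record("X-1", "legacy_scan", date(2012, 3, 3)),           # no rule -> flagged
]

def run_sample() -> PurgeReport:
    return purge(SAMPLE, date(2020, 6, 1))
```

The unclassified list is the audit finding the Berlin DPA described: data still held with no retention rule and therefore no demonstrable ground for storage.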
8. Vodafone Italia €12.25m – GDPR articles 5(1) and (2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32 and 33 breaches
Garante fined Vodafone Italia €12.25m over aggressive telemarketing practices.
Garante launched its investigation after receiving ‘hundreds’ of complaints of nuisance calls from Vodafone’s sales networks. It found that Vodafone’s customer information storage system had multiple flaws and that the company had purchased contacts lists from external providers – with the information of up to 4.5 million people secured without user consent.
Vodafone justified the unwanted communication as human error, but this was not deemed an appropriate excuse by the regulator, with other factors including the ‘significantly negligent nature’ and recurrence of the calls.
The regulator ordered Vodafone to overhaul its telemarketing procedures in Italy, and Vodafone has been prohibited from processing personal data acquired from third parties without first gaining user consent.
9. notebooksbilliger.de €10.4m – GDPR articles 5 and 6 breaches
The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.
The LfD Niedersachsen noted that the cameras recorded workplaces, sales rooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees are leaving the business premises, according to the LfD Niedersachsen.
Video surveillance to uncover criminal offences is lawful only where there is a justified suspicion against specific persons; in that case, it may be permissible to monitor them with cameras for a limited period of time. However, the LfD Niedersachsen found that at notebooksbilliger.de, video surveillance was limited neither to a specific period of time nor to specific employees, and that in many cases the recordings were kept for 60 days, significantly longer than necessary. In addition, the LfD Niedersachsen noted that customers of notebooksbilliger.de were also affected, as some cameras were aimed at seating in the sales area, and that the video surveillance was not proportionate in these cases.
10. Eni Gas e Luce €11.5m – GDPR articles 5, 6, 7, 21 and 32 breaches
In Italy, Eni Gas e Luce (Egl) has been fined €11.5 million by the data protection watchdog for illegal processing of personal data and activating unsolicited contracts.
Its first fine (€8.5m) relates to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations including:
- Marketing calls being made to individuals without their consent or despite them objecting to marketing calls
- Inadequate procedures for checking the public "opt out" register
- No technical or organisational measures to log consent
- Keeping personal data for longer than is necessary
- Acquiring personal information from other entities without checking consent
The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.
Other notable UK data-breach fines in 2020
Currys PC World and Dixon's Travel fined £500k for an historic breach
Only a couple of weeks into 2020, the Information Commissioner's Office (ICO) was already demonstrating its resolution to tackle data breaches. Whilst not a GDPR fine - a bullet dodged for sure - we still feel it is worthy of including in the list.
The ICO handed out a £500k fine, the maximum possible under the previous legislation, to DSG Retail Limited, better known as Currys PC World and Dixon's Travel, for an historic data breach dating back to 2018.
The investigation found:
- Point-of-sale systems were compromised and malware was installed on 5,390 tills at its stores between July 2017 and April 2018 leading to customers' personal data being harvested.
- The company had failed to secure its systems granting unauthorised access to 5.6 million payment card details of transactions and the personal information (including contact details and failed credit checks) of 14 million people.
- Its security arrangements were poor and the company had failed to adequately protect personal data, with inadequate software patching, no local firewall, a lack of network segregation and no routine security testing. The ICO said the breach would significantly affect people's privacy, making them vulnerable to financial theft and identity fraud.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!