Breaching the GDPR can cost you up to €20m or 4% of annual global turnover. Which is why we are tracking the size and reasons for the biggest GDPR fines of 2020 - to help you avoid them!
Since coming into effect in 2018, the General Data Protection Regulation (GDPR) has completely transformed how companies deal with their clients’ personal data. It brought about reforms which are tailor-made for the world of today and promised to come down hard on any companies which failed to respect them.
While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly.
This blog goes hand-in-hand with an article we posted last year, which recounts the worst GDPR fines of 2019. To keep up with what happens in 2020, be sure to bookmark this blog!
Countdown of the biggest GDPR fines in 2020
- TIM - GDPR article 5, 6, 7, 17, 21 and 32 breaches - fined €27.8m
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on with the "opt out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over the course of a month!
Second, the privacy notices for TIM apps and promotions were not transparent and it was unclear about the purpose for which data would be used. Consent was also incorrectly managed and often invalid - with one single consent being used for multiple purposes.
Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.
In addition, there were flaws in its data breach procedures. TIM filed multiple breaches with the DPA but had failed to do so within the 72-hour deadline. In short, its systems and procedures failed to meet the "privacy by design" principle.
- Eni Gas e Luce - GDPR article 5, 6, 7, 21 and 32 breaches - fined €11.5m
In Italy, Eni Gas e Luce (Egl) has been fined €11.5 million by the data protection watchdog for illegal processing of personal data and activating unsolicited contracts.
Its first fine (€8.5m) relates to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations including:
- Marketing calls being made to individuals without their consent or despite them objecting to marketing calls
- Inadequate procedures for checking the public "opt out" register
- No technical or organisational measures to log consent
- Keeping personal data for longer than is necessary
- Acquiring personal information from other entities without checking consent
The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.
- Google LLC - GDPR article 5, 6 and 17 breaches - fined €7m
In March, the Data Protection Authority of Sweden issued Google LLC with a €7m fine for the insufficient fulfillment of data subjects' rights.
The penalty was handed out after the Swedish DPA discovered that Google had not properly removed a pair of search results listings which it had previously ordered the tech company to delete back in 2017. This comes after the DPA carried out a follow-up audit to its initial order in 2018.
The DPA also objected to Google's practice of informing website owners about which results were being deleted from search results pages, specifically pointing out which links were deleted and who was behind the request for removal, as there is no legal requirement for such practice.
- Unnamed Company - GDPR article 5 and 9 breaches - fined €725,000
In April, the Dutch Data Protection Authority announced its intention to fine an organization (whose name has not yet been released to the public) for GDPR violations regarding processing special categories of personal data. The €725,000 fine in question would make it the largest GDPR penalty issued by the Dutch DPA so far.
The company was making use of a time-management system which scanned employees’ fingerprints. Under the GDPR, biometric data is considered sensitive personal data, and the company is accused of the following GDPR violations:
- Lack of proper lawful basis for sensitive personal data collection
- Lack of additional organizational and technical measures for processing such data
- Excessive data collection
- Lack of data deletion orchestration
- Excessively large number of data subjects involved
- Lengthy duration of the violation (10 months)
- Royal Dutch Tennis Association ("KNLTB") - GDPR article 5 and 6 breaches - fined €525,000
The Dutch Data Protection Authority has issued the Royal Dutch Tennis Association ("KNLTB") with a €525,000 fine for the unauthorised sale of personal data. Over 350,000 KNLTB members had their data sold to the association's sponsors, some of whom then went on to contact members via telephone and through the post for marketing purposes.
The personal data sold by KNLTB included the name, gender and address of its members, which had at no point been consented to by the data subjects themselves. The Dutch DPA also rejected the existence of a legitimate interest for the sale of the data, as claimed by KNLTB, and ruled that there was clearly no legal basis for the sale of such data.
- Vodafone España - GDPR article 5, 6 and 32 breaches - fined €302,000
AEPD, the Spanish data regulator, imposed fines totalling €302k on Vodafone España in February 2020 after numerous violations of the GDPR.
One complainant had access to third party data in his personal Vodafone profile, while another complained that the mobile phone company had sent invoices containing his personal information to a neighbour.
Article 5 and 6 breaches - where there was no legal basis for processing - made up the remainder of the fines, where customers were billed for telephone services and subscriptions that they never requested, resulting in their personal information being processed or stored without a lawful basis.
In Germany, Vodafone was also hit with a €100,000 penalty for illegal telemarketing calls.
Other notable UK data-breach fines in 2020
Currys PC World and Dixon's Travel fined £500k for an historic breach
Only a couple of weeks into 2020, the Information Commissioner's Office (ICO) was already demonstrating its resolution to tackle data breaches. Whilst not a GDPR fine - a bullet dodged for sure - we still feel it is worthy of including in the list.
The ICO handed out a £500k fine to DSG Retail Limited - better known as Currys PC World and Dixon's Travel (the maximum possible) for an historic data breach dating back to 2018.
The investigation found:
- Point-of-sale systems were compromised and malware was installed on 5,390 tills at its stores between July 2017 and April 2018 leading to customers' personal data being harvested.
- The company had failed to secure its systems granting unauthorised access to 5.6 million payment card details of transactions and the personal information (including contact details and failed credit checks) of 14 million people.
- Its security arrangements were poor and the company had failed to adequately protect personal data - with inadequate software patching, no local firewall, a lack of network segregation and routine security testing. The ICO said the breach would significantly affect people's privacy, making them vulnerable to financial theft and identity fraud.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!