Breaching the GDPR can cost you millions in fines, which is why we are tracking the size and reasons for the biggest GDPR fines of 2021 - to help you avoid them!
We are only halfway into 2021, and there have already been some multi-million fines for GDPR breaches. To help you avoid joining this list, make sure you read our tips for how these fines could have been avoided!
Top 10 GDPR fines in 2021
- Notebooksbilliger.de - €10.4m fine
- Vodafone España - €8.15m fine
- Caixabank SA - €6m fine
- Fastweb SpA - €4.5m fine
- EDP Energía - €1.5m fine
- EDP Comercializadora - €1.5m fine
- Equifax Iberica - €1m fine
- Air Europa Lineas Aereas - €600k fine
- Municipality of Enschede - €600k fine
- OLVG - €440k fine
The biggest 2021 GDPR fines in detail
1. Notebooksbilliger.de - €10.4m fine
GDPR breaches - Articles 5 & 6
The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.
The LfD Niedersachsen noted that the cameras recorded workplaces, salesrooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the video camera installation aimed to prevent and investigate criminal offences and to track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees are leaving the business premises, according to the LfD Niedersachsen.
Video surveillance to uncover criminal offences is lawful if there is justified suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period of time. However, the LfD Niedersachsen discovered that at notebooksbilliger.de, video surveillance was neither limited to a specific period of time nor particular employees.
In many cases, the company saved the recordings for 60 days, which is significantly longer than necessary. In addition, the LfD Niedersachsen outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.
2. Vodafone España - €8.15m fine
GDPR breaches - Articles 21, 23, 24, 28, 44, 48
As recently as March 2021, the Spanish data protection authority, the AEPD, imposed its largest-ever fine of €8.15 million on the mobile telephone network operator Vodafone España.
According to the AEPD, Vodafone España violated multiple data protection rules while carrying out various marketing campaigns and making non-compliant data transfers.
Through its investigations, the AEPD found that Vodafone had failed to comply with the GDPR because it, along with its distributors, collaborators and agents, had contacted customers who had opted out of its marketing campaigns via email, telephone and text.
In its defence, Vodafone claimed that it was trialling a new routing system to verify the legality of its data and filter out users who had opted out of marketing communications.
However, the AEPD concluded that the system had continued to send marketing messages to people who had specifically opted out of receiving them, and noted that a filtering system should have been available to all parties involved.
The AEPD also found that the processors had put no guarantees in place to ensure they had implemented effective technical and organisational measures, and that Vodafone had imposed no such requirements on them.
Vodafone had also transferred personal customer data to a telecom supplier in Peru, outside the European Economic Area. That contract did not include the clauses the GDPR requires when sharing data with such countries.
3. Caixabank SA - €6m fine
GDPR breaches - Articles 6, 13 & 14
In mid-January 2021, the AEPD issued a €6 million fine to Caixabank SA for breaching Articles 6, 13 and 14 of the GDPR.
The Spanish data protection authority found in its investigations that Caixabank did not sufficiently justify the legal basis for processing its customers' personal data, and that the bank did not obtain valid, unequivocal and informed consent from its customers before processing their data.
The bank also provided insufficient information about the customer profiles it created, how these were used, what rights customers had over them and how long the data would be retained.
4. Fastweb SpA - €4.5m fine
GDPR breaches - Articles 5, 6, 7, 12, 13, 21, 24, 25, 32, 33, 34
In April 2021, the Italian data protection authority, the Garante, issued a €4.5 million fine to Fastweb SpA, a telecommunications company that provides landline, broadband internet and IPTV (internet protocol television) services in Italy.
Following hundreds of complaints and reports from consumers, the Garante conducted a complex investigation and found that Fastweb had processed the personal data of millions of its users for telemarketing purposes without obtaining their consent.
The Garante also found that Fastweb had used fictitious telephone numbers, or numbers not registered with the Register of Communication Operators ('RCO'), to contact its users and promote its telephone and internet services.
It also found the security measures for Fastweb's customer data management systems to be inadequate.
5. EDP Energía - €1.5m fine
GDPR breaches - Articles 13 & 25
In May 2021, the Spanish data protection authority, the AEPD, issued a €1.5 million fine to EDP Energía, S.A.U, an energy supplier to businesses and communities in Spain.
Following various complaints from customers about their data being processed and used without their explicit consent, the AEPD conducted an investigation and found that EDP Energía had failed to implement the required technical and organisational measures, and had failed to obtain consent when contacting customers through representatives.
The AEPD also found that EDP Energía had provided insufficient information to data subjects when contracting through different service providers, and had seriously breached Article 25 of the GDPR.
6. EDP Comercializadora - €1.5m fine
GDPR breaches - Articles 13 & 25
Also in May 2021, the AEPD issued a €1.5 million fine to EDP Comercializadora S.A, a utility provider to companies in Spain, for violating the security and transparency provisions of the GDPR.
The AEPD found that EDP Comercializadora had failed to implement the required technical and organisational security measures to protect customer data when customers entered gas services contracts through various third parties.
It found that there was no procedure by which representatives could prove they were working on behalf of EDP Comercializadora, which meant that any data shared with them could have been exposed to identity theft, fraud and other economic harm.
The AEPD also found that EDP Comercializadora had breached Article 13 of the GDPR by failing to provide sufficient information to data subjects when they entered contracts through different service providers.
7. Equifax Iberica - €1m fine
GDPR breaches - Articles 5, 6 & 14
In April 2021, the AEPD issued a €1 million fine to Equifax Iberica for violating the lawfulness, accuracy and transparency provisions of the GDPR.
The AEPD had received 96 complaints from individuals whose personal data, associated with alleged debts, had been included in the File of Judicial Claims and Public Bodies ('FIJ') without their consent.
This data was made publicly available – through newspapers and newsletters – to notify the public that an administrative or judicial resolution was to be made effective in this matter.
This also meant that Equifax Iberica had failed to comply with the transparency clauses as stated in Article 14 of the GDPR.
8. Air Europa Lineas Aereas - €600k fine
GDPR breaches - Articles 32 & 33
In March 2021, the AEPD issued a €600k fine to Air Europa Lineas Aereas for a massive data security breach that affected approximately 489,000 individuals and 1,500,000 data records.
The Spanish data protection authority also found that the airline had failed to implement the required technical and organisational measures, and had notified the AEPD of the data breach with a delay of 41 days.
9. Municipality of Enschede - €600k fine
GDPR breaches - Articles 5 & 6
Towards the end of April 2021, the Dutch city of Enschede was fined €600k by the country's privacy watchdog for tracking mobile Wi-Fi signals using a system that is meant to measure crowds.
The municipality had been using this system until 1 May 2020, over two years after the new legislation came into force. Under the GDPR, using such data surveillance technologies without the prior consent of the individuals concerned is unlawful.
However, the watchdog said that while the municipality's intention may not have been to track individuals, the fact that such a capability had been in place is a data security breach in itself.
The Mayor of Enschede feels the city has been "unjustly punished" and says it will appeal for this fine to be withdrawn.
10. OLVG - €440k fine
GDPR breach - Article 32
In February 2021, the Dutch data protection authority, AP, issued a €440k fine on OLVG Hospital for violating patient privacy.
After receiving a tip from a concerned citizen, the AP conducted an investigation and found that the hospital had not taken sufficient security measures to prevent unauthorised employees from accessing medical records. It also found inadequate computer security and too few checks on who could view patient files.
OLVG Hospital has implemented the required improvements following this investigation.
What can we learn from these GDPR fines?
In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, the other penalties share some common themes to learn from:
- Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and what your lawful basis is for doing so.
- Never use personal information in ways that are unfair, detrimental, unexpected or misleading.
- Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
- Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
- Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!