As we head towards the final quarter of 2021, we have just seen the biggest ever GDPR fine, topping off a year of multi-million fines for GDPR breaches.
We explain the reasons for these penalties and provide tips for how to prevent your company from committing similar breaches!
Top 10 GDPR fines in 2021
- Amazon Europe - €746m fine
- WhatsApp Ireland - €225m fine
- Notebooksbilliger.de - €10.4m fine
- Vodafone España - €8.15m fine
- Caixabank SA - €6m fine
- Fastweb SpA – €4.5m fine
- Iren Mercato - €2.9m fine
- Foodinho - €2.6m fine
- Mercadona - €2.5m fine
- Deliveroo Italy - €2.5m fine
- Unser Ö-Bonus Club - €2m fine
- SGAM AG2R La Mondiale - €1.75m fine
- Storstockholms Lokaltrafik - €1.6m fine
- EDP Energía - €1.5m fine
- EDP Comercializadora - €1.5m fine
- MedHelp - €1.2m fine
- Equifax Iberica - €1m fine
- Air Europa Lineas Aereas - €600k fine
- Municipality of Enschede - €600k fine
- Brico Privé - €500k fine
- OLVG - €440k fine
The biggest 2021 GDPR fines in detail
1. Amazon Europe - €746m fine
GDPR breaches - Non-compliance with general data processing principles
Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of the way it uses customer data for targeted advertising purposes.
In 2018, French privacy rights group La Quadrature du Net submitted a complaint.
The complaint, which also targeted Apple, Facebook, Google and LinkedIn, was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial ends by choosing what advertising and information they received.
The CNPD ruled that Amazon must commit to changing its business practices.
2. WhatsApp Ireland - €225m fine
GDPR breaches - Articles 5, 12, 13, 14
Ireland's data authority fined WhatsApp £193m for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards.
A 2018 investigation revealed that WhatsApp was not transparent enough with its customers about how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under the GDPR, and had received complaints from eight countries, including Germany, France and Italy.
3. Notebooksbilliger.de - €10.4m fine
GDPR breaches - Articles 5 & 6
The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against notebooksbilliger.de, an online retailer, for video monitoring its employees for over two years without any legal basis.
The LfD Niedersachsen noted that the cameras recorded workplaces, salesrooms, warehouses, and common areas, among other places. While notebooksbilliger.de claimed that the video camera installation aimed to prevent and investigate criminal offences and to track the flow of goods in the warehouses, a company must first examine milder means, such as random bag checks when employees are leaving the business premises, according to the LfD Niedersachsen.
Video surveillance to uncover criminal offences is lawful if there is justified suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period of time. However, the LfD Niedersachsen discovered that at notebooksbilliger.de, video surveillance was neither limited to a specific period of time nor particular employees.
In many cases, the company saved the recordings for 60 days, which is significantly longer than necessary. In addition, the LfD Niedersachsen outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.
4. Vodafone España - €8.15m fine
GDPR breaches - Articles 21, 23, 24, 28, 44, 48
As recently as March 2021, the Spanish data protection authority, AEPD, imposed its largest-ever fine of €8.15 million on the mobile telephone network operator Vodafone España.
According to the AEPD, Vodafone España had violated multiple data protection laws while carrying out various marketing campaigns and non-compliant data transfers.
Through its investigations, the AEPD found that Vodafone had failed to comply with the GDPR: it, along with its distributors, collaborators and agents, had contacted customers by email, telephone and text message even though those customers had opted out of its marketing campaigns.
In its defence, Vodafone claimed that it had been trialling a new routing system to verify the legality of its data and filter out users who had opted out of marketing communications.
However, the AEPD had concluded that the system had continued to send marketing messages to those who had specifically opted out of receiving these and noted that there should have been a filtering system for all parties to use.
The AEPD found no guarantees were put in place by the processors to ensure that they had implemented effective technical and organisational measures and that Vodafone had made no such requirements.
Vodafone had also transferred personal customer data to a telecom supplier in Peru, which is outside the European Economic Area. That contract made no provision to abide by the clauses the GDPR requires when sharing data with such countries.
5. Caixabank SA - €6m fine
GDPR breaches - Articles 6 & 14
In mid-January 2021, the AEPD issued a €6 million fine to Caixabank SA for breaching Articles 6, 13 and 14 of the GDPR.
The Spanish data protection authority found in its investigations that Caixabank did not sufficiently justify the legal basis for processing personal data belonging to its customers, and that the bank did not obtain valid, unequivocal and informed consent from its customers before processing their data.
There was also insufficient information on the customer user profiles made by the bank, how these were leveraged, what rights customers had over these profiles and what the data retention periods were for these.
6. Fastweb SpA – €4.5m fine
GDPR breaches - Articles 5, 6, 7, 12, 13, 21, 24, 25, 32, 33, 34
In April 2021, the Italian data protection authority, Garante, had issued a €4.5 million fine on Fastweb SpA, a telecommunications company that provides landline, broadband internet, and IPTV (internet protocol television) services in Italy.
Following hundreds of complaints and reports made by consumers, Garante had conducted a complex investigation in which it had found that Fastweb had processed the personal data of millions of its users for telemarketing purposes without obtaining their consent.
Garante had also found that Fastweb used fictitious telephone numbers or numbers not registered with the Register of Communication Operators ('RCO') to contact its users to promote its telephone and internet services.
It had found the security measures for Fastweb's customer data management systems to be inadequate as well.
7. Iren Mercato - €2.9m fine
GDPR breaches - Articles 5(1), 5(2), 6(1), 7(1)
Garante, the Italian data protection authority fined Iren Mercato SpA, a company operating in the energy sector, €3 million for undertaking telemarketing without valid consent.
Following various complaints and reports, it was found that the personal data Iren processed for telemarketing had been obtained indirectly from a third-party source, Nethex Digital Marketing.
Nethex had acquired the data, as an independent data controller, from two other companies. Those two companies had obtained the necessary consent from their customers for the telemarketing activities carried out by both themselves and by third parties, including Nethex. Importantly, that consent did not extend to the transfer of customer data from Nethex to Iren.
Garante found that Iren had failed to verify that all of its telemarketing was based on free, specific, and informed consent, hence breaching the principles of lawfulness, transparency and accountability.
8. Foodinho - €2.6m fine
GDPR breaches - Articles 5(1), 13, 22(3), 25, 30(1), 32, 35, 37(7)
Garante, the Italian data protection authority, fined Foodinho €2.6m for its use of performance algorithms in connection with its employees.
Foodinho was found in breach of the principles of transparency, security, and privacy by default and by design, and had not implemented suitable measures to safeguard employee rights and freedoms against discriminatory automated decision-making.
Foodinho made decisions about its riders based solely on automated decision making, by analyzing or predicting aspects of their professional performance, behaviour, and their location and movements. This significantly affected the riders, excluding some riders from work.
The company did not adopt any measures that would allow their riders to exercise their rights or inform them of these rights. No system was adopted to check for accuracy or reduce the risk of discrimination in respect of either the excellency or work allocation system.
The decision was the first relating to algorithmic management of gig workers.
9. Mercadona - €2.5m fine
GDPR breaches – Articles 5(1), 6, 9, 12, 13, 25(1), 35
The Spanish data protection authority, AEPD, fined the Mercadona supermarket chain €2.5 million for unlawful use of facial recognition.
Mercadona was using a facial recognition system in 48 of its Spanish shops to detect individuals with criminal convictions or restraining orders. The system also captured facial images of all customers entering their supermarkets, including children and employees.
The AEPD found the processing of biometric data through its facial recognition system unlawful, as none of the legal grounds available under Article 9 of the EU GDPR could be used by Mercadona. In addition, it found that the processing did not meet the principles of necessity, proportionality and data minimization, transparency and privacy by design.
The data protection impact assessment conducted by Mercadona was insufficient and incomplete as it did not account for the risks posed to Mercadona employees by the data processing.
10. Deliveroo Italy - €2.5m fine
GDPR breaches – Articles 5(1), 13, 22(3), 25, 30(1), 32, 35, 37(7)
Garante, the Italian data protection authority, fined Deliveroo Italy €2.5m for its use of algorithms in connection with its employees, in a case similar to Foodinho.
Deliveroo collected a disproportionate amount of personal data of its riders in violation of the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR.
The company used this data for the automated rating of riders' performance and the assignment of work. It was not sufficiently transparent about the algorithms used to manage its riders, both for the assignment of orders and for the booking of work shifts.
Garante imposed a number of corrective measures on Deliveroo. These included compliance with transparency requirements and implementing appropriate measures to periodically verify the correctness and accuracy of the results from their algorithmic systems.
11. Unser Ö-Bonus Club - €2m fine
GDPR breaches – Articles 6, 7, 12
The Austrian data protection authority fined loyalty program operator Unser Ö-Bonus Club €2 million for unlawful user data collection.
Registrants to the Unser Ö-Bonus Club program had their shopping behaviour collected and analysed to create a unique customer profile. Unser Ö-Bonus Club then passed this information to advertising partners for profit, while users were unaware of both the data processing and the sale of their profiles.
The processing was in fact described further down the form, but the consent prompt was positioned at the top. This meant that everyone accepted the terms without having been informed what they entailed.
The initial investigation alerted Unser Ö-Bonus Club about this problem and they admitted that the form elements were incorrectly laid out.
The company served users with inadequate consent declarations, engaged in unlawful processing of personal customer data for profiling purposes, and didn't rectify the situation even after admitting their wrongdoing.
12. SGAM AG2R La Mondiale - €1.75m fine
GDPR breaches – Articles 5, 13 & 14
The French Data Protection Authority (CNIL) fined SGAM AG2R La Mondiale €1.75m for failing to comply with the GDPR in respect of data retention periods and the information provided to individuals.
The first breach involved an excessive retention period for personal data.
The CNIL noted the absence of an archiving mechanism that would allow customer data to be kept for accounting, tax or litigation purposes within the maximum applicable limitation periods, either by transferring them to a dedicated archive or by putting in place access restrictions. This meant that customer data was being retained for an unjustifiable period after customer contracts had ended.
The second breach concerned telemarketing calls made by subcontractors, which involved:
- failing to inform contacts why calls were recorded or their right to object;
- failing to provide information concerning the processing of their personal data or the other rights they have with regard to their data;
- failing to provide information on how to obtain more information on the protection of their personal data, e.g. by sending an e-mail.
13. Storstockholms Lokaltrafik - €1.6m fine
GDPR breaches – Articles 5, 6 & 13
The Swedish Authority for Privacy Protection (IMY) fined Storstockholms Lokaltrafik SEK 16,000,000 for GDPR breaches relating to its use of body-worn cameras during ticket inspections.
The IMY found that the surveillance had been undertaken unlawfully. It had breached the principles of transparency, data minimisation and also failed to provide data subjects with sufficient information.
14. EDP Energía - €1.5m fine
GDPR breaches – Articles 13 & 25
In May 2021, the Spanish data protection authority, AEPD, issued a €1.5 million fine on EDP Energía, S.A.U, an energy supplier to businesses and communities in Spain.
Following various complaints from customers about their data being processed and used without their explicit consent, the AEPD conducted an investigation that found that EDP Energía had failed to implement the required technical and organisational measures and to obtain consent when contacting customers via representatives.
The AEPD had also found that EDP Energía had provided insufficient information to data subjects when contracting through different service providers as well as severely breaching Article 25 of the GDPR.
15. EDP Comercializadora - €1.5m fine
GDPR breaches - Articles 23 & 25
Also in May 2021, the AEPD, the Spanish data protection authority, issued a fine of €1.5M to EDP Comercializadora S.A, a utility provider to companies in Spain, for violating the security and transparency clauses of the GDPR.
The AEPD had found that EDP Comercializadora had failed to implement the required technical and organisational security measures to protect customer data when entering a gas services contract through various third parties.
It found that there was no procedure in place whereby representatives could prove that they were working on behalf of EDP Comercializadora, which meant any data that was shared could potentially have been exposed to the risks of identity theft or fraud and other economic damages.
The AEPD had also found that EDP Comercializadora had breached Article 13 of the GDPR because it had failed to provide sufficient information to data subjects when entering contracts through different service providers.
16. MedHelp - €1.2m fine
GDPR breaches – Articles 5, 6, 9, 13, 32
In June 2021, the Swedish Authority for Privacy Protection, IMY, issued a €1.2 million fine to MedHelp, for a leak of sensitive data.
Although the company had contracted out the processing of call recordings to another company, the regulator judged that, as the data controller, it was MedHelp's responsibility to ensure that the data was stored securely. Instead, it was stored on a server that did not even have passwords set up.
The issue came to light via an anonymous tip to a journalist.
As the third party processor fell outside Swedish jurisdiction they only received an administrative fine, as did the municipal region for failing to inform citizens of their rights in this case.
17. Equifax Iberica - €1m fine
GDPR breaches - Articles 5, 6 & 14
In April 2021, the AEPD issued a €1M fine on Equifax Iberica for violating the lawfulness, accuracy and transparency clauses of the GDPR.
The AEPD had received 96 complaints where personal data of individuals associated with alleged debts were included in the File of Judicial Claims and Public Bodies ('FIJ') without their consent.
This data was made publicly available – through newspapers and newsletters – to notify the public that an administrative or judicial resolution was to be made effective in this matter.
This also meant that Equifax Iberica had failed to comply with the transparency clauses as stated in Article 14 of the GDPR.
18. Air Europa Lineas Aereas - €600k fine
GDPR breaches - Articles 32 & 33
In March 2021, the AEPD issued a €600k fine on Air Europa Lineas Aereas for a massive data security breach that affected approximately 489,000 individuals and 1,500,000 data records.
The Spanish data protection authority also found that the airline had failed to implement the required technical and organisational measures, and had notified the AEPD of the data breach 41 days late.
19. Municipality of Enschede - €600k fine
GDPR breaches - Articles 5 & 6
Towards the end of April 2021, the Dutch city of Enschede was fined €600k by the country's privacy watchdog for tracking mobile Wi-Fi signals using a system that is meant to measure crowds.
The municipality had been using this system until 1 May 2020, over two years after the new legislation came into force. The GDPR deems the use of such data surveillance technologies without the prior consent of the individuals concerned to be unlawful.
However, the watchdog has said that while the municipality's intention may not have been to track individuals, the fact that such a provision has been in place is a data security breach in itself.
The Mayor of Enschede feels the city has been "unjustly punished" and says it will appeal for this fine to be withdrawn.
20. Brico Privé - €500k fine
GDPR breaches - Articles 5, 13, 17, 32
The French data regulator, CNIL, fined the company Brico Privé €500k.
The company was retaining data from customers who had not bought a product in the last five years. Data subjects were also not adequately informed of their rights, and the right to be forgotten was not being respected. Finally, data security was not strong enough.
21. OLVG - €440k fine
GDPR breach - Article 32
In February 2021, the Dutch data protection authority, AP, issued a €440k fine on OLVG Hospital for violating patient privacy.
After receiving a tip from a concerned citizen, the AP had conducted an investigation that found that the hospital did not take sufficient security measures that would prevent unauthorised employees from gaining access to medical records. It also found inadequate computer security and a low level of checks on those who could view patient files.
OLVG Hospital has implemented the required improvements following this investigation.
What can we learn from these GDPR fines?
In some instances, the only conclusion is that the companies involved seemed to have forgotten that the GDPR existed. However, amongst the other penalties there are some common themes to be learned from:
- Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and what your lawful basis is for doing so.
- Never use personal information in ways that are unfair, detrimental, unexpected or misleading.
- Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
- Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
- Appoint a Data Protection Officer (DPO), someone with overall responsibility who can ensure proper governance and accountability across your company.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!