Hope & May

Recent EU GDPR Fines

The European Union’s General Data Protection Regulation (GDPR) was designed to apply to all types of businesses, from multi-nationals down to micro-enterprises. The fines imposed by the GDPR under Article 83 are flexible and scale with the firm. Any organisation that is not GDPR compliant, regardless of its size, faces a significant liability.

The GDPR’s stiff fines are aimed at ensuring best practices for data security are too costly not to adopt. While it remains to be seen how fines will be applied by different EU member states, these fines loom for any organisation not making strides to ensure GDPR compliance.


Fined €50,000

Article 31, 58 & 37 of the GDPR

Lack of appointment of a data protection officer

April 28th 2020

According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches, and the company did not have a system in place to prevent a conflict of interest for the DPO, who also held numerous other positions within the company (head of the compliance and audit department). This led the DPA to conclude that the company's DPO was not able to fulfil their responsibilities and requirements.

The Netherlands

Fined €725,000

Article 5 & 9 of the GDPR

Insufficient legal basis for data processing

April 30th 2020

The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.


Fined €18,700

Article 33 & 34 of the GDPR

Insufficient fulfilment of data breach notification obligations

April 29th 2020

The Swedish data protection authority announced that it had issued a decision fining the National Government Service Centre ('NGSC') for violations of the General Data Protection Regulation, having failed to notify a data breach. In particular, the decision highlights that the Datainspektionen had initiated an investigation against the NGSC upon receiving a number of personal data breach notifications concerning an error in the IT system relating to the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.

In addition, the decision outlines that it had taken almost five months for the NGSC to notify the concerned parties and close to three months for the Datainspektionen to receive a data breach notification. Moreover, the decision notes that the Datainspektionen has ordered the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are complied with.


Fined €5,000

Article 32 of the GDPR

Insufficient legal basis for data processing

May 5th 2020

The data protection authority finds that the company has not taken adequate technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.


Fined 11,200

Article 5 & 6 of the GDPR

Insufficient legal basis for data processing

May 12th 2020

The Swedish data protection authority announced that it had issued a decision fining the Health and Medical Board for violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by illegally publishing the sensitive personal data of a patient. In particular, the Datainspektionen found that the Board did not have a legitimate purpose, a legal basis, or an exemption from the prohibition against the handling of sensitive personal data under the GDPR.
