Hope & May

Recent EU GDPR Fines

The European Union’s General Data Protection Regulation (GDPR) was designed to apply to all types of businesses, from multi-nationals down to micro-enterprises. The fines imposed by the GDPR under Article 83 are flexible and scale with the firm. Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.

Twitter has been facing investigations by the Irish DPC since 2019, when it reported a data breach within the 72-hour deadline. What appeared to be a relatively simple case took a turn as EU counterparts began to weigh in. Failure to agree on the best course of action has resulted in significant delays in settling the case. This month, the Irish DPC was forced to trigger, for the first time, a dispute-resolution mechanism provided by the GDPR. The mechanism is used where one regulator is leading an EU-wide investigation and other EU regulators do not agree with its approach. This came to fruition following the Irish DPC's publication of a draft decision against Twitter in May 2020; other supervisory bodies did not agree with the approach laid out in that draft decision. The dispute mechanism is set out in Article 65 of the GDPR and gives the other national regulators the power to have a say in the final outcome. It is thought that some of the other big tech cases pending in Ireland may meet the same fate: the Irish DPC has 23 live investigations into multinational tech companies, including WhatsApp, Instagram and Facebook. The Irish DPC has faced scrutiny from privacy advocates for taking too long to resolve these investigations. It remains in the spotlight after the Schrems II judgment, so it will be interesting to see how this might affect its strategy. The outcome of the dispute-resolution mechanism in the Twitter case will shed crucial light, for other companies, on how EU regulators are likely to deal with privacy violations going forward.


Fined €250,000

Under Article 5(1), Article 13 & Article 14 of the GDPR

Non-compliance with general data processing principles

A fine of EUR 250,000 was imposed on the online retailer Spartoo. The company, which has its headquarters in France but supplies a large number of European countries, recorded all telephone hotline conversations in full (including personal data such as addresses and the bank details given for orders) and, in addition, stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimisation. The supervisory authority also found a violation of the information obligations under Art. 13 GDPR, as the company's data protection information was partially incorrect.


Fined €15,000

Under Article 5, Article 6, Article 12, Article 13, Article 15, Article 17 of the GDPR

Insufficient Legal Basis for Processing

The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not respond to his requests for access and erasure.


Fined €20,100

Under Article 5 and Article 32 of the GDPR

Insufficient technical and organisational measures to ensure information security

In the context of a real estate sale, the company had distributed USB sticks to tenants which contained not only non-personal information on the properties in question but also personal data of other persons, such as lease agreements and other documents containing confidential personal data.


Fined €2,000

Under Article 32 of the GDPR

Insufficient technical and organisational measures to ensure information security

The Romanian Post, as data controller, processed personal data (the telephone numbers and e-mail addresses of 81 data subjects) without appropriate technical and organisational measures, such as pseudonymisation.


Fined €2,000

Under Article 17 of the GDPR

Insufficient fulfilment of data subject rights

The company had not informed the data subject, within one month (or up to three months where a reason for the delay is given), of the measures taken following the request for deletion of data.


Fined €3,000

Under Article 13 of the GDPR

Insufficient fulfilment of information obligations

Just Landed was fined EUR 3,000 for insufficient cookie information under national data protection law and, at the same time, was warned for insufficient fulfilment of the information obligations under Art. 13 GDPR (its privacy policy was available only in English).


Fined €5,000

Under Article 5(1)(b) of the GDPR

Non-compliance with general data processing principles

The Socialist Party of Catalonia used personal data provided by a medical professional to send a letter to the complainant's relative asking for political support. This is a purpose different from the original purpose of collection and therefore violates the principle of purpose limitation.
