• Hope & May

Recent GDPR Fines in the EU

The new UK-GDPR (Data Protection, Privacy and Electronic Communications Regulation 2019) is essentially the same as the EU GDPR, with only minor revisions to cover areas of domestic law not adequately catered for by the current EU regulation. These include, amongst other matters, national security, the intelligence services and immigration.

It will remain the responsibility of the ICO to enforce the EU GDPR until it is no longer applicable at the end of the transition period on December 31st, 2020. On the 1st January 2021, the ICO will become the enforcer, supervisor and regulator of the domestic UK-GDPR.

With the first quarter of 2020 behind us, authorities across the EU have continued to issue fines for not complying with the GDPR. With a total of 76 fines in the EU already in 2020, we believe this could be a busy year for the authorities whilst the European Data Protection Board has clearly decided to remind organisations of the importance of complying with Data Protection Law regardless of the current circumstances. Once the UK leaves the EU, the big question of whether the ICO will want to keep in step with the EU’s Data Protection standards will become clearer. We will keep you informed of developments.


Fined €7,000

Article 5(1)(f) & 32

Insufficient technical and organisational measures to ensure information security

March 10th 2020 

An employee had his work computer stolen, which contained the personal data of about 1,600 employees, including sensitive information and information about social security numbers that were not encrypted.

Encrypting all organisation devices is essential to avoid risk to the data subjects you are responsible for protecting.


Fined £500,000

Article 5(2) & Data Protection Act 1998

Failure of sufficient technical and organisational measures to ensure information security

A ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. An attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”


Fined €4,600 

Article 5 & 9

Insufficient basis for processing

March 4th 2020 

A school had used biometric fingerprint scanners to authenticate students for the payment process in the canteen. Although the parents had given written consent, the processing was considered unlawful, as the consent to data processing was not given voluntarily.

Consent should be collected in line with the guidelines set out under Article 7 of the GDPR, which require it to be unambiguous, demonstrable, specific, informed and, most importantly in this case, freely given. Consent must be optional and transparent.


Fined €3,000 

Article 6 & 21

Insufficient legal basis for data processing 

March 25th 2020 

An organisation sent a commercial e-mail to a client even though the client had previously unsubscribed from commercial communications.

Under Article 5 (d) of the GDPR, you are required to keep your data accurate and up to date. It is vital to remove your data subjects' information if they have requested it. Always give your data subjects the option to opt out; this will enhance the consent you have from them and make your organisation more transparent.
