Belgium + Comments from other countries – Seven months post GDPR: What about fines?
Since the GDPR came into force in May 2018, all European data protection authorities have the power to issue fines for breaches of data privacy and non-compliance. But have they used them? This article explores the first seven months of GDPR enforcement.
The introduction of the General Data Protection Regulation was one of the most hotly anticipated developments the business and legal world has ever seen. One of the main reasons why businesses spend resources on becoming GDPR compliant is the huge fines that can be imposed by the national regulators, known as Data Protection Authorities (DPAs) for not respecting their obligations under the GDPR. Now that the GDPR has been in force for several months, it is interesting to review what has happened with enforcement in practice so far.
Equal powers for DPAs
Before the entry into force of the GDPR, all European countries had a Data Protection Authority (DPA), but there were few countries where the DPA was also able to fine companies that were not compliant with the data protection rules. This led to a huge difference in compliance levels from one country to another, because let’s be honest: the risk of getting fined is an important consideration in choosing whether and how heavily to invest in compliance projects. The GDPR has changed this by granting all EU DPAs the same level of investigatory and corrective powers.
Administrative fines
One of the most far-reaching things a DPA can do since the GDPR, irrespective of the country in which it is located, is to impose administrative fines.
For a number of infringements, the fines can amount to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover for the preceding financial year (whichever is higher), for example when:
- the company did not keep a record of processing activities;
- no processor agreement has been entered into; or
- no data protection officer has been assigned when the organisation should have appointed one.
However, the majority of infringements of the GDPR can be punished with a fine of up to EUR 20 million or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover for the preceding financial year (whichever is higher). This will apply, for example, when:
- the organisation did not respect the basic principles or does not have a legal basis for processing;
- the data subjects’ rights are not guaranteed; or
- transfers of personal data to a third country are not protected.
The GDPR states that these fines must be ‘effective, proportionate and dissuasive’. When assessing whether a fine should be imposed and when determining the amount, DPAs will have to take into account a range of mitigating and aggravating circumstances, such as the nature, the gravity and the duration of the infringement, the intentional or negligent character of the infringement, the nature of the personal data (whether or not it is sensitive), previous infringements by the company and so on.
By granting the DPAs the power to impose these heavy penalties, the European legislator aims to strengthen national ‘watchdogs’ to ensure compliance with the GDPR. The purpose of these heavy penalties is therefore clear: pushing GDPR compliance high up on the agenda of all organisations doing business in Europe, wherever they are headquartered.
Have DPAs already imposed fines?
More than a half a year since GDPR implementation, there has not been a deluge administrative fines all over Europe.
In Belgium, for instance, the DPA has taken the time to inform the public of the consequences of the GDPR by updating its website. It has confirmed that in the first half year of GDPR application, not a single fine has been issued, although it does note that some investigations are already ongoing.
In other countries, the DPA has already set an example by issuing a fine. The Austrian DPA imposed the first-known fine under the GDPR of EUR 4,800 for illegal video surveillance activities. Next came the Portuguese authority, which imposed a fine of EUR 400,000 on a hospital after a staff member illicitly accessed patient data. In France, the first fines were also issued under the GDPR: an employer who used a biometric system to monitor employees’ working time and failed to inform them got a fine of EUR 30,000. The most recent case was one of the regional German DPAs, which issued a fine of EUR 20,000 to a social media company which violated its data security obligations. In this case, the German regulator explained the relatively low fine by referring to the company’s exemplary cooperation with the authority after it discovered the hack and the huge investments the company made in strengthening its information security measures.
On the evidence to date, it seems that DPAs are not competing to issue the highest possible fines, but are striving to improve data protection and data security as much as possible.
Employer’s bottom line
Without a doubt, more fines are on the way. In the Ius Laboris Alliance, our specialised lawyers are ready to assist organisations not only in ensuring they are GDPR compliant to avoid fines, but also when they are confronted with investigations by, or discussions with, DPAs.
The view from other places
Ius Laboris Russia December 20, 2018 at 08:37
GDPR does not directly apply to data processing in Russia and the Russian DPA is not authorised to impose fines for GDPR breaches. However, Russia has recently joined the amended Convention of European Counsel on the protection of individuals in the course of automated processing of personal data. This means that Russian legislation will be brought in line with the new requirements of the Convention. According to the Russian DPA, this is aimed in particular at harmonisation of Russian legislation with EU legislation, which includes the GDPR. The Russian DPA has already confirmed that the changes will relate to implementation of the GDPR data subjects’ rights and data breach notifications into Russian legislation. – Anastasia Petrova
Ius Laboris France December 20, 2018 at 08:38
In France, the first fines have been issued under the GDPR: the DPA issued a fine of EUR 10,000 for failure to ensure the security of data processing and a fine of EUR 30,000 for illegal use of a biometric system to monitor employee working time and failure to inform employees of data processing. – Guillaume Bordier & Basile Moore – Capstan
Ius Laboris Denmark December 20, 2018 at 08:40
To our knowledge, no GDPR fines have yet been issued in Denmark. The Danish DPA has stated that it will not issue any administrative fines before having tried some cases in the courts to establish a level for the fines. The first cases are said to be being handed over to the police during the autumn: it is then up to the police to bring the cases to court. – Elsebeth Aaes-Jorgensen – Norrbom Vinding
Ius Laboris Czech Republic December 20, 2018 at 08:41
In the Czech Republic the DPA (The Office for Personal Data Protection) was also able to fine companies for failure to comply with data protection legislation prior to the application of the GDPR. According to the publicly available information and consultation with the DPA, there has not yet been any fine issued solely based on the GDPR. However, some inspections in order to check compliance with the GDPR have already occurred.
Nevertheless, the DPA has issued an opinion that between entry into force of the GDPR and adoption of forthcoming national legislation to implement it (this has not yet been adopted and is currently in the legislative procedure in the Senate), the DPA is focussing especially on raising controllers’ awareness of the data protection duties and not primarily on punishing small controllers for minor and negligent misconduct.
Under the old rules, the highest fine which was imposed amounted to EUR 15,000. – Irena Lišková – Randl Partners
Ius Laboris Italy December 20, 2018 at 08:42
According to the Italian DPA’s investigative activities agenda, the second part of 2018 has been focused on companies and organisations managing databases of significant dimensions, banks and telemarketing companies. There is no information available on the amount of fines issued by the Italian DPA in this period but it is known that the highest fines issued so far are connected to violations committed before May 25 2018 (TLC sector).
The above could be due to the fact that a few months after the GDPR becoming effective, the Italian Parliament passed a Decree in order to make the Italian Privacy Code compliant with the GDPR. The Decree stated that, in applying the sanctions and for the first eight months (i.e. from 19 September 2018) the Italian DPA should take into account that it is still in ‘the phase of first application of the sanctions’. – Paola Pucci – Toffoletto De Luca Tamajo e Soci
Ius Laboris Portugal December 20, 2018 at 08:44
Two fines were imposed (EUR 30,000.00 and EUR 100,000.00) as result of hospital staff accessing patient data indiscriminately and the data processor (the hospital) being unable to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault. The hospital announced that it will appeal the decision in court due to lack of legitimacy of the DPA to impose GDPR-related fines. – Bruno Barbosa – PBBR
Ius Laboris Israel December 20, 2018 at 08:45
Israel is not part of the EU, therefore the GDPR was not adopted into local privacy legislation. Nevertheless, the Israeli Privacy Law sets out administrative fines which can be imposed by the Israeli Protection of Privacy Authority (PPA) for certain breaches of the Privacy Law (e.g. non-registration of a database, the failure to provide privacy notices to data subjects, breach of the obligation to provide access and review rights to data subjects, etc.).
Currently, the amounts of fines that can be imposed are very low (approximately NIS 10,000 or NIS 25,000 for corporate entities). There is a draft bill that aims to increase the PPA’s administrative powers, including the amount of fines that the PPA can impose for violations of the Privacy Law (up to NIS 3.2 million, depending on the sensitivity of the personal data and the number of affected data subjects involved). However, it is currently unclear if and when such draft bill will come into force. – Ohad Elkeslassy – Herzog Fox & Neeman
Ius Laboris Hungary December 20, 2018 at 08:47
The Hungarian Data Protection Authority (HDPA) has initiated 1063 proceedings in relation to data protection issues and found several infringements since the GDPR became applicable until the end of October. After 26 July, the HDPA initiated 28 data protection procedures applying the GDPR: the amendment of the Hungarian Data Protection Act entered into force on 30 June.
According to information given by Attila Péterfalvi, the president of HDPA, a majority of data protection procedures have not yet reached a stage of the proceedings when decisions will be made, so fines have not been imposed. On the basis of the authority’s experience, typical infringements remain unchanged since the GDPR entered into force: the largest number of complaints submitted relate to video surveillance, monitoring of employees in the workplace and winding-up institutions’, banks’ and online shops’ processing of personal data. – Dr. Nóra Óváry-Papp – CLV Partners
Ius Laboris Netherlands December 20, 2018 at 08:49
The Dutch Data Protection Authority (DDPA) has not issued any fines based on the GDPR yet. However, the DDPA did recently (November 2018) impose a fine on based on the previous privacy legislation. The EUR 600.000 fine was imposed on Über under the Act on Notification of Data Breaches (Wet Meldplicht Datalekken) as a result of a breach in 2016 and the failure to notify this breach to the DDPA within 72 hours. This Act (including the power for the DDPA to impose fines) came into force in the Netherlands in 2016. The obligation to notify data breaches under the GDPR is very similar to the obligation in the Act. – Ilse Baijens – Bronsgeest Deur Advocaten
Ius Laboris Mexico December 20, 2018 at 08:50
The Mexican DPA (’NAI’) has been active in imposing fines for infringements of the data protection law. Fines have often been hefty, as these may be of up to MXN 25.000.000 (or EUR 1.098.000). If sensitive personal data is involved, fines may double. This also applies in cases of recidivism. The NAI imposes approximately 65- 85 fines per year. – Teresa Espinosa – Basham, Ringe y Correa, S.C.
Ius Laboris Germany December 20, 2018 at 08:51
The example described above is indeed the first published case of a fine being handed out in Germany. Many would have expected one of the larger companies, potentially one of the data-hungry Internet companies such as Facebook, to be the first victim. Instead, it was social network Knuddels, a smaller network aimed mostly at teenagers, with an annual turnover of EUR 1.7 million in 2016 according to online sources. During a hack in July 2018, data from about 330,000 users (including email addresses and passwords) became known because they were not protected against hacking by means such as encryption. When the network became aware of the hack, they filed a data breach report to the authority on 8 September 2018.
As stated above, the Data Protection Authority took into account that the network proactively reported the breach, and were very transparent during the process. They also made investments in their data security very swiftly and are planning further improvements over the coming weeks. – Jessica Jacobi – KLIEMT.Arbeitsrecht
Ius Laboris Austria December 20, 2018 at 08:52
Since the entry into force of the GDPR in Austria, more than 60 official investigations have been initiated and more than 110 administrative criminal proceedings are currently pending. So far, fines on the basis of the GDPR and the national legislation implementing it have been imposed in four cases. All four decisions concerned illegal video surveillance and the imposed fines varied from EUR 300 to EUR 4800. The highest penalty so far was imposed on a betting shop operator, who had not sufficiently marked his video surveillance system and taped an unnecessarily extensive part of the pavement in front of the shop. The Austrian data protection authority stated that in this case a higher penalty would have been disproportionate.
According to the Austrian Data Protection Act, the implementation of the GDPR regulations must be proportionate and therefore an initial infringement will only lead to a warning and not to immediate sanctions. It is not clear from the information available if in the four cases mentioned a previous warning has been given or if the fines were imposed based on the extensive public surveillance, which was already forbidden before the GDPR regulations came into force. – Birgit Vogt-Majarek – Schima Mayer Starlinger Rechtsanwälte
- Link, where you can find the article https://theword.iuslaboris.com/hrlaw/insights/belgium-seven-months-post-gdpr-what-about-fines
- Date: 18. 09. 2019