One year of GDPR - the five biggest violations and highest penalties
On May 25, 2018, the EU General Data Protection Regulation (EU GDPR), the most comprehensive data protection law in the world to date, came into effect. One year later, Micro Focus takes stock of some of the GDPR's rough edges. According to Micro Focus, numerous breaches of the GDPR have been identified to date - in Germany, for example, 81 cases have been recorded with fines totalling €485,490.
The GDPR has also left its mark across Europe. Many of these violations are rather small, but there have been some notable missteps by companies with high fines. Micro Focus has compiled the five most interesting cases below:
1.) 50 million euros - Internet giant Google in the firing line
January 2019
The French data protection authority CNIL imposed its first GDPR fine on Google, making it the largest fine in the history of European data protection to date: 50 million euros. The authority accuses Google of two violations of the European GDPR. The essential data protection information was spread over several documents and could thus not be found at all, or only with difficulty, by laypersons. This violates the principle of transparency. Furthermore, the information provided by Google, even when found in its entirety, is too imprecise to give the user real insight into the purposes of the data collection. In addition, the consent settings for personalised advertising were found to be unlawful. The complaints were lodged by the organisation Noyb and by the French organisation La Quadrature du Net. In addition to the current action against Google, Noyb has also recently filed similar complaints against major streaming services such as Netflix, Apple Music, Amazon Prime and Spotify. The sanctions could theoretically be even higher than 50 million euros, as the penalty can amount to up to two percent of worldwide annual turnover.
2.) Not a good deal - Almost 1 million zloty fine for unrepentant data trader
April 2019
The Polish data protection authority UODO imposed a fine of 943,000 zlotys, which is equivalent to around 220,000 euros, on the joint stock company Bisnode AB. The sanctioned company is a provider of digital business information that had collected personal data in order to compile it in its own database and use it for commercial purposes. The company obtains its data sets from publicly available sources. The fine was imposed because the company had failed to comply with its information obligations. In total, almost six million data records were affected. According to Art. 14 GDPR, the company should have informed the data subjects about the use of the data - in all six million cases. As it turned out in the proceedings, the responsible parties acted deliberately and knowingly failed to inform data subjects about the use of their personal data. This circumstance, as well as the company's lack of insight into its own failings, had a direct influence on the amount of the fine imposed.
3.) Sensitive patient data in the hands of fake doctors?
October 2018
In October 2018, the Portuguese data protection authority CNPD imposed the first significant fine in Europe for a breach of the GDPR. The Barreiro Montijo hospital near Lisbon had to pay a total of 400,000 euros. Among other things, the data protection authority cited the fact that too many people had unauthorised access to confidential patient data as the reason. The hospital operator had "knowingly" and with full intent granted internal IT technicians access to data that should only be accessible to doctors. In addition, a total of 985 active users were registered as "physicians" in the system, even though only 296 physicians worked at the hospital in 2018. The hospital justified this by saying that temporary profiles were created as part of a service contract, which would explain the discrepancy in the figures.
4.) Not up for cuddling - Germany's first GDPR sanction
November 2018
Germany imposed its first fine for a breach of the GDPR in November 2018, after the social and dating website Knuddels.de reported a data breach of 1.87 million username and password combinations and 800,000 user email addresses in September. The data protection authority of the German state of Baden-Württemberg found that the website had stored the passwords in plain text, which violated the GDPR's requirement of "pseudonymisation and encryption of personal data". However, because the breach was reported promptly, the authority showed significant leniency towards Knuddels. Moreover, the website responded quickly and informed the affected users without delay. The fine of 20,000 euros was therefore comparatively small.
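As an added example (not code from the original article or from Knuddels), the following Python sketch shows the storage practice the Baden-Württemberg authority expected instead of plain text: each password is stored only as a salted scrypt digest, verified with a constant-time comparison, so a leaked user table does not directly expose credentials. It also includes a small audit routine over a constructed user table that flags records still held in plain text. The scrypt parameters, record format and function names are assumptions of this example, not anything the article specifies.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed work-factor parameters (example values, not from the article).
# Memory use is about 128 * N * r bytes, i.e. 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32
SCHEME = "scrypt"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt is generated unless one is supplied (supplying one
    is only useful for deterministic tests).
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=DIGEST_BYTES)
    return f"{SCHEME}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False
    salt, stored_digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                               dklen=len(stored_digest))
    return hmac.compare_digest(candidate, stored_digest)


def is_plaintext_record(record: str) -> bool:
    """Audit heuristic: anything not in our hashed record format is suspect."""
    parts = record.split("$")
    return len(parts) != 3 or parts[0] != SCHEME


def audit_user_table(rows: List[Tuple[str, str]]) -> List[str]:
    """Return usernames whose stored credential is not a hashed record."""
    return [user for user, stored in rows if is_plaintext_record(stored)]


# Constructed sample table: two migrated accounts, one legacy plain-text row.
SAMPLE_ROWS = [
    ("alice", hash_password("correct horse battery staple")),
    ("bob", hash_password("hunter2")),
    ("legacy_carol", "summer2018"),   # never migrated: stored as typed
]

if __name__ == "__main__":
    print("alice login ok:", verify_password("correct horse battery staple",
                                             SAMPLE_ROWS[0][1]))
    print("bob wrong pw :", verify_password("hunter3", SAMPLE_ROWS[1][1]))
    print("plaintext rows:", audit_user_table(SAMPLE_ROWS))
```

The audit function is the kind of check a data protection officer could run before an incident rather than after one: it reports accounts whose stored value is not in the hashed format, which is exactly the condition the authority sanctioned here.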
5.) It doesn't cost anything to ask? That does not apply to the GDPR!
December 2018
In May 2018, the small mail order company Kolibri Image asked the Hessian Commissioner for Data Protection for advice. The company had asked one of its service providers several times for a data processing agreement, but had not received one. Kolibri Image wanted to find out from the Hessian data protection authority how to proceed. The authority replied that both parties were obliged to conclude such an agreement: not only the service provider, but also the client is responsible for this under data protection law. The company was therefore obliged to draw up a corresponding agreement itself and send it to the service provider for signature; templates are available on the authority's website. On December 17, 2018, the State Commissioner imposed a fine of 5,000 euros plus 250 euros in fees. He justified the decision to Kolibri Image on the grounds of a breach of Article 83 (4) of the GDPR. The principle "asking questions costs nothing" did not apply here.
Conclusion
In the initial phase of the GDPR, there was a clear grace period. This is now noticeably over. The number of warnings is increasing and the data protection authorities are imposing higher sanctions. As before, the biggest problem with the GDPR is that the regulation does not distinguish between the local sports club and a large corporation. Implementation involves considerable effort and is often not easy for smaller companies to manage. High penalties have a deterrent effect on companies such as Facebook or Google, which generate a high turnover, but only marginally harm them in view of their capital reserves. The situation is often different for small and medium-sized companies and associations. Overall, it can be said that, due to the increasing sanctions, awareness of data protection has increased significantly on all sides. Nevertheless, there is certainly still room for improvement with regard to the protection of our data, especially on the part of large corporations that handle vast amounts of personal data.