It did not take long after the GDPR entered into force on 25 May 2018 for many companies to revise their positions and business priorities, following their initial scepticism about the penalties the new regulation would impose.

The number of financial sanctions enforced by European authorities on companies after barely one year of application of the General Data Protection Regulation has made it clear that the EU pays close attention to its citizens' data security and privacy rights.


📚 The educational approach to GDPR compliance

Each Member State has a national data protection authority (DPA), an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection at national level.

DPAs can carry out verifications at an organisation's premises or online. Checks are carried out on the basis of annual programmes, complaints received, or information reported in the media. In countries where data privacy regulation has historically been strict, the fundamental principles of data protection remain largely unchanged (data security, fair processing, retention periods, etc.) and therefore continue to be rigorously checked by the data protection authorities.


On the other hand, the new obligations and rights introduced by the GDPR are subject to investigation and remediation controls that are commonly non-punitive. The goal is to help organisations understand the issues, the operational implementation of the new provisions, and the benefits of compliance.

During the first months of the new European privacy framework, the national privacy authorities accomplished a tremendous amount of pedagogical work: educating companies and raising GDPR awareness across sectors of activity, publishing concrete fact sheets on privacy rights, and issuing guides on security measures and impact assessment methodologies.

In Belgium, since 25 May 2018, the Data Protection Authority (DPA) has been the successor to the Commission for the Protection of Privacy (better known as the "Privacy Commission").




⚖️ What are the latest sanctions and warnings under GDPR?

Except in cases of serious data breaches or deliberate bad faith, national supervisory authorities tend to alert, support and accompany companies towards GDPR compliance rather than impose the maximum fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher).

Supervisory authorities also have corrective powers short of a fine, such as issuing warnings of non-compliance, carrying out audits, requiring specific remediation within a set time frame, ordering the erasure of data, and suspending data transfers to a third country. These powers are easily exercised and supplement the new set of penalties.

Nonetheless, some precedents have already broken records for the size of the fines imposed for breaching data protection principles. Among the numerous pending national complaints and fine proceedings, a number of sanctions have already been imposed. The following table provides a non-exhaustive, regularly updated list of sanctions imposed by national European authorities and courts against non-compliant organisations.


The up-to-date list of recent GDPR enforcement actions

| Date | Company | Country | Details | Sanction | EU DPA |
|---|---|---|---|---|---|
| 29/08/2019 | Skellefteå High School | Sweden | The Swedish DPA fined a school for running a facial recognition programme to monitor pupil attendance in violation of the GDPR. | SEK 200,000 (approx. €18,850) | Datainspektionen (Swedish DPA) |
| 25/07/2019 | Active Assurances | France | Insufficiently protected the personal data of the users of its website and used inappropriate methods of storing data. | €180,000 | CNIL |
| 06/06/2019 | Sergic | France | Insufficiently protected the personal data of the users of its website and used inappropriate methods of storing data. | €400,000 | CNIL |
| 28/05/2019 | City mayor | Belgium | Misuse of personal data by a mayor for election campaign purposes. The fine is moderate, but its message is important: data protection is everyone's business, and data controllers must take responsibility, especially when they hold public office. | €2,000 | Belgian DPA |
| 21/01/2019 | Google | France | Lack of transparency of the information provided by Google: "not easily accessible to users", insufficient information that is not "always clear and understandable", and lack of valid consent for the personalisation of advertising (Google's appeal is currently pending). | €50,000,000 | CNIL |
| 11/2018 | Knuddels | Germany | Leak in July 2018 of 808,000 email addresses and more than 1.8 million usernames and passwords of an online chat platform. | €20,000 | LfDI Baden-Württemberg |
| 11/2018 | Uber | France, Netherlands, United Kingdom | Breach of the obligation to secure data and failure to notify a data breach. Leak of the account information of 57 million users and 600,000 drivers (in 2016, before the GDPR was applicable). | €1,385,000 (combined) | CNIL, AP, ICO |
| 06/2018 | "SME" | Austria | Monitoring of a public space without proper transparency and notice: a retail establishment with a surveillance camera capturing too much of the sidewalk. | €4,800 | DSB (Österreichische Datenschutzbehörde) |
| 06/2018 | Barreiro Hospital | Portugal | Violation of the principles of integrity and confidentiality of data, violation of the principle of limited access to data, and inability of the data controller to ensure the integrity of the data. | €400,000 | CNPD (Comissão Nacional de Proteção de Dados) |


The general obligation of the controller is always to implement appropriate technical and organisational measures to ensure that the processing of European individuals' data is carried out in accordance with the GDPR.

Oscar Canario da Cunha, Associate Director, Pideeco Network Partner