After just over a year of GDPR enforcement across Europe, we can start to draw some conclusions about which countries have fallen foul of the regulations and been hit with serious fines as a result. That said, these are the early days of enforcement, so the number of infractions is perhaps to be expected as businesses adapt to GDPR’s new requirements.
Whether these fines stem from negligence or carelessness is tough to tell at this stage. But where the qualitative data is perhaps lacking, the quantitative data that has accrued is still telling. From the results so far, we can see which countries have incurred the most fines, which have been hit with the highest fine amounts, and what the most common reasons for GDPR fines are. Below we go into the results of every GDPR fine and enforcement action to date.
Which country has the most fines to date, volume-wise?
In terms of the number of fines, the clear “winner” was Spain, with a whopping 38 instances. Germany and Romania, which tied for second place, each had a comparatively smaller 17 instances. At the other end of the scale, Italy, Malta and Lithuania had one infraction each to their name, as of January 2020.
Which country has the highest fine amounts to date?
However, as the results show, the most fines don’t necessarily equate to the dearest fines. Despite garnering the highest number, Spain’s 38 infractions cost just over one million euros. Compare this to the UK, which was hit with only 3 fines, one of the lowest counts, but whose high-profile instances (at the expense of Marriott International and British Airways) came in at an enormous 315,310,200 euros. Set against second-place France’s 51 million euros, the UK’s costs are clearly in front by some margin.
The most common reasons for GDPR fines
Insufficient legal basis for data processing
In order to process personal data, there must be a valid lawful basis. Companies who have incurred this type of fine lack one of the six lawful bases needed for processing, which are as follows:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.
Insufficient fulfilment of information obligations
GDPR ensures that individuals have a right to be informed about the collection and use of their personal data. If these information obligations are not fulfilled by a company or organisation, then it is in violation of the terms laid out by GDPR.
Insufficient fulfilment of data subject rights
Individuals have a right to know what data an organisation is collecting and what it is doing with it. They also have a right to obtain a copy of the collected data, to have this data corrected, and to have said data erased. A company that fails to provide individuals with these rights is in breach of its information obligations.
Non-compliance with general data-processing principles: GDPR sets out seven principles for the lawful processing of personal data, which are broadly:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Failure to comply with these principles will thus incur a fine.
Insufficient cooperation with supervisory authority:
Companies that fail to comply with any order from the monitoring bodies of the GDPR run the risk of facing a vast fine, regardless of what the original infringement was.
Insufficient technical and organisational measures to ensure information security:
Technical and organisational measures, also known as the security principle, cover the way information is stored and transmitted, as well as how data is accessed, altered and deleted. They also ensure that data can be readily recovered in the event of deletion or alteration. Organisations without these measures in place are in violation of GDPR and thus face a fine as a result.
*Data correct as of January 2020