Penalties for non-compliance with the GDPR Principles
The EU General Data Protection Regulation (GDPR) is among the world’s most stringent data protection laws and is designed to apply to all types of businesses, from small businesses to multi-nationals.
Article 83 of the GDPR sets out a two-tier penalty structure that is flexible and scales with the organisation. Any organisation that is not GDPR compliant, regardless of its size, faces a significant liability. Data protection authorities can impose fines of:
- up to €20 million (£17.5 million), or 4% of worldwide turnover for the preceding financial year – whichever is higher.
- up to €10 million (£8.7 million), or 2% of worldwide turnover for the preceding financial year – whichever is higher.
Non-compliance with the GDPR Principles falls under the higher-tier penalty.
Let’s take a look at some of the penalties imposed over the last 4 years, and consider how you can avoid being fined for similar violations of the GDPR Principles.
Principle of Lawfulness, Fairness and Transparency
Google was fined 50 million euros by the French supervisory authority (CNIL) in 2019 for a breach of the GDPR rules. CNIL levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
That lack of clarity meant that users were effectively unable to exercise their right to opt out of data processing for the personalisation of ads. Additionally, CNIL found that even when user consent was collected, it did not meet the GDPR standard that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting but were simply asked to agree to Google’s terms and privacy policy collectively.
Principle of Purpose Limitation
The Dutch Data Protection Authority (DPA) imposed a fine of 525,000 euros on the Royal Dutch Lawn Tennis Association (KNLTB) for violations of the GDPR ‘Purpose Limitation’ principle. The DPA found that the association unlawfully shared the personal information of its members with two sponsors for tennis and unrelated promotions.
Principle of Data Minimisation
Airbnb was issued with a reprimand by the Irish Data Protection Commission (DPC) and was ordered to revise its internal policies and procedures for handling erasure requests, to ensure that individuals are no longer required to provide a copy of photographic ID when making erasure requests unless Airbnb can demonstrate a valid legal basis for doing so.
Airbnb’s requirement that a data subject verify their identity by submitting a copy of their photographic ID constituted an infringement of the principle of ‘data minimisation’. This infringement occurred in circumstances where less data-driven and less intrusive solutions for verifying identity were available to Airbnb. In essence, the legitimate interest pursued by Airbnb does not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the complainant’s photographic ID in order to process their erasure request.
The DPC’s draft decision was submitted to the GDPR Article 60 cooperation mechanism and no objections were raised by the other concerned supervisory authorities.
Principle of Integrity and Confidentiality (Security)
Interserve Group was penalised by the UK supervisory authority (the ICO) in 2022. The penalty of £4,400,000 was issued because of contraventions by Interserve of the GDPR Principle of Integrity and Confidentiality – Article 5(1)(f).
Between 18 March 2019 and 1 December 2020, Interserve Limited (“Interserve”) failed to process personal data in a manner that ensured appropriate security of the personal data, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR. This left Interserve vulnerable to a cyber-attack, which took place in the period 30 March 2020 to 2 May 2020 and affected the personal data of up to 113,000 Interserve employees.