5 takeaways from the first year and a half of GDPR fines
1. Data protection principles matter
Art 5 of the GDPR defines the 7 principles relating to processing of personal data, which form the backbone of the GDPR and data protection law in general. According to Art 5, personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (principle of lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation);
- accurate and, where necessary, kept up to date (principle of accuracy);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation);
- processed in a manner that ensures appropriate security of the personal data (principle of integrity and confidentiality); and
- the controller shall be responsible for and be able to demonstrate compliance with the previous (principle of accountability).
When preparing for the GDPR, businesses often concentrated on the specific, tangible things that need to be done under the GDPR, e.g., records of processing activities (Art 30), data processing agreements (Art 28), privacy policies (Art 13-14), etc. Although preparing all those documents require taking the principles relating to processing of personal data into account, a thorough analysis of the principles, especially such that would enable to demonstrate compliance as required under the principle of accountability, was often lacking.
However, it is clear from the fines issued so far that the data protection authorities (DPAs) consider the principles extremely important and are not shy to issue fines if someone’s data processing practices violate the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and even accountability:
- The Lithuanian DPA imposed an administrative fine in the amount of EUR 61 500 on MisterTango UAB, a payment services provider, for, among others, the breach of Art 5 of the GDPR. It was determined that the company processed more personal data than necessary for effecting the payment. The DPA considered that, in accordance with the principle of data minimisation, only such data as the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, purpose of the payment/payment code necessary for effecting the payment should be collected. However, in addition to the aforementioned data, the company also collected dates of provision of not reviewed electronic invoices, names of the senders and amounts; dates, topics of submission of not read notifications and a part of the text of the notification; purposes, types, amounts of the loans; names of the pension funds, accumulated units, value thereof, accumulated amounts; types of credits (e.g., mortgage credit), due balances, amounts and dates of other payments, numbers of the issued payment cards and amounts in such payment cards. Furthermore, it was determined that the company stored the data longer than it had established and indicated as necessary by itself – 216 days instead of 10 minutes – therefore breaching the principle of storage limitation. The company also failed to provide sufficient evidence as regards its compliance with the data protection principles during the investigation, therefore breaching the principle of accountability.
- The Danish DPA has proposed a fine of DKK 1,5 million (approx. EUR 200 000) to IDDesign A/S, a furniture company, for failure to delete data about 385 000 customers. Some of the furniture stores of the company used an older system, where personal data (names, addresses, telephone numbers, e-mail addresses and purchase history) had never been deleted. That was considered a breach of the principle of storage Limitation.
- The Polish DPA imposed an administrative fine of PLN 40 000 (approx. EUR 9000) on a public entity for failure to conclude personal data processing agreements with the entities to whom personal data was transferred to, therefore breaching Art 28(3), Art 5(1)(a) and Art 5(1)(f) of the GDPR. However, it was also found that there were no internal procedures in place to review the resources available in the Public Information Bulletin (BIP) in order to determine the timing of their publication, which caused that the property declarations were available past their storage period. The DPA concluded that the controller violated the principle of storage limitation. Additionally, it was established that the recorded materials from the city council meetings were available in the BIP only through a link to a dedicated YouTube channel, without any backup copies. No risk analysis was carried out for the publication of recordings from board meetings exclusively on YouTube, which in the DPA’s view breached the principle of integrity and confidentiality and the principle of accountability. The principle of accountability was also breached in connection with the shortcomings in the register of processing activities, which did not indicate all data recipients and the planned dates of data deletion for certain processing activities.
- The Berlin Commissioner for Data Protection and Freedom of Information issued a fine of approx. EUR 14,5 million against Deutsche Wohnen SE for structural breach of Art 5 and Art 25 of the GDPR. The DPA found that the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required and that personal data of tenants (e.g., salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements) were stored without checking whether storage was permissible or necessary. The DPA found that the company breached the principle of storage limitation, as well the principles of data protection by design and default (Art 25). In addition to sanctioning the structural violation, the DPA imposed fines between EUR 6000 and EUR 17 000 for the inadmissible storage of personal data of tenants in 15 specific individual cases as well.
2. Size doesn’t matter
The assumption may be that companies with thousands or even millions of natural person customers are those targeted by the DPAs and receiving all the fines. After all, it is well known that one of the first GDPR fines was that imposed by the French DPA on Google in the amount of EUR 50 million. However, practice shows that it is the breach, not the size of the company, that matters:
- The French DPA fined UNIONTRAD COMPANY, a translation company with 9 employees, EUR 20 000 for its use of cameras in the workplace so that the employees were filmed continuously and without giving them proper information about the presence of cameras.
3. It only takes one
The violation does not have to concern thousands of people to be considered and processed by the DPA. Even a complaint by only one person may bring about supervisory proceedings:
- The Finnish DPA processed a case concerning Svea Ekonomi after a complaint made by a single data subject. It concerned the personal data used to assess creditworthiness and the data subjects’ right to inspect data concerning them.
4. “Burdensome” is not an excuse
Although old habits and old systems may be comfortable and new, expensive investments are not preferred, the argument that a system makes compliance with the GDPR burdensome does not fly with the DPAs:
- The Danish DPA issued a statement declaring that it proposes to fine Taxa 4x35, a taxi company, for a total of DKK 1,2 million (approx. EUR 160 000) for failure to delete customers’ data. According to Taxa 4x35, although they delete the customer’s name after two years, they do not delete the customer’s phone number and information on the customer’s trip (incl. addresses) before after five years because the number is key to the system’s database and therefore necessary in relation to the company’s product and business development. According to the Danish DPA, it is not acceptable to store personal data three years longer than necessary, only because the company’s system makes compliance with the GDPR burdensome.
5. Public sector is not safe
Although a well-known fact, it should somehow still be emphasised – the GDPR also applies to the personal data processing activities by the public sector. And the DPAs have not been afraid to issue fines if the public sector has breached its personal data processing obligations:
- The Norwegian DPA notified that it had imposed an administrative fine of NOK 1,6 million (approx. EUR 160 000), on the Municipality of Bergen for lack of appropriate measures to protect the personal data in the computer file systems.
- The Swedish DPA has fined a municipality SEK 200 000 (approx. EUR 20 000) for using facial recognition technology to monitor the attendance of students in school. The school processed biometric data based on consent, which the DPA considered unlawful given the clear imbalance between the data subject and the data controller, and failed to carry out an adequate impact assessment, including seeking prior consultation with the Swedish DPA.
- The Norwegian DPA has issued an administrative fine of approx. EUR 49 300 to the City of Oslo for having stored patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.
The first year and a half of GDPR fines has shown that GDPR compliance must be nothing less than a continuous process – something that all companies should seriously keep in mind for 2020.
Article provided by: Mari-Liis Orav (TGS Baltic, Estonia)
Dr. Tobias Höllwarth (Managing Director INPLP)