
Notable GDPR Enforcement Actions in the First Year and Key Takeaways
In the year since the General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, companies worldwide have been adapting to the new privacy rules—and EU regulators have also been busy adjusting to the new regime, handling an influx of data subject complaints, issuing guidelines and opinions, conducting investigations, and bringing enforcement actions for violations of the GDPR.
While regulators’ priorities vary slightly by jurisdiction, common issues for complaints and enforcement relate to marketing and advertising, data security and data breaches, data subject rights, and processing sensitive personal data and personal data of children. The European Commission reported that since May 25, 2018, European data protection authorities have received 144,376 GDPR complaints, mostly regarding telemarketing, promotional emails, and video surveillance/CCTV, and 89,271 data breach notifications.
The biggest fine to-date (EUR 50 million) was issued against Google by the French data protection authority (the “CNIL”), which alleged, among other things, that Google failed to be transparent about its marketing activities and did not obtain valid consent for personalized advertising. Despite the oft-cited potential penalties under the GDPR of the greater of EUR 20 million or 4% annual global turnover, however, most enforcement actions thus far have not imposed fines of similar heft. Instead, many regulators seem to have exercised restraint, understanding that all companies are adjusting to the GDPR.
Looking ahead, we expect regulators to continue to focus on these areas, and a number of regulators have already indicated their interest in these issues. At the IAPP Global Privacy Summit, Elizabeth Denham, the UK Information Commissioner, noted that her enforcement priorities include ensuring that the online advertising industry is transparent and fair and that companies comply with the GDPR’s strengthened privacy protections for children. In April 2019, the CNIL similarly emphasized the importance of children’s data, stating in its working plan for 2019 that its activities will focus on inspections of companies’ compliance with processing children’s data, data subjects’ rights, and the division of responsibilities between data controllers and processors. We also anticipate seeing higher fines, as enforcement actions and regulatory guidance provide companies with a better understanding of their compliance obligations—and fewer excuses for non-compliance.
A sampling of enforcement actions and regulatory reports from May 25, 2018 – May 25, 2019 follows, organized by country.

AUSTRIA
Regulatory Report: In its 2018 annual report, the Austrian data protection authority, the Datenschutzbehörde (“DSB”), noted that it received 509 complaints in 2018 and 344 breach notifications. It noted that its biggest fine under the GDPR was a monetary penalty of €4,800 for the video surveillance of business premises.
BELGIUM
Regulatory Report: The Belgian data protection authority, the Autorité de protection des données (“APD”), noted in its 2018 annual report that in 2018 it received 429 data breach notifications and 6,491 requests for information. Common requests for information included data subject rights, surveillance, and direct marketing.
BULGARIA
Regulatory Report: The Bulgarian data protection authority (Комисия за защита на личните данни, “CPDP”) reported that it has received 531 complaints filed by individuals alleging unlawful data processing since the GDPR came into effect.
CYPRUS
Regulatory Report: In January 2019, the Office of the Commissioner for Personal Data Protection noted that by the end of 2018 it had received 281 complaints (103 of which concerned spam) and issued 4 decisions imposing financial penalties totaling EUR 11,500.
CZECH REPUBLIC
Regulatory Report: The Czech data protection authority, Úřad pro ochranu osobních údajů (“UOOU”), reported that it imposed a total of 44 penalties in 2018.
DENMARK
March 2019 (Retention): The Danish data protection authority, the Datatilsynet, fined a taxi company, Taxa 4×35, DKK 1.2 million (approximately EUR 161,000) for retaining data longer than necessary. The Datatilsynet said that although Taxa 4×35 anonymized records (by deleting names) after 2 years, individuals were still identifiable because their phone numbers were retained for 5 years. It commented that companies cannot set a deletion period that is 3 years longer than necessary simply because the company’s systems make GDPR compliance difficult.
Regulatory Report: In March 2019, the Datatilsynet released its annual report and noted that it received 2,722 data breach notifications in 2018.
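As an added illustration (not part of the original post), the following Python retention check models the Taxa 4×35 finding: blanking names after two years does not anonymize a record while a phone number remains for five. The record, field names and retention periods are constructed assumptions, not the company's data or schema.

```python
"""Retention audit modelled on the Datatilsynet's Taxa 4x35 decision.

A record is only anonymized once every field that identifies a person on
its own has been removed. Deleting one identifier while keeping another
leaves the record personal data and subject to the retention limit."""
from dataclasses import dataclass
from datetime import date, timedelta

# Fields that identify a person by themselves (constructed, illustrative list).
DIRECT_IDENTIFIERS = {"name", "phone", "email"}


@dataclass
class TripRecord:
    created: date
    fields: dict


def is_identifiable(record: TripRecord) -> bool:
    """True while any direct identifier still holds a value."""
    return any(record.fields.get(key) for key in DIRECT_IDENTIFIERS)


def apply_retention(record: TripRecord, today: date, schedule: dict) -> TripRecord:
    """Blank every field whose retention period (days) has expired.

    `schedule` maps a field name to the number of days it may be kept.
    Fields absent from the schedule are kept indefinitely."""
    age_days = (today - record.created).days
    for name, keep_days in schedule.items():
        if age_days > keep_days and name in record.fields:
            record.fields[name] = None
    return record


# The schedule the regulator rejected: names deleted after 2 years,
# phone numbers kept for 5 years (assumed day counts).
PARTIAL_SCHEDULE = {"name": 2 * 365, "phone": 5 * 365}

# Corrected schedule: every direct identifier expires at the 2-year mark,
# so the remaining trip data is no longer linkable to a person.
CORRECTED_SCHEDULE = {"name": 2 * 365, "phone": 2 * 365, "email": 2 * 365}


def sample_record(today: date) -> TripRecord:
    """A constructed three-year-old trip record (all values fictitious)."""
    return TripRecord(
        created=today - timedelta(days=3 * 365),
        fields={
            "name": "A. Example",
            "phone": "+45 00 00 00 00",
            "email": None,
            "pickup": "Kastrup",
            "fare_dkk": 310,
        },
    )


def audit(schedule: dict, today: date = date(2019, 3, 1)) -> dict:
    """Apply a schedule to the sample record and report what survives."""
    record = apply_retention(sample_record(today), today, schedule)
    retained = {k: v for k, v in record.fields.items() if v is not None}
    return {"identifiable": is_identifiable(record), "retained": retained}


if __name__ == "__main__":
    for label, schedule in (("partial", PARTIAL_SCHEDULE), ("corrected", CORRECTED_SCHEDULE)):
        print(label, audit(schedule))
```

With the partial schedule the phone number survives the two-year cutoff and the record stays identifiable; with the corrected schedule only the non-identifying trip data remains.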
ESTONIA
Regulatory Report: In April 2019, the Estonian data protection authority, Andmekaitse Inspektsioon (“AKI”), reported that since May 25, 2018, it had received 101 data breach notifications, the majority of which were caused by either human error or lack of data security.
FINLAND
Regulatory Report: In its 2018 annual report, the Finnish data protection authority, Tietosuojavaltuutetun toimisto, announced that it had received more than 2,200 security breach notifications and more than 1,200 notifications from data protection officers.
FRANCE
January 2019 (Transparency, Consent): The biggest GDPR fine to date came from the French data protection authority, the Commission nationale de l’informatique et des libertés (“CNIL”), against Google LLC. The CNIL issued a EUR 50 million fine, alleging that Google failed to comply with Articles 12 and 13 of the GDPR by not providing its users with sufficient information about the purposes of its processing activities and the data retention period for marketing purposes. The CNIL also found that Google lacked a proper legal basis for processing personal data for personalized advertising, because consent was not validly collected. Considering Google’s market share, the CNIL reiterated that Google must make every effort to comply with the fundamental principles and obligations of the GDPR.
November 2018 (Geolocation, Consent): In November 2018, the CNIL published a formal notice against Vectaury S.A.S relating to its processing of geolocation data and mobile identifiers for online marketing and advertising. According to the CNIL, Vectaury was processing geolocation data collected through mobile applications without valid consent. After putting the company on notice for three months, the CNIL closed the investigation in February 2019 and approved Vectaury’s proposed changes to its consent banner. The CNIL considered the new banner better designed to inform individuals about the categories of purposes for processing their personal data (e.g., targeted advertising) and the identity of the controllers, which are now accessible through a single clickable link rather than being buried behind multiple links.
November 2018-February 2019 (Legal Basis, Marketing): There have been a number of instances in which the CNIL has investigated a company and has given it three months to improve or change its compliance efforts with the GDPR. For instance, the CNIL put five companies on notice for alleged unlawful processing of data for marketing purposes. After three months, the CNIL closed the formal notice proceedings, as the companies were found compliant with the GDPR after modifying their practices.
Regulatory Report: The French data protection authority, CNIL, reported that between May 25 and October 1, 2018 it received 742 notifications of data breaches affecting 33,727,384 individuals.
GERMANY
November 2018 (Security): The Baden-Württemberg data protection authority, the Landesbeauftragte für den Datenschutz und die Informationsfreiheit (“LfDI”), imposed a sanction of EUR 20,000 on Knuddels, a popular German social media platform, after a data breach exposed the personal data of 330,000 users. According to the LfDI, the company had not appropriately secured data under Article 32, including by storing passwords in plain text. The LfDI cited the company’s cooperation—including immediately notifying the LfDI and undertaking measures to improve its transparency and security—as a reason for the seemingly low fine given the number of affected users.
Regulatory Report: The German Federal Commissioner for Data Protection and Freedom of Information, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (“BfDI”), highlighted in its 2017-2018 activity report that it had received 6,507 requests and complaints, of which 3,064 involved data subjects exercising their right to lodge a complaint with a supervisory authority.
HUNGARY
Regulatory Report: According to the annual report of the Hungarian data protection authority, the Nemzeti Adatvédelmi és Információszabadság Hatóság (“NAIH”), the NAIH received 244 data breach notifications after the GDPR entered into force.
IRELAND
May 2019 (Legal Basis, Transparency): Just a few days before the one-year anniversary of the GDPR, the Irish Data Protection Commission (“DPC”) announced that it is investigating Google’s online Ad Exchange to determine its compliance with GDPR requirements regarding legal basis, transparency, and data minimization and retention.
May 2019 (Legal Basis): In response to a complaint filed by Privacy International as part of an effort to target the data broker and ad-tech industries, on May 2, 2019, the DPC announced that it is investigating Quantcast to establish whether the company’s processing and aggregation of personal data for profiling and targeted advertising purposes complies with relevant GDPR requirements, including those relating to legal basis, transparency, and data retention.
April 2019 (Security): The DPC began investigating Facebook after being notified by Facebook that it had discovered that hundreds of millions of user passwords were stored in plain text. The announcement came 4 months after the DPC said it was investigating a separate Facebook breach that involved unauthorized access to photos that users had uploaded but hadn’t made public.
Regulatory Report: In its annual report covering the period 25 May to 31 December 2018, the DPC noted that it received 2,864 complaints and 3,542 valid data security breach notifications.
ITALY
April 2019 (Security): The Garante, the Italian data protection authority, imposed a fine of EUR 50,000 on the operator of a data processing platform, the Rousseau Association, for failing to implement certain data security measures after a breach. The Garante said that the Rousseau platform, which operates a number of websites affiliated with the Italian political party 5 Star Movement, failed to meet its Article 32 obligations by not having strong passwords, securely storing logs, conducting periodic vulnerability assessments, or adopting anonymization techniques.
March 2019 (GPS tracking): The Garante also issued a decision against AVR S.p.A, a company that handles the collection of waste on behalf of the Tuscan municipality, ordering it to cease using wearable electronic devices equipped with GPS. AVR provided its employees with wearable electronic bracelets for scanning tags placed on waste bins for accurate billing purposes. However, the Garante found that the company did not implement adequate measures to safeguard the employees’ rights and dignity, because it was possible to identify the employees carrying out the tag scans and their geolocation. Although the Garante found that AVR had complied with the GDPR principles of necessity and proportionality, it ordered AVR to conduct a data protection impact assessment, implement data retention policies, and keep the GPS data separate from other databases.
LITHUANIA
May 2019 (Necessity principle): The Lithuanian data protection authority, the Valstybinė Duomenų Apsaugos Inspekcija (“VDAI”), issued a fine of €61,500 against MisterTango, a company that provides free bank account and payment services for EU citizens. The VDAI found that the company collected and retained more personal data than necessary for the execution of payments (e.g., that it did not need information about the purpose, nature, and amounts of available loans or types of credit) and retained it for longer than necessary (i.e., for 216 days in storage). The VDAI also found that MisterTango failed to report a data breach where data was accessible on the Internet for two days and did not implement appropriate security measures, noting that companies should pay more attention to the management of data security breaches and cooperation with the supervisory authority during investigations.
LUXEMBOURG
Regulatory Report: In 2018, the Luxembourg data protection authority (Commission Nationale pour la Protection des Données “CNPD”) issued a report which showed that there were 172 data breaches reported between May 25, 2018 and December 31, 2018, most of which were caused by human errors.
NETHERLANDS
March 2019 (Consent): The Dutch data protection authority, the Autoriteit Persoonsgegevens (“AP”), issued a statement about cookies, saying that requiring website visitors to agree to cookies in order to access a website violated the GDPR. The AP said that it had received dozens of complaints from website visitors who were denied access to the web pages after refusing to accept tracking cookies and that it had sent letters on this issue to a number of parties.
Regulatory Report: The AP announced in January 2019 that it has asked 30 companies to provide their data processing agreements (“DPAs”) with data processors for inspection.
POLAND
March 2019 (Notification of processing obligations): The Polish data protection authority, Urzędu Ochrony Danych Osobowych (“UODO”), issued a fine of €220,000 against a company that failed to be transparent with data subjects under Article 14 of the GDPR. The UODO alleged that the company obtained individuals’ data from publicly available sources and then processed it for commercial purposes, including by selling it. However, in doing so, it informed only 90,000 people about the details of processing via email—out of the 6 million individuals whose data was obtained and processed. For the rest of the individuals, the UODO said the company failed to fulfill its obligations because it did not have their email addresses and only posted a notice on its website. The UODO thus found that the company prevented data subjects from exercising their rights under the GDPR and should have sent a proper notification of processing via regular post or SMS.
PORTUGAL
January 2018 (Security): The Portuguese data protection authority, the Comissão Nacional de Protecção de Dados, fined a hospital EUR 400,000 for violating Article 5, by not limiting access to patient records, and Articles 5 and 32, by not implementing sufficient measures to protect personal data. Among other things, the Portuguese regulator alleged that the hospital did not have documented account management rules and gave doctors indiscriminate access to records, regardless of their specialty.
SPAIN
Regulatory Report: The Spanish data protection authority, the Agencia Española de Protección de Datos (“AEPD”), announced in its annual report that it had addressed 547 security breach notifications from May 25, 2018 to December 31, 2018.
SWEDEN
Regulatory Report: The Swedish data protection authority, the Datainspektionen, said in its May 2019 national integrity report it had received 3,000 complaints (the most common of which related to camera surveillance and direct marketing), as well as 3,500 notices of personal data breaches.
UNITED KINGDOM
April 2019 (Sensitive data): Following a complaint from Big Brother Watch, the UK Information Commissioner’s Office (“ICO”) initiated an investigation into HM Revenue and Customs’ (“HMRC”) Voice ID service, which used voice authentication for customer verification. The ICO found that HMRC failed to obtain consent from individuals and automatically signed them up to the Voice ID system for telephone enquiries. Voice data is biometric data under the GDPR and, as such, is special category data subject to stricter conditions. The ICO issued a preliminary enforcement notice requiring HMRC to delete all biometric data for which it does not have explicit consent.
November 2018 (Data protection fee): The ICO has issued 900 notices of intent to fine organizations that had not paid the mandatory annual data protection fee. The fines range from £400 to £4,000 depending on the size and annual turnover of the organization.
October 2018 (Legal basis, Consent): The ICO ordered a Canadian data firm that targeted online ads to voters on behalf of UK political organizations, Aggregate IQ (“AIQ”), to erase personal data of individuals in the UK based on allegations that AIQ violated Articles 5, 6, and 14 of the GDPR by not making data subjects aware of their processing of their personal data and processing personal data for purposes other than those for which it was collected.
Regulatory Report: The ICO announced in its 2018 Q2 report that it had received 4,056 data security incident reports.
This is a Security Bloggers Network syndicated blog from Law Across the Wire and Into the Cloud authored by Michelle Anderson. Read the original post at: https://blog.zwillgen.com/2019/05/24/notable-gdpr-enforcement-actions-in-the-first-year-and-key-takeaways/