GDPR enforcement: be aware of what it means to you

July 15th, 2019 by Stephen Jones

Reports indicate that in Germany 101 fines have already been made public, worth 484.900 EUR in total. Besides the recent high-profile fines covered in this blog, there are many other enforcement actions reported on this site.

Some examples:

France – SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.
The two key reasons for the fine were a lack of basic security measures and excessive data storage. Sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments and account statements) were accessible online without any authentication procedure in place.
Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account the seriousness of the breach (the lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users’ lives), the size of the company and its financial standing.
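The two failings the CNIL cited (documents served without authentication, and documents kept longer than needed) map onto two controls a document-upload service should have. The following is an added illustration, not code from SERGIC or the CNIL decision: a weak unauthenticated fetch beside a hardened fetch that requires a logged-in user, checks ownership, and refuses files past a retention period, plus the purge job that enforces that period. The store, user names and the 90-day retention figure are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention period for applicant documents; the CNIL decision does not
# state a figure, so this value is a placeholder for illustration only.
RETENTION = timedelta(days=90)

@dataclass
class Document:
    doc_id: str
    owner_id: str      # applicant who uploaded the file
    uploaded: date
    contents: bytes

# Constructed sample store: two applicants, three documents.
TODAY = date(2018, 4, 1)
LATER = TODAY + timedelta(days=200)
STORE = {
    "doc-1": Document("doc-1", "alice", TODAY - timedelta(days=10), b"alice-id-card"),
    "doc-2": Document("doc-2", "bob", TODAY - timedelta(days=5), b"bob-tax-notice"),
    "doc-3": Document("doc-3", "alice", TODAY - timedelta(days=120), b"alice-old-payslip"),
}

def fetch_unauthenticated(store, doc_id):
    """Weak pattern: whoever knows the document id gets the file back."""
    return store[doc_id].contents

def fetch_document(store, doc_id, session_user, today):
    """Hardened pattern: authenticated session, ownership check, retention check.
    Returns (status, contents); contents is None unless status is 'ok'."""
    if session_user is None:
        return "unauthenticated", None
    doc = store.get(doc_id)
    # Missing and foreign ids get the same answer so ids cannot be enumerated.
    if doc is None or doc.owner_id != session_user:
        return "not-found", None
    if today - doc.uploaded > RETENTION:
        return "expired", None
    return "ok", doc.contents

def purge_expired(store, today):
    """Retention job: delete documents held past RETENTION; returns removed ids."""
    expired = sorted(k for k, d in store.items() if today - d.uploaded > RETENTION)
    for k in expired:
        del store[k]
    return expired
```

Run the purge on a schedule so that the retention limit is enforced by deletion, not only by the read path refusing expired files.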

Google – The fine was imposed on the basis of complaints from the Austrian organisation “None Of Your Business” and the French NGO “La Quadrature du Net”, both concerning the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR).

UNIONTRAD COMPANY – Complaints were made by several employees of the company who were filmed at their workstations. This was in breach of the rules to be observed when installing cameras in the workplace, in particular that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures by the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018, which confirmed that the employer was still breaching data protection law when recording employees with CCTV.

Austria – A fine was imposed on a private person who was using CCTV at his home. The video surveillance covered areas intended for the general use of the residents of the multi-party residential complex (parking lots, sidewalks, courtyard, garden and access areas to the complex) and also covered garden areas of an adjacent property. The surveillance subject to the proceedings was therefore not limited to areas under the exclusive control of the controller, and so was neither proportionate to its purpose nor limited to what was necessary. The cameras also recorded the hallway of the house and filmed residents entering and leaving the surrounding apartments, intruding on their highly personal areas of life without their consent to the recording of their image data.

Romania – WORLD TRADE CENTER BUCHAREST SA – A printed paper list used to check breakfast customers contained the personal data of 46 clients staying at the WORLD TRADE CENTER BUCHAREST SA hotel. It was photographed by people outside the company, which led to the disclosure of some clients’ personal data through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that the data was not disclosed to unauthorised parties.

Hungary – A fine was imposed on an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased, the institution having argued that it was in its legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the debtor’s phone number was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company’s annual net revenue.

Several countries issued fines related to the misuse of data in elections.
Several countries issued fines to companies that did not respond to a request by an employee or customer about the data held about them.

PwC’s own UK Privacy & Security Enforcement Tracker found that fines in the UK alone over data protection law violations totalled £6.5 million in 2018.
