Blog » 5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
12 February 2020
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authority is well illustrated by the fact that sometimes the GDPR fine was only EUR 2000, but in another case a company has been fined for EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.
1. Scoring employee sick leaves in Cyprus
The Cyprus-based Louis Group decided to use an automated system to score the sick leaves of its employees. The reasoning behind the scoring was that short, frequent and unplanned absences lead to a higher disorganizing of the company rather than longer sick leaves. Louis Group claimed that the legal basis of the data processing related to the scoring system was his legitimate interest.
Sadly for Louis Group, the Cypriot supervisory authority was not on the same opinion. In fact, it established that Louis Group did not have a legal basis to process the health data of this employees for the scoring purpose. Neither could Louis Group prove that his legitimate interest would override the data protection related rights and interest of the employees, nor was he entitled to process the health data based on other provisions. The ‘prize’ of Luis Group for his innovative idea was a fine of EUR 82.000 and the ban of the scoring system.
My piece of advice to you: always act extra prudently when processing health data, especially for ‘unusual’ purposes. Further, using legitimate interest as a legal basis may be the ace of trumps but it is certainly not all-powerful.
2. Obstructing the withdrawal of consent in Poland
The company ClickQuickNow got into trouble with the Polish supervisory authority because of his consent withdrawal practices. In short, to withdraw consent one had to click on a link and declare the reason of the withdrawal. If the data subject failed to indicate the reason the withdrawal mechanism has stopped letting ClickQuickNow to further process the data.
Obviously, the Polish authority was not very happy with this situation. It established that ClickQuickNow infringed the provision of the GDPR which sets forth that data subject shall be able to withdraw consent at any time and the it shall be as easy to withdraw as to give consent. The practice of ClickQuickNow, making difficult or even impossible to withdraw consent, was rewarded with a fine of PLN 201.000 (ca. EUR 47.000).
To avoid such sanctions when relying on consent as a legal basis of processing, always educate the data subjects about the possibility of withdrawal and make it easy for them. For example, if your customer can give his consent on your webpage by ticking a checkbox, withdrawal should also be possible by a simple click.
3. Not dealing with data subjects’ request in Romania
BNP Paribas Personal Finance SA’s fault, according to the Romanian supervisory authority, was that it failed to respond on time to data subjects’ request.
The authority started its investigation based on the complaints of BNP Paribas’ clients and came to the conclusion that BNP Paribas failed to respond to its clients’ request within one month as set forth by the GDPR. It was a costly delay for BNP Paribas, it has to pay a fine of ca. 2000 EUR.
It is essential to deal with your clients’ GDPR-related requests on time. Experience shows that the majority of the data protection authorities’ investigations is the result of the complaints of data subjects. By dealing properly with the requests, in many cases the involvement of the authority can be avoided.
4. Unsolicited telemarketing in Italy
The case of the Italian company Eni Gas and Luce confirms my above statement. The supervisory authority started an investigation based on dozens of complaints filed after the entering into force of the GDPR.
The Italian authority established that, among others, Eni Gas made advertising calls without the consent or which is even worse, despite the explicit objection of the contacted persons. Further, the company acquired lists of prospective clients from database providers who have not obtained consent to such disclosure. Together with other GDPR-breaches this amounted in a ‘nice’ fine of EUR 11,5 Million.
When it comes to direct marketing activities I propose to act with the utmost caution. This is an activity which annoys a lot of people and the anger often leads to complaints. Make sure that you have a valid legal basis before you start to make the calls.
5. Inappropriate technical and organizational measures in Germany
Last but not least, here comes the not very pleasant adventure of 1&1 Telecom GmbH before the German data protection authority. The company operated a customer service hotline which only required to provide the customer’s name and birth date to be able to obtain extensive information about the customer.
According to the authority, this authentication system was too simple and a hotbed of personal data misuse and data breaches infringing the obligation of the controller to take appropriate technical and organizational measures to protect personal data. 1&1 Telecom realized the problem and started to work on the solution even during the investigation. Unfortunately, that did not stop the authority to impose a fine of ca. EUR 9,5 Million. However, this was in the lower range as the authority considered the cooperation of 1&1 Telecom.
What you can learn from 1&1 Telecom’s mistake is that when operating customer service hotline use rather strong authentication methods (including for example a password or code word). I hope that the supervisory authority will never investigate your company but if it does, always try to cooperate as it might mitigate the fine like in the above case.
IS THE JUDGE BIASED BECAUSE OF UNFAVOURABLE JUDGMENT IN OTHER CASE?
Can a judge be disqualified from deciding the legal dispute on the grounds of bias if he has delivered a judgment unfavourable to the plaintiff in another case? Can a court be biased if the plaintiff has "challenged" a previous decision of the court before the European Court of Human Rights? In this article, we answer these questions by analysing a recent judgment of the Hungarian Supreme Court.Read more »
CAN INCOMPATIBLE WORKPLACE BEHAVIOUR BE A GROUND FOR DISMISSAL IN HUNGARY?
Refusal of employer 's instructions, unjustified absence, intentional damage: some cases where the justification for dismissing an employee is relatively easy to determine. What happens, however, if the employee does not commit a severe breach of duty similar to the one above, but his or her colleagues consider him incompatible, with whom it is impossible to cooperate, or even afraid of him or her. Can dismissal be justified by behaviour that is incompatible with others and creates disharmony in the working environment? In our article, we seek the answer to this question in the light of Hungarian judicial practice.Read more »
CAN A JUDICIAL ERROR CREATE HUNGARIAN JURISDICTION DESPITE A PLACE OF PERFORMANCE ABROAD?
Can a defendant, domiciled abroad, be sued in Hungary under the Brussels I Regulation in the event of defective performance of an international sales contract if the place of performance is abroad? Can the jurisdiction of a Hungarian court be established based on the fact that the lower court expressly established its jurisdiction at the beginning of the litigation? How is the EXW clause to be interpreted within the meaning of the Brussels I Regulation? In our article, we analyse the recent decision of the Supreme Court of Hungary.Read more »