Blog » 5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
12 February 2020
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authority is well illustrated by the fact that sometimes the GDPR fine was only EUR 2000, but in another case a company has been fined for EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.
1. Scoring employee sick leaves in Cyprus
The Cyprus-based Louis Group decided to use an automated system to score the sick leaves of its employees. The reasoning behind the scoring was that short, frequent and unplanned absences lead to a higher disorganizing of the company rather than longer sick leaves. Louis Group claimed that the legal basis of the data processing related to the scoring system was his legitimate interest.
Sadly for Louis Group, the Cypriot supervisory authority was not on the same opinion. In fact, it established that Louis Group did not have a legal basis to process the health data of this employees for the scoring purpose. Neither could Louis Group prove that his legitimate interest would override the data protection related rights and interest of the employees, nor was he entitled to process the health data based on other provisions. The ‘prize’ of Luis Group for his innovative idea was a fine of EUR 82.000 and the ban of the scoring system.
My piece of advice to you: always act extra prudently when processing health data, especially for ‘unusual’ purposes. Further, using legitimate interest as a legal basis may be the ace of trumps but it is certainly not all-powerful.
2. Obstructing the withdrawal of consent in Poland
The company ClickQuickNow got into trouble with the Polish supervisory authority because of his consent withdrawal practices. In short, to withdraw consent one had to click on a link and declare the reason of the withdrawal. If the data subject failed to indicate the reason the withdrawal mechanism has stopped letting ClickQuickNow to further process the data.
Obviously, the Polish authority was not very happy with this situation. It established that ClickQuickNow infringed the provision of the GDPR which sets forth that data subject shall be able to withdraw consent at any time and the it shall be as easy to withdraw as to give consent. The practice of ClickQuickNow, making difficult or even impossible to withdraw consent, was rewarded with a fine of PLN 201.000 (ca. EUR 47.000).
To avoid such sanctions when relying on consent as a legal basis of processing, always educate the data subjects about the possibility of withdrawal and make it easy for them. For example, if your customer can give his consent on your webpage by ticking a checkbox, withdrawal should also be possible by a simple click.
3. Not dealing with data subjects’ request in Romania
BNP Paribas Personal Finance SA’s fault, according to the Romanian supervisory authority, was that it failed to respond on time to data subjects’ request.
The authority started its investigation based on the complaints of BNP Paribas’ clients and came to the conclusion that BNP Paribas failed to respond to its clients’ request within one month as set forth by the GDPR. It was a costly delay for BNP Paribas, it has to pay a fine of ca. 2000 EUR.
It is essential to deal with your clients’ GDPR-related requests on time. Experience shows that the majority of the data protection authorities’ investigations is the result of the complaints of data subjects. By dealing properly with the requests, in many cases the involvement of the authority can be avoided.
4. Unsolicited telemarketing in Italy
The case of the Italian company Eni Gas and Luce confirms my above statement. The supervisory authority started an investigation based on dozens of complaints filed after the entering into force of the GDPR.
The Italian authority established that, among others, Eni Gas made advertising calls without the consent or which is even worse, despite the explicit objection of the contacted persons. Further, the company acquired lists of prospective clients from database providers who have not obtained consent to such disclosure. Together with other GDPR-breaches this amounted in a ‘nice’ fine of EUR 11,5 Million.
When it comes to direct marketing activities I propose to act with the utmost caution. This is an activity which annoys a lot of people and the anger often leads to complaints. Make sure that you have a valid legal basis before you start to make the calls.
5. Inappropriate technical and organizational measures in Germany
Last but not least, here comes the not very pleasant adventure of 1&1 Telecom GmbH before the German data protection authority. The company operated a customer service hotline which only required to provide the customer’s name and birth date to be able to obtain extensive information about the customer.
According to the authority, this authentication system was too simple and a hotbed of personal data misuse and data breaches infringing the obligation of the controller to take appropriate technical and organizational measures to protect personal data. 1&1 Telecom realized the problem and started to work on the solution even during the investigation. Unfortunately, that did not stop the authority to impose a fine of ca. EUR 9,5 Million. However, this was in the lower range as the authority considered the cooperation of 1&1 Telecom.
What you can learn from 1&1 Telecom’s mistake is that when operating customer service hotline use rather strong authentication methods (including for example a password or code word). I hope that the supervisory authority will never investigate your company but if it does, always try to cooperate as it might mitigate the fine like in the above case.
DOES THE LACK OF HANDOVER MAKE THE DISMISSAL UNLAWFUL IN HUNGARY?
Whether the lack of handover makes the dismissal unlawful based on the recent judgment of the Hungarian Supreme Court? What happens in case the employee fails to take over the dismissal? We address these issues in our article by analysing a recent judgment of Hungarian Supreme Court.Read more »
UNPAID CAPITAL CONTRIBUTION IN A HUNGARIAN LLC? HOW TO SOLVE THIS PROBLEM?
The „start-up capital” of the limited liability company is the initial capital which is the totality of the capital contributions provided by the shareholders. Since the shareholders may declare that the capital contribution shall only be provided after the establishment of the company in a later date, the painful situation might occur that the shareholder does not provide or only partly provides the capital contribution. Given that this may create unwanted consequences, the settlement of the capital-related problem is the common interest of the shareholders. In this article we summarize the possible methods to solve this issue.Read more »
COVID-19 BRIEFING – RESTRICTIONS ON NON-EUROPEAN FOREIGN INVESTMENTS IN HUNGARY
After the bill, passed in 2018 on restrictions of foreign investments, Hungary further limits the domestic investments of the foreigners because of the COVID-19. The new decree extends the scope of the investments to be notified and introduces fines, too. We explain the most important provisions of the decree in this article.Read more »