Tag Archives: Fines

Calculation of administrative fines under GDPR – standardized concept published in Germany

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019. The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance … Continue Reading

Not quite everything everywhere – ICO fines EE £100,000 for unsolicited text messages

The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable. What happened? EE sent customers a text message encouraging them to … Continue Reading

First sanction decision rendered by the CNIL regarding data breaches worth almost 1 per cent of the company’s yearly turnover: the era of tolerance seems to be over

By a new decision of sanction rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligation to maintain the security of and to limit the storage of personal data. This … Continue Reading

One year of GDPR – How have EU member states implemented and enforced the new data protection regime?

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions. Local implementation efforts Although the … Continue Reading

The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg ?

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty to the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchases orders containing personal and sensitive data of customers. Further to Optical Center’s … Continue Reading

Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data

The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime … Continue Reading

Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data. Breach of the data minimisation principle The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining … Continue Reading

Processing publicly available personal data without telling data subjects? The Polish data protection authority has (bad) news for you…

The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading

First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which … Continue Reading

ICO publishes its 2017/2018 Annual Report

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number … Continue Reading

Spanish DPA fines Facebook €1.2 million for data protection infringements

The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act). In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further … Continue Reading

Fines under GDPR – German DPAs provide guidance

The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently … Continue Reading

German Data Protection Authority fines companies for transferring data to the United States

Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg“) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation had used … Continue Reading

UK ICO Annual Report highlights 100% success rate for monetary penalties imposed

The ICO, the UK’s data protection authority, published its 2014-2015 annual report. Most noticeably, the ICO announced that they had enforced no successful appeals against Monetary Penalty Notices. The ICO can impose civil monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998, but this can be reduced by 20% … Continue Reading

The UK Information Commissioner’s Office issues the largest monetary penalty in its history to NHS hospital trust

This post was written by Cynthia O’Donoghue. The UK Information Commissioner’s Office (“ICO”) has issued its largest-ever fine of £325,000 GBP ($503,705 USD) to Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, including information relating to sexual health and … Continue Reading
LexBlog