Fines and GDPR: How to avoid penalties

What you need to know, in a nutshell

GDPR fines and data privacy violations are designed to make non-compliance a very costly mistake, making it difficult for any company to avoid penalties. These steps and measures will help you avoid the risk of fines:

• Use a holistic data privacy management system
• Protect against costly data breaches with IT security
• Make employees aware of data privacy with internal training
• Obtain the users’ permission to use their data
• Take technical and organisational measures (TOM)
• Observe erasure deadlines
• Make sure data collection is authenticated
• Implement the right to be forgotten
• Be careful not to process private information of employees
• Contact your data protection officer

In this article

• How expensive are data privacy violations?
• How many fines have been handed out?
• What are the main reasons and causes of data privacy violations?
• What are the fines that have been handed out? 
  • British Airways & Marriott – High fines because of a lack of IT security
  • Google France – GDPR fine because of non-transparency
  • H&M – High fine for employee surveillance
  • TIM and Eni Italy – High fines for illegal sales calls
  • Österreichische Post – Illegal data collection punished
  • Deutsche Wohnen – GDPR fine for not observing erasure deadlines
  • 1&1 – GDPR penalty because of a lack of authentication processes
  • Google SE – Violation of the right to be forgotten
• Conclusion – How can companies avoid GDPR fines?

How expensive are data privacy violations?

Twenty years ago, a data protection officer would probably have estimated the fine to be a few thousand pounds maximum for any data privacy violation. However, it is a risk that companies would have taken because the reasonable implementation of data protection measures would have been more expensive than the penalty. Today, the tables have turned – a violation of GDPR can be painfully expensive. You will be able to learn more about GDPR fines for small businesses here.

How many fines have been handed out?

Since GDPR was introduced in May 2018, both the number and severity of fines have grown quickly. While the fines issued across Europe and the UK before 2018 were still in the single-digit millions, the total sum in 2019 was well over 400 million. These figures are only set to increase. In the next few years, companies should generally expect stricter measures in all countries.

What are the main reasons and causes of data privacy violations?

If we look at the 20 highest fines handed out since 2018, the most serious ones can be traced back to a lack of IT security and non-transparency. If we look at the frequency, the main causes can be grouped as follows:

What are the highest fines that have been handed out?

GDPR states that the competent supervisory authorities decide how much to fine companies based on the data privacy violation that has been committed. For particularly severe cases, the fines can be up to 20 million euros, or up to four percent of the global annual revenue in the previous financial year – whichever is greater.

Learn about some of the highest GDPR fines below:

• Marriot (United Kingdom) with over 110 million euros or approximately £99 million (pending final review) and the British Airways (United Kingdom) with over 20 million euros or approximately £18 million*
• Google (France) with 50 million euros or approximately £44 million
• H&M (Germany) with 35 million euros or approximately £32 million
• TIM S.p.A. (Italy) with over 27 million euros or approximately £24 million and Eni gas e luce S.p.A. (Italy) with over 8 million euros or approximately £7 million
• Österreichische Post (Austria) with 18 million euros or approximately £16 million
• Deutsche Wohnen (Germany) with over 14 million euros or approximately £12.5 million
• 1&1 (Germany) with over 9 million euros or approximately £9 million
• Google (Sweden) with over 7 million euros or approximately £6 million

*Due to the Corona crisis, some fines were adjusted downwards. The ICO (Information Commissioner's Office) reduced the fine of British Airways to about 22 million euros and the fine against the Marriott hotel group to 20.3 million euros.

British Airways & Marriott –High fines because of a lack of IT security

The highest fine so far at about 203 million euros or approximately £184 million (1.5% of annual revenue in 2018) was issued to British Airways. This was due to the airline’s massively inadequate IT security. The website was targeted by hackers and user traffic was redirected to a scammer site. As a result, personal card and travel booking details ended up on the dark web. By the time the cyberattack was flagged three months later, some 400,000 customers had been affected. This has since been reduced to about 20 million euros or approximately £18 million since further review was done by the supervisory authority (ICO).

In the Marriott case as well, the staggeringly high fine of 110 million euros or approximately £99 million was because of IT security flaws. The global hotel group’s system was not sufficiently protected against cyberattacks. What’s more, the data breach was only discovered several years later and reported late. As a result, 339 million of the hotel group’s guests worldwide were affected between 2014 and 2018.

The final amount of the fine has been reduced to £18,4 Million following the decision on the British Airways case (learn more here).

How could these fines have been prevented?

By taking IT security seriously and implementing the proper security measures, such as regular penetration testing, these data breaches could have been avoided. The timely reporting of data leakages may also help reduce fines and maintain data privacy. An experienced data protection company can also help in this regard.

Google France – GDPR fine because of non-transparency

Google France was fined for a lack of transparency. The data protection authorities criticised the way in which the company informed people about the use of personal data for marketing purposes. The company’s data privacy policy was said to be confusing and at some points unclear––failing to provide mandatory information, a fine of 50 million euros or approximately £44 million was issued.

The search engine giant must have felt the penalty in its annual balance sheet, at least. However, the significance of the judgment is much more important: It shows that even the large organisations do not have free rein to exploit citizens’ data for business purposes as they please. According to the obligated information, they must clearly explain how they handle personal data.

How could Google have prevented these fines?

With an incredibly long data privacy policy where crucial information was unclear or even hidden, Google did not act in consideration of its data privacy obligations. For this reason, the company would have had to explain what happens with user data when they use a certain Google service in the first sentence of their policy. This way, the user can make a conscious decision to use the service or not.

H&M – GDPR fine for not respecting employees' private matters

Our next case concerns Hennes & Mauritz, the large clothing retail company. The company was presented with a GDPR fine of 35 million euros or approximately £32 million in Germany. The reason was that they had extensive records of their employees in Nuremberg. They took notice of their vacation plans and details of their sick leaves and about their family lives. This information was used for work decisions and access to the data was given to more than 50 managers in the company.

How could H&M have avoided the GDPR fine?

H&M should have observed the right to privacy in employee matters. Companies are not allowed to record any non-necessary data in the personal file.

TIM and Eni Italy: High fines for illegal sales calls

Perhaps you have already realised that you have been receiving fewer sales calls recently. This is just one of the welcomed consequences of GDPR. Two cases in Italy have served as an example – cases in which telecommunications service provider TIM, and oil and energy group Eni Italy, were punished with fines of about 27 million and 8 million euros (£24 million or £8 million approximately).

At TIM, people were called millions of times without their consent – one person was even called 155 times in one month. Eni also called people for marketing purposes without their consent, despite them opting out, their phones kept ringing. Both companies had clearly not taken adequate technical and organisational measures (TOM).

How could Eni and TIM have avoided the fines?

Both companies could have spared themselves the GDPR fines relatively easily – by obtaining the consent of the users. Eni and TIM could also have programmed their platforms with data privacy in mind (privacy by design) and guaranteed the protection of user data by applying the according default settings (privacy by default).

Österreichische Post – Illegal data collection punished

Is Österreichische Post allowed to collect highly sensible data about the political leanings of over 2.2 million customers? When delivering letters and parcels, do they need to know that Mrs. Meyer received 15 parcels in May and only three in June, or how often she moves house? The Austrian data protection authorities don’t think so. In the end, the company (which is partially state-owned), had to pay a fine of 18 million euros or approximately £16 million for the data privacy violation.

How could Österreichische Post have avoided the penalty?

According to the principles of data minimisation and lawfulness, the postal company was only allowed to collect and process data that was absolutely necessary to perform its tasks. For example, the collection of anonymised data about delivery frequency is permitted, but the profiling of individual customers’ order behavior is not. After all, the aim of data privacy is to obtain as much as necessary, but as little as possible.

Deutsche Wohnen – GDPR fine for not observing erasure deadlines

The second largest fine issued in Germany so far by the data protection authorities (14.5 million euros or approximately £12 million) was handed to Deutsche Wohnen. The reason: The real estate company had been storing unlimited tenant data for several years. This data included wage statements and creditworthiness assessments for the storage of which there was no legal basis.

How could Deutsche Wohnen have avoided the GDPR fine?

Deutsche Wohnen had already been asked in 2017 by the data protection authorities to review its IT archive and clean the datasets in terms of the right to erasure. Had the company taken the problem seriously back then and observed the erasure deadlines, it would have spared itself the large fine.

1&1: GDPR fine due to problems in the authentication process

In the case of 1&1, the devil is in the detail: A customer’s ex-partner managed to call the hotline and obtain the customer’s mobile phone number by stating his name and date of birth. Although this was an individual case and 1&1 worked closely with the data protection authorities, it incurred a fine of about 9.5 million euros or £9 million (approx). The company now plans to appeal against it. However, in this case it is not clear if the matter was also a systematical problem with the technical and organisational measures (TOM), as it was portrayed by the data privacy authority. There was not a single case that led to the fine.

How could 1&1 have avoided a GDPR penalty?

This judgment is a matter of debate because 1&1 reacted quickly and took several measures. By introducing two-step authentication and implementing technical and organisational measures (TOM), the company should not have any more problems with authentication processes in the future.

Google SE – Violation of the right to be forgotten

Our last case concerns Google again – the company was presented with a GDPR fine of 7 million euros or approximately £6 million in Sweden. The reason was several entries from search results that related to criminal convictions and crimes of individuals. The data subjects had requested the erasure of these entries as per the right to be forgotten, but Google did not comply to the required extent.

What could Google have done differently?

Google should have offered the data subjects the opportunity to delete this highly sensitive, partially unsubstantiated information from the search results without the ability to trace who prompted the erasure. For this purpose, the implementation of the right to be forgotten is necessary so that entries can be deleted fully and within the statutory time limits.

Conclusion: How can companies avoid GDPR fines?

The cases above show that many of the worst violations can be traced back to insufficient IT security, a lack of consent or inadequate understanding of the employee rights. Observing erasure deadlines and complying with the right to be forgotten also influence the assessment of GDPR fines and violations.

In order for companies to avoid large fines in the first place, they should accept data privacy as a legal reality, address the topic holistically and start moving in good time. After all, GDPR conformity does not happen overnight. With an experienced data protection officer at their side, companies also send a signal to supervisory authorities that they are on the right path in terms of data privacy. Find out how DataGuard's corporate compliance solutions can help your organisation seamlessly navigate GDPR requirements and avoid hefty fines.

There are still some questions that you would like to get answered? Feel free to reach out to one of our GDPR experts.