Last updated on 13 September 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The General Data Protection Regulation (GDPR) is notorious for its huge fines, and for good reason. While the headline fines usually relate to large-scale privacy violations affecting millions of people, the GDPR is enforced against smaller companies, too.
This article will walk you through the GDPR's core requirements, explain how its system of penalties works, and help you learn from the mistakes of other businesses that have been hit by GDPR fines so you can avoid incurring them yourself.
Privacy fines are not a new concept, but the GDPR has increased their potential sums significantly.
Here are some examples of pre-GDPR penalties so you can see how they compare to current violation outcomes.
In 2006, AOL released a file that included the search history of over 650,000 users, supposedly for research purposes. Some of the data included the personal information of users, which was soon made available to the entire internet. AOL was ordered to pay a penalty of $5000 for every compromised user.
In 2007, Google was fined $147,000 for unwittingly publishing images of the faces, activities, and license plates of passers-by when it launched Google Street View.
Disney (through its Playdom subsidiary) was fined $3 million in May 2011 for collecting the personal data of children under the age of 13 and sharing it with third-party advertisers without parental consent.
In 2017 Facebook was fined €1.2 million in Spain for collecting sensitive user data, such as religious beliefs and sexuality information, without requesting adequate consent from consumers beforehand.
Key Requirements of the GDPR
The GDPR consists of 99 articles (grouped into 11 chapters) and 173 recitals. The articles set the legally-binding rules and principles that govern the processing of personal data. The recitals provide supporting information and additional context.
Let's take a look at some of the key sections of the GDPR, to help you understand what you'll need to do to avoid a GDPR fine.
Territorial Scope (Article 3): Who the GDPR Applies to
According to Article 3, the GDPR applies (with limited exceptions) to the processing of personal data by any person or organization that is either:
Established in the EU (the processing itself need not take place in the EU, only in the context of that establishment's activities)
Outside the EU but offering goods or services to people in the EU (whether paid or free)
Outside the EU but monitoring the behavior of people in the EU (including by using tracking cookies on a website accessible to EU users)
This means that companies from all over the world must comply with the GDPR if they want access to the EU market.
Definitions (Article 4)
First, you'll need to understand the language of the GDPR if you want to comply with it. Some of the GDPR's most important definitions (all of which are set out in full in Article 4) include:
Personal data: Information relating to an identifiable individual
Processing: Any operation performed on personal data (e.g. collecting, storing, sharing, erasing, modifying, etc.)
Data subject: An individual to whom personal data relates
Controller: A person or organization that "determines the purposes and means of the processing of personal data," i.e., decides why and how to process personal data
Processor: A person or organization that processes personal data on behalf of a controller
Data Protection Authority (DPA): The privacy regulator operating in each EU country (the GDPR's own term is "supervisory authority")
European Union: A group of 27 European countries. For the purposes of this article, when we refer to "the EU," we're including the European Economic Area countries (Iceland, Liechtenstein, and Norway), and the U.K.
Principles (Article 5)
The GDPR's principles of data processing provide baseline data protection standards and should underpin all processing of personal data by controllers and processors (unless an exemption applies). The principles, outlined in Article 5, are:
Lawfulness, fairness, and transparency: Process personal data lawfully (on a valid lawful basis), fairly, and in a transparent manner in relation to the data subject.
Purpose limitation: Only process personal data for a specified, explicit, and legitimate purpose. Don't process personal data for further purposes that are incompatible with the original purpose.
Data minimization: Only process the minimum amount of personal data needed for a specific purpose.
Accuracy: Keep personal data accurate and up-to-date.
Storage limitation: Don't store personal data for longer than necessary.
Integrity and confidentiality (security): Implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Controllers are also bound by a seventh principle, accountability (Article 5 (2)): you are responsible for, and must be able to demonstrate, your compliance with the other six.
Lawful Bases (Article 6)
The lawful bases for processing are the six valid legal grounds on which you may process personal data. You must identify a lawful basis before you process personal data; without one, the processing is unlawful.
Consent: The data subject has given their consent, defined as "a freely given, specific, informed, and unambiguous indication" of their wishes, given via "a statement or by a clear affirmative action."
Contract: You need to process personal data to fulfill your obligations under a contract, or enter into a contract, with the data subject.
Legal obligation: You need to process personal data to comply with EU law or the national law of an EU country.
Vital interests: You need to process personal data to protect someone's life or health.
Public task: You need to process personal data to carry out a task in the public interest, under official authority.
Legitimate interests: You have a legitimate interest in processing the data subject's personal data, and you can demonstrate that this interest is not overridden by the data subject's interests or rights.
Data Subject Rights (Articles 12-22)
The GDPR provides data subjects with rights over their personal data. Controllers are responsible for facilitating these rights, with help from processors if necessary.
The right of access: Data subjects may request a copy of their personal data.
The right to rectification: Data subjects may request that you amend or update any incorrect or out-of-date personal data you hold about them.
The right to erasure ("the right to be forgotten"): Data subjects may request that you delete any personal data you hold about them.
The right to restriction of processing: Data subjects may request that you stop processing their personal data in specific ways, under certain conditions.
The right to data portability: Data subjects may request that you provide a copy of their personal data in a "machine-readable format" so they can transfer it to another controller.
The right to object: Data subjects may object to processing based on legitimate interests or a public task, and may object to direct marketing at any time, in which case the processing for that purpose must stop.
The right not to be subject to automated decision-making: Data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on them, and may request human review of such a decision.
Tiers of GDPR Fines and What Triggers Them
There are multiple tiers of fines possible under the GDPR, each triggered by different actions (or inactions) on your part.
For minor, unintentional violations, DPAs will work with the offending controller or processor to rectify matters and it may be possible to avoid a financial penalty. That said, the GDPR is well-known for its harsh penalties, and we have seen several DPAs issue fines amounting to tens of millions of euros.
Let's look at how these penalties work.
Article 83 (4) Fines
The fines described under Article 83 (4) are the less severe of the two types of fines available to DPAs. Here's the relevant section of the GDPR:
This tier of fines can apply if the following infringements occur:
Relying on a child's own consent for online services where the child is under 16 (or a lower age, no less than 13, set by national law) without parental authorization (Article 8).
Failure to implement data protection by design and by default (Article 25).
Failure, where two or more controllers jointly determine the purposes and means of processing, to set out their respective responsibilities in an arrangement and make its essence available to data subjects (Article 26).
Failure to use only processors that provide sufficient guarantees of compliance, or to bind them with a contract covering the matters listed in Article 28.
Failure to keep records of processing activities (Article 30).
Failure to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33).
Failure to communicate a breach that is likely to result in a high risk to the rights and freedoms of the affected individuals to those individuals without undue delay (Article 34).
Failure to carry out a data protection impact assessment (DPIA) before starting processing that is likely to result in a high risk to individuals (Article 35).
Failure to appoint a Data Protection Officer (DPO) where the nature of the processing requires one (Article 37).
For these infringements, Article 83 (4) GDPR allows DPAs to issue fines of up to whichever is greater of the following two amounts:
Up to €10 million (roughly $10 million at the time of writing)
Up to 2 percent of worldwide turnover for the preceding financial year
These less severe penalties are available for violation of the following parts of the GDPR:
Although it is not possible to show visual examples of every kind of infraction, below you can see a few very obvious violations.
Non-Compliant Consent Practices
Valid consent is one of the cornerstones of GDPR compliance. Violations are not difficult to spot.
The McDonald's registration form does not give users an opportunity to provide express and unambiguous consent for marketing communications. In this form, consent is assumed when a user registers for an account:
Although Apple's registration form includes marketing consent checkboxes, this method does not produce freely given consent, because the boxes are pre-ticked by default:
Both are forms of implied consent, which the GDPR does not recognize: Recital 32 states that silence, pre-ticked boxes, or inactivity do not constitute consent. The same standard applies to non-essential cookies: consent must come from a clear affirmative action by the user, such as clicking a button or ticking an unticked checkbox.
Readability and Accessibility
Another fine-worthy infringement is failing to provide a clear, easy-to-understand Privacy Policy. Article 12 requires that information be given in a concise, transparent, intelligible, and easily accessible form, using clear and plain language; the long-winded, confusing legalese that was so popular in Privacy Policies of the past will no longer be accepted.
Ironically, it may be government agencies that will have the hardest time with this requirement.
Here's the current version, which is much more readable and organized:
In addition, a user should have easy access to their own personal information and consent choices. According to the GDPR, "it shall be as easy to withdraw consent as to give it."
Examples of GDPR Fines
Now we're going to take a look at some real GDPR fines.
This isn't a list of the biggest GDPR fines to date. Instead, we've chosen a selection of GDPR fines that small to medium-sized businesses need to learn from.
On July 28, 2020, the French DPA (CNIL) issued a €250,000 fine to the online shoe retailer Spartoo. The company was also given three months to comply with the GDPR, after which it would receive a fine of €250 per day until it was fully compliant.
The fine was issued following a "dawn raid" on the company's premises which revealed multiple GDPR violations, including:
Article 5 (1) (c): Unnecessarily storing phone calls between employees and clients; unnecessarily collecting ID documents
Article 5 (1) (e): Storing personal information of prospective clients for longer than necessary, failing to implement a data retention schedule
Article 32: Using weak passwords, failing to encrypt payment card details
Here's what you can do to avoid a fine like this:
Only store recordings of phone calls where necessary in relation to a specific purpose, and for as short a period as possible.
Carefully consider how long you need to store each type of personal data you process, and draw up a data retention schedule to that effect.
Enforce a strong password policy together with multi-factor authentication, never store payment card numbers in plaintext, and encrypt personal data at rest and in transit wherever reasonably possible.
The standout lesson from this case is about analytics cookies. Jubel's website set Google Analytics cookies, which require prior consent under EU ePrivacy rules. However, the site had no cookie consent mechanism. The company argued that it did not need consent, but the DPA disagreed.
Jubel's violations in this case included:
Article 6: Failing to obtain consent for website analytics cookies
Article 7: Attempting to rely on "opt-out" cookie consent
Here's what you can do to avoid a fine like this:
Provide a cookie consent notice on your website that allows users to opt into or out of analytics cookies.
Don't set non-essential cookies (analytics, advertising, and similar) on users' devices before obtaining their consent; only cookies that are strictly necessary to deliver the service the user asked for are exempt.
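Here is what the opt-in rule from the consent examples above and from the Jubel case looks like in code. This is an added example written for this article, not code from the page's author or from any of the companies mentioned; the cookie name cookie_consent, the loadAnalytics callback, and the vendor cookie names _ga and _gid are assumptions made for illustration.

```javascript
// Added example (not code from the article, McDonald's, Apple or Jubel): gating
// analytics cookies behind explicit opt-in consent that can be withdrawn.
// Assumptions: a first-party cookie named "cookie_consent" stores the user's
// choices as JSON, and the analytics vendor's cookies are named "_ga"/"_gid"
// (Google Analytics defaults); both names are illustrative.

const CONSENT_COOKIE = "cookie_consent";
const ANALYTICS_COOKIES = ["_ga", "_gid"];

// Parse a `document.cookie`-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Read the stored consent record. A missing or malformed cookie means "no
// decision yet", which the rest of the code treats exactly like a refusal.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return rec !== null && typeof rec === "object" ? rec : null;
  } catch (_) {
    return null;
  }
}

// Build the record from the banner's checkbox states. Boxes must render
// unticked: a category is consented to only when its value is strictly `true`,
// so an absent or defaulted value (pre-ticked box, silence, inactivity) never counts.
function buildConsentRecord(choices, now = new Date()) {
  return {
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    decidedAt: now.toISOString(),
  };
}

// Withdrawal is a single call, as easy as giving consent (Article 7(3)).
function withdrawConsent(record, now = new Date()) {
  return buildConsentRecord({}, now); // every category back to false
}

// Set-Cookie value for the consent record itself. This cookie is strictly
// necessary to honour the user's choice, so it does not itself need consent.
function consentCookieValue(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Set-Cookie values that delete the analytics cookies after a withdrawal.
function expireAnalyticsCookies() {
  return ANALYTICS_COOKIES.map((n) => `${n}=; Max-Age=0; Path=/; SameSite=Lax; Secure`);
}

// The gate: analytics may run only on a recorded, affirmative opt-in.
function analyticsAllowed(cookieHeader) {
  const rec = readConsent(cookieHeader);
  return rec !== null && rec.analytics === true;
}

// Browser wiring: call this instead of loading the analytics tag unconditionally.
// `loadAnalytics` is whatever injects the vendor script (assumed to exist).
function initAnalyticsIfAllowed(loadAnalytics) {
  if (typeof document === "undefined" || !analyticsAllowed(document.cookie)) return false;
  loadAnalytics();
  return true;
}
```

Ship the banner with every box unticked, call buildConsentRecord with the states the user actually left, and only ever call initAnalyticsIfAllowed rather than loading the analytics tag unconditionally. On withdrawal, send both the new consent cookie and the expiry cookies; the Domain and Path attributes on the expiry cookies must match those the vendor used, or the browser will not delete them.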
On September 12, 2018, the Austrian DPA issued its first GDPR fine of €5,280 (later reduced on appeal). The offending company was a betting shop, which was accused of the following GDPR violations:
Article 5 (1) (e): Storing CCTV camera footage for longer than necessary
Article 5 (1) (c): Failing to limit the processing of personal data by filming a public area unnecessarily
Article 6 (1) (f): Relying on the lawful basis of "legitimate interests," where the company's interests did not outweigh those of the data subjects
Article 13: Failing to provide adequate notice of how it used CCTV cameras on its premises
In this case, a particular point of interest is that although the betting shop had signs warning data subjects about its use of CCTV, it hadn't provided "layered" privacy information in multiple formats.
Here's what you can do to avoid a fine like this:
Store CCTV footage for as short a period as necessary (in this case, the DPA ordered the company to reduce its retention period from 14 days to 72 hours).
Carefully restrict your CCTV recording to the necessary areas of your premises.
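Both the Spartoo case and the betting-shop case above come down to retention: the data was kept because nothing deleted it. The following is an added example, not code from the page's author or from either regulator, of a retention schedule expressed as a table and enforced by a purge job. The categories, retention periods, and sample records are constructed for illustration; the periods are not recommendations, and your own must be justified by the purpose of each category.

```javascript
// Added example (not from the article or any DPA): a data retention schedule
// enforced in code. Categories, periods and sample records are constructed.

const HOUR = 3600 * 1000;

// One row per category of personal data: the purpose it serves and the maximum
// age. Article 5(1)(e) requires the period to follow from the purpose.
const RETENTION_SCHEDULE = {
  cctv_footage:    { maxAgeHours: 72,            purpose: "security of premises" },
  call_recording:  { maxAgeHours: 24 * 30,       purpose: "quality review of customer calls" },
  prospect_record: { maxAgeHours: 24 * 365 * 2,  purpose: "marketing to prospective customers" },
};

function retentionRule(category) {
  const rule = RETENTION_SCHEDULE[category];
  // A category with no rule has no documented purpose: refuse rather than keep it forever.
  if (!rule) throw new Error(`no retention rule for category "${category}"`);
  return rule;
}

function ageHours(record, now) {
  const created = Date.parse(record.createdAt);
  if (Number.isNaN(created)) throw new Error(`record ${record.id} has no valid createdAt`);
  return (now.getTime() - created) / HOUR;
}

function isExpired(record, now) {
  return ageHours(record, now) > retentionRule(record.category).maxAgeHours;
}

// Partition a store into records to keep and records to delete. Records the
// schedule does not cover are reported separately so the job fails loudly
// instead of silently retaining them.
function purgeExpired(records, now) {
  const kept = [], purged = [], uncovered = [];
  for (const r of records) {
    if (!(r.category in RETENTION_SCHEDULE)) { uncovered.push(r); continue; }
    (isExpired(r, now) ? purged : kept).push(r);
  }
  return { kept, purged, uncovered };
}

// Constructed sample data; ages are relative to the fixed "now" below.
const SAMPLE_NOW = new Date("2022-09-13T12:00:00Z");
const SAMPLE_RECORDS = [
  { id: "cam-1",     category: "cctv_footage",    createdAt: "2022-09-09T12:00:00Z" }, // 96 h old
  { id: "cam-2",     category: "cctv_footage",    createdAt: "2022-09-12T12:00:00Z" }, // 24 h old
  { id: "call-7",    category: "call_recording",  createdAt: "2022-07-01T09:00:00Z" }, // > 30 days
  { id: "lead-3",    category: "prospect_record", createdAt: "2022-01-10T08:00:00Z" }, // < 2 years
  { id: "id-scan-5", category: "id_document",     createdAt: "2022-09-01T00:00:00Z" }, // no rule
];

function runSamplePurge() {
  return purgeExpired(SAMPLE_RECORDS, SAMPLE_NOW);
}

if (typeof require !== "undefined" && require.main === module) {
  const result = runSamplePurge();
  for (const [bucket, rows] of Object.entries(result)) {
    console.log(bucket, rows.map((r) => r.id).join(", ") || "(none)");
  }
}
```

Run purgeExpired on a schedule and treat a non-empty uncovered list as an error to investigate: it means someone is storing a category of personal data for which no purpose and retention period has been documented, which is exactly the situation the Spartoo and betting-shop fines punished.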