GDPR Fines

The General Data Protection Regulation (GDPR) is notorious for its huge fines, and for good reason. While these fines usually relate to huge privacy violations affecting millions of people, the GDPR is enforced against smaller companies, too.

This article will walk you through the GDPR's core requirements, explain how its system of penalties works, and help you learn from the mistakes of other businesses that have been hit by GDPR fines so you can avoid acquiring them yourself.

Examples of Privacy Penalties Before the GDPR

Privacy fines are not a new concept, but the GDPR has increased their potenital sums significantly.

Here are some examples of pre-GDPR penalties so you can see how they compare to current violation outcomes.

• In 2006, AOL released a file that included the search history of over 650,000 users, supposedly for research purposes. Some of the data included the personal information of users, which was soon made available to the entire internet. AOL was ordered to pay a penalty of $5000 for every compromised user.
• In 2007, Google was fined $147,000 for unwittingly releasing images of the faces, activities, and license plates of passerby when they launched their Google Street View software.
• Disney was fined $3 million in May of 2011 when they processed the personal data of children under the age of 13 and shared it with third-party advertisers without parental consent.
• In 2017 Facebook was fined €1.2 million in Spain for collecting sensitive user data, such as religious beliefs and sexuality information, without requesting adequate consent from consumers beforehand.

Key Requirements of the GDPR

The GDPR consists of 99 articles (grouped into 11 chapters) and 173 recitals. The articles set the legally-binding rules and principles that govern the processing of personal data. The recitals provide supporting information and additional context.

Let's take a look at some of the key sections of the GDPR, to help you understand what you'll need to do to avoid a GDPR fine.

Territorial Scope (Article 3): Who the GDPR Applies to

According to Article 3, the GDPR applies to all processing of personal data that takes place in the EU (with limited exceptions), by any person or organization that is either:

• Established in the EU
• Offering goods or services to people in the EU (whether paid or for free)
• Monitoring the behavior of people in the EU (including by using tracking cookies on a website accessible to EU users)

This means that companies from all over the world must comply with the GDPR if they want access to the EU market.

Definitions (Article 4)

First, you'll need to understand the language of the GDPR if you want to comply with it. Some of the GDPR's most important definitions, listed out in Article 4 in full, include:

• Personal data: Information relating to an identifiable individual
• Processing: Any operation performed on personal data (e.g. collecting, storing, sharing, erasing, modifying, etc.)
• Data subject: An individual to whom personal data relates
• Controller: A person or organization that "determines the purposes and means of the processing of personal data," i.e., decides why and how to process personal data
• Processor: A person or organization that processes personal data on behalf of a controller
• Data Protection Authority (DPA): A privacy regulator operating in each EU country
• European Union: A group of 27 European countries. For the purposes of this article, when we refer to "the EU," we're including the European Economic Area countries (Iceland, Liechtenstein, and Norway), and the U.K.

Principles (Article 5)

The GDPR's principles of data processing provide baseline data protection standards and should underpin all processing of personal data by controllers and processors (unless an exemption applies). The principles, outline in Article 5, are:

1. Lawfulness, fairness, and transparency: Always process personal data in a way that complies with EU law. Don't use personal data in any way that individuals wouldn't reasonably expect. Always provide clear and accessible information about your data processing practices (including via a Privacy Policy).
2. Purpose limitation: Only process personal data for a specified, explicit, and legitimate purpose. Don't process personal data for further purposes that are incompatible with the original purpose.
3. Data minimization: Only process the minimum amount of personal data needed for a specific purpose.
4. Accuracy: Keep personal data accurate and up-to-date.
5. Storage limitation: Don't store personal data for longer than necessary.
6. Security: Implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or damage.

Controllers also have a seventh principle of "accountability." You are accountable for your compliance with the GDPR.

Lawful Bases (Article 6)

The lawful bases for processing are a set of valid legal reasons for which you may process personal data. You must not process personal data without determining a lawful basis for doing so.

The lawful bases, outlined in Article 6, are:

• Consent: The data subject has given their consent, defined as "a freely given, specific, informed, and unambiguous indication" of their wishes, given via "a statement or by a clear affirmative action."
• Contract: You need to process personal data to fulfill your obligations under a contract, or enter into a contract, with the data subject.
• Legal obligation: You need to process personal data to comply with EU law or the national law of an EU country.
• Vital interests: You need to process personal data to protect someone's life or health.
• Public task: You need to process personal data to carry out a task in the public interest, under official authority.
• Legitimate interests: You have a legitimate interest in processing the data subject's personal data, and you can demonstrate that this interest is not overridden by the data subject's interests or rights.

Data Subject Rights (Articles 12-22)

The GDPR provides data subjects with rights over their personal data. Controllers are responsible for facilitating these rights, with help from processors if necessary.

The data subject rights, outline in Articles 12 to 22, are:

• The right to be informed: You must provide clear, accessible information about your data processing practices, including by creating a GDPR-compliant Privacy Policy.
• The right of access: Data subjects may request a copy of their personal data.
• The right to rectification: Data subjects may request that you amend or update any incorrect or out-of-date personal data you hold about them.
• The right to erasure ("the right to be forgotten"): Data subjects may request that you delete any personal data you hold about them.
• The right to restriction of processing: Data subjects may request that you stop processing their personal data in specific ways, under certain conditions.
• The right to data portability: Data subjects may request that you provide a copy of their personal data in a "machine-readable format" so they can transfer it to another controller.
• The right to object to your data being processed.
• The right not to be subject to automated processing: Data subjects may request a review of any important decisions made by an AI or algorithm.

Tiers of GDPR Fines and What Triggers Them

There are multiple tiers of fines possible under the GDPR, each triggered by different actions (or inactions) on your part.

For minor, unintentional violations, DPAs will work with the offending controller or processor to rectify matters and it may be possible to avoid a financial penalty. That said, the GDPR is well-known for its harsh penalties, and we have seen several DPAs issue fines amounting to tens of millions of euros.

Let's look at how these penalties work.

Article 83 (4) Fines

The fines described under Article 83 (4) are the less severe of the two types of fines available to DPAs. Here's the relevant section of the GDPR:

This tier of fines can apply if the following infringements occur:

• Collecting the personal information of a child 16 years old or younger without parental consent.
• Failure to follow basic Privacy by Design protocols to promote privacy and security.
• Failure to inform users of the joint processing of user data by two or more parties.
• Failure to affirm the privacy compliance of a third party used to process user data, or to inform users of third-party processing.
• Failure to keep records of personal information processing activities.
• Failure to communicate a data breach to a supervisory authority within 72 hours of discovery.
• Failure to communicate a data breach to the end users it affects in a timely manner.
• Failure to perform a data protection impact assessment (DPIA) prior to launching an initiative that puts the personal data of EU users at risk.
• Failure to appoint a Data Protection Officer (DPO), if the nature of the online business requires it.

As you can see, Article 83 (4) GDPR allows DPAs to issues fines of whichever is greater of the following two amounts:

• Up to €10 million (roughly $1,186,000)
• Up to 2 percent of worldwide turnover for the preceding financial year

These less severe penalties are available for violation of the following parts of the GDPR:

• Article 8: Children's consent
• Article 11: De-identification of personal data
• Article 25 to 39: Including obligations around security, Data Processing Agreements, cooperation with DPAs, data breach notifications, Data Protection Impact Assessments, and Data Protection Officers
• Articles 42 and 43: Certification processes
• Article 41 (4): Code of conduct violations

Article 83 (5) Fines

The fines described under Article 83 (5) are the more severe of the two types of fines available to DPAs.

Here's the relevant section of the GDPR:

This tier of fines can apply if the following infringements occur:

• Processing data in an unlawful, dishonest, or unsecure fashion.
• Processing personal data without the unambiguous and freely-given consent of the user, with the exception of cases in which processing is required by law.
• Processing of "sensitive personal data" without due necessity and the express consent of the user.
• Failure to inform users they can opt out of data collection and provide an opt-out method.
• Failure to provide an accessible, clear, and easy-to-understand Privacy Policy.
• Failure to provide users with a copy of the personal information you hold about them upon request.
• Failure to provide users with access to their personal data for the purposes of editing, updating, or erasing it completely.
• Failure to erase personal data or cease marketing efforts targeted at an end user upon request.
• Transferring personal data over international borders without following the appropriate processes and protocols.
• Non-compliance with any order issued by a GDPR supervisory authority.

As you can see, Article 83 (5) GDPR allows DPAs to issues fines of whichever is greater of the following two amounts:

• Up to €20 million (roughly $2,372,000)
• Up to 4 percent of worldwide turnover for the preceding financial year

These more severe penalties are available for violation of the following parts of the GDPR:

• Article 5: Principles of data processing
• Article 6: Lawful bases for processing
• Article 7: Conditions for consent
• Article 9: Processing special category (sensitive) data
• Articles 12 to 22: Data subject rights (for example, failure to maintain a Privacy Policy under "the right to be informed," or provide copies of personal data on request under "the right of access")
• Articles 44 to 49: International data transfers
• Chapter 9: National data protection laws set by EU countries
• Article 58 (1) and (2): Disobeying a DPA's order to cease data flows or provide access to personal data

Examples of GDPR Violations

Although it is not possible to show visual examples of every kind of infraction, below you can see a few very obvious violations.

Non-Compliant Consent Practices

Valid consent is one of the cornerstones of GDPR compliance. Violations are not difficult to spot.

The McDonald's registration form does not give users an opportunity to provide their express and unambiguous consent for marketing communications; In this form, consent is assumed when a user registers for an account:

Although Apple's registration form includes marketing consent checkboxes, this method of consent is not considered freely-given because the boxes are pre-ticked by default:

TechTarget's Cookies Policy includes the following terminology: "By continuing to use the site, you agree to the use of cookies."

This is implied consent and will not be considered legal under the GDPR. Consent for most types of cookies must be obtained via a clear action on the part of the user, such as the click of a button or tick of a checkbox.

The same goes for Privacy Policies. In order for a user to validly consent to a Privacy Policy they must click an agreement button or tick a checkbox.

Readability and Accessibility

Another fine-worthy infringement involves clear, easy-to-understand Privacy Policies. The long-winded, confusing legalese that was so popular in Privacy Policies of the past will no longer be accepted.

Ironically, it may be government agencies that will have the hardest time with this requirement.

This is the old, previous intro to the Privacy Policy for USA Citizen and Immigration Services. The language is unnecessarily complex and dense:

Here's the current version, which is much more readable and organized:

Although it is still unclear how serious these types of infractions will be, it is advisable to ensure your Privacy Policy is written clearly in simple language.

Accessibility to the Privacy Policy as well as to a user's choices regarding their personal information is a key point in the GDPR.

For example, the Privacy Policy should be prominent and easy-to-find within the business's website or mobile app.

In addition, a user should have easy access to their own personal information and consent choices. According to the GDPR, "it shall be as easy to withdraw consent as to give it."

Further, usually the Privacy Policy would provide instructions on how to unsubscribe from marketing communications.

Make sure your Privacy Policy is up to date and includes GDPR-required information, is written in an easy-to-understand way, and that you get the appropriate level of consent whenever you collect personal information. Do these things and incorporate sound privacy practices into your business and you should avoid being penalized.

Examples of GDPR Fines

Now we're going to take a look at some real GDPR fines.

This isn't a list of the biggest GDPR fines to-date. Instead, we've chosen a selection of GDPR fines that small to medium-sized businesses need to learn from.

France: Excessive Data Collection and Incorrect Privacy Policy

On July 28, 2020, the French DPA issued a €250,000 fine to online shoes retailer, Spartoo. The company was also given three months to comply with the GDPR, after which it would receive a fine of €250 per day until it was fully compliant.

The standout lesson from this case is that you should only collect and store personal data when you need to. You should also provide a comprehensive Privacy Policy that explains how you collect and store personal data.

The fine was issued following a "dawn raid" on the company's premises which revealed multiple GDPR violations, including:

• Article 5 (1) (c): Unnecessarily storing phone calls between employees and clients; unnecessarily collecting ID documents
• Article 5 (1) (e): Storing personal information of prospective clients for longer than necessary, failing to implement a data retention schedule
• Article 13: Providing a Privacy Policy that gave incorrect information about the company's lawful basis for processing, and excluded key information about recording phone calls
• Article 32: Using weak passwords, failing to encrypt payment card details

Here's what you can do to avoid a fine like this:

• Ensure your Privacy Policy complies with all of the GDPR's transparency requirements, providing accurate and comprehensive information about your data processing practices.
• Only store recordings of phone calls where necessary in relation to a specific purpose, and for as short a period as possible.
• Carefully consider how long you need to store each type of personal data you process, and draw up a data retention schedule to that effect.
• Use strong passwords and multi-factor authentication, and encrypt all personal data wherever reasonably possible.

Belgium: Inadequate Cookie Information and Privacy Policy

On 17 December, 2019, the Belgian DPA issued a €15,000 fine to legal news website, Jubel. The fine is seen as a deterrent to other websites that violate the GDPR and the ePrivacy Directive (another EU law that sets rules on the use of cookies).

The standout lesson from this case is about analytics cookies. Jubel's website used Google Analytics cookies, which require consent under EU law. However, the site had no cookie consent mechanism. The company attempted to argue that it did not require consent, but the DPA disagreed.

Jubel's violations in this case included:

• Article 6: Failing to obtain consent for website analytics cookies
• Article 7: Attempting to rely on "opt-out" cookie consent
• Articles 12 and 13: Providing a Privacy Policy only in English, when Dutch and French speakers also used the site; failing to make its Privacy Policy easily accessible; failing to set out its legal basis for processing cookie data in its Privacy Policy

Here's what you can do to avoid a fine like this:

• Provide a cookie consent notice on your website that allows users to opt into or out of analytics cookies.
• Don't set cookies on users' devices without obtaining their consent.
• Provide a Privacy Policy in whatever languages are spoken by your users.
• Make your Privacy Policy easily accessible on your website.
• Ensure that your Privacy Policy explains your lawful basis for processing.

Austria: Excessive Use of CCTV and Failure to Provide a Privacy Policy

On September 12, 2018, the Austrian DPA issued its first GDPR fine of €5,280 (later reduced on appeal). The offending company was a betting shop, which was accused of the following GDPR violations:

• Article 5 (1) (e): Storing CCTV camera footage for longer than necessary
• Article 5 (1) (c): Failing to limit the processing of personal data by filming a public area unnecessarily
• Article 6 (1) (f): Relying on the lawful basis of "legitimate interests," where the company's interests did not outweigh those of the data subjects
• Article 13: Failing to provide adequate notice of how it used CCTV cameras on its premises

In this case, a particular point of interest is that although the betting shop had signs warning data subjects about its use of CCTV, it hadn't provided "layered" privacy information in multiple formats.

Here's what you can do to avoid a fine like this:

• Explain your use of CCTV in your Privacy Policy.
• Store CCTV footage for as short a period as necessary (in this case, the DPA ordered the company to reduce its retention period from 14 days to 72 hours).
• Carefully restrict your CCTV recording to the necessary areas of your premises.
• Ensure you carry out a proper Legitimate Interests Assessment whenever relying on the lawful basis of legitimate interests.

Spain: No Cookies Information and Privacy Policy Only Available in English

On 23 July, 2020, the Spanish DPA issued a €3,000 fine to Spanish travel website, Just Landed. The company was accused of violating both the GDPR and the ePrivacy Directive.

The standout lesson from this case is about providing up-front information about cookies, and always allowing your users to make an informed decision to opt in or out of cookies.

Just Landed was accused of violating:

• ePrivacy Directive Article 34 (4) (g): Failing to provide a cookie consent solution; failing to provide information about cookies (for example via a Cookies Policy)
• Article 13: Providing a Privacy Policy only in English, despite being based in Spain

Here's what you can do to avoid a fine like this:

• Implement a GDPR-compliant cookie consent solution that allows data subjects to reject or accept your website's use of cookies.
• Provide a Cookies Policy, or a section in your Privacy Policy, explaining how you use cookies and how users can manage your use of cookies.
• Provide a Privacy Policy in whatever languages are spoken by your users.

Summary

GDPR compliance is a big task for any business. But it's well worth putting in the work up-front to avoid the penalties associated with non-compliance.

Here are some of the standout compliance lessons we can learn from the cases above:

• Comply with the GDPR's transparency obligations by providing clear, comprehensive and accessible information via your Privacy Policy.
• Always ensure you have a lawful basis for processing personal data, including by obtaining consent for your use of cookies.
• Obey the principles of data processing, including by minimizing the amount of personal data you collect, and the duration for which you store it.