High fines for GDPR infringements. Map of financial penalties in Europe.

Fourteen months after the General Data Protection Regulation (GDPR) entered into force, the European Commission has announced its first conclusions. The recently published report states that the new regulation has been positive for European citizens, providing them with effective tools to ensure control over their personal data.

How does Poland look in the light of the above conclusions?

There were 4.5 thousand recorded complaints concerning GDPR infringements, one of Europe’s highest results. Complaints to the Personal Data Protection Office (UODO) usually concerned the following infringements:

  • sending paper and electronic correspondence containing personal data to unauthorised persons,
  • loss or theft of information from digital devices and carriers,
  • ineffective destruction of documentation, resulting in the disclosure of confidential information.

To date, the President of the Personal Data Protection Office has issued 107 decisions and imposed 2 fines for GDPR infringements: nearly PLN 1 million for neglecting the information obligation, and nearly PLN 56,000 for publishing the personal data of football referees on a website.

How do other EU countries look by way of comparison?

In the European Union as a whole, there have been over 60 fines imposed in 14 EU Member States: Austria, Belgium, Bulgaria, Cyprus, Denmark, France, Lithuania, Germany, Hungary, United Kingdom, Italy, Malta, Poland and Portugal.

The greatest number of fines in the European Union were imposed for infringements of the following provisions:

  • Article 5 GDPR, i.e. personal data processing in contravention of the GDPR’s provisions,
  • Article 6 GDPR, i.e. personal data processing without any legal basis or on the basis of an incorrect legal basis, and
  • Article 32 GDPR, i.e. infringement of processing security.

Examples of fines in Europe:

United Kingdom


Two recent cases in the EU concerned fines that the British regulator has announced it intends to impose on two entities:

  • British Airways received notice from the regulator of its intention to impose a fine of nearly EUR 205 million for infringing its customers’ data in September 2018,
  • The Marriott hotel network received notice from the regulator of its intention to impose a fine of over EUR 110 million for an infringement in November 2018.


Interesting penalties include the fine of EUR 50 million imposed in France on Google for failure to adhere to the new regulations and failure to provide users with sufficient explanations and transparency regarding data transferred to advertisers.


Another example is the fine of EUR 61.5 thousand imposed in Lithuania on a FinTech company. The fine was imposed for failure to notify data subjects about the hacking of the company’s server. Additionally, during the investigation, the Lithuanian authority found irregularities regarding data processing and disclosure.


The German authority received a fine of EUR 80 thousand for publishing health-related data on the Internet.


The Portuguese authorities imposed a fine of EUR 400 thousand on a hospital for allowing unauthorised access to the clinical data of its patients.

It is certainly too early to decide categorically whether or not the GDPR’s implementation has been a legislative success of the European Union. It is indisputable that, within the last twelve months, the implemented solutions have increased the awareness of data subjects concerning the processing of their personal data and also increased the security of European Union citizens.

The fines are real and data protection within organisations is very important. The management bodies of companies are aware that they need to pay greater attention to compliance
