The General Data Protection Regulation (GDPR) is called the world’s toughest privacy and security law. It was designed and enacted by the European Union (EU), but it also imposes obligations on organizations elsewhere as long as they target people in the EU or collect data on them. Any organization that uses individuals’ personal data in the European Union countries must comply with this regulation; otherwise, sanctions such as fines will be imposed on the institution.
The GDPR strictly defines the rights attached to a user’s personal data. Before the information of the persons concerned is collected, stored, and processed, it must be clearly stated for what purpose it will be used. If that purpose changes, fresh permission must be obtained from the person concerned. As a result, the regulation requires all companies operating in Europe to scrutinize meticulously how they will use personal data.
The GDPR, which aims to protect consumer data more consistently and reliably, has requirements that apply to every member state of the European Union. Some of the GDPR’s basic privacy and data protection requirements are given below:
- A brief explanation of how data will be processed, written in very clear and plain language
- Processing data only where the data subjects have not objected to it
- Requesting the consent of data subjects for data processing
- Anonymizing the collected data to protect privacy
- Handling cross-border data transfers safely
- Appointing a data protection officer in certain companies to check GDPR compliance
- Establishing a baseline set of standards for companies that process the data of EU citizens, covering both the processing and the movement of personal data
The data protection regulator manages fines covered by the GDPR in each EU country. Regulators determine whether there is a violation under the GDPR and the severity of the penalty. If regulators determine that an organization has multiple GDPR violations, they will only be penalized for the most serious violation. There are basically ten criteria to determine whether and how much these penalties will be assessed before the GDPR imposes fines. These criteria are as follows:
- Gravity and nature: The overall picture of the GDPR violation. In other words, exactly what the violation is, why and how it happened, the number of people affected, the damage it caused, and how long it took to resolve.
- Intention: Whether the GDPR violation was intentional or negligent.
- Mitigation: Whether the company took any measures to mitigate the damage suffered by the people affected by the violation.
- Precautionary measures: The technical and organizational measures the company had put in place to comply with the GDPR.
- History: All previous relevant violations, including violations under the European Data Protection Directive, and compliance with past administrative corrective actions under the GDPR.
- Cooperation: Whether the company cooperated with the supervisory authorities to discover and remedy its violations.
- Data category: The categories of personal data affected by the violation.
- Notification: Whether the company, or a designated third party, proactively reported the violation to the supervisory authority.
- Certification: Whether the company complies with an approved code of conduct.
- Aggravating factors: Any other problems arising from the circumstances of the case resulting from the GDPR violation.
According to research, GDPR penalties are most frequently issued in Germany, France, and Austria. The total number of GDPR fines in 2020 is 19, and in terms of Euros this amounts to 135.253.736 € in 2020. There are two GDPR penalty levels: the lower-level GDPR penalty covers up to € 10 million or 2% of worldwide annual income for the previous year, whichever is higher; the upper-level GDPR penalty covers up to € 20 million or 4% of worldwide annual income. Here are the biggest GDPR penalties in 2020:
The Italian Data Protection Authority (Garante) fined TIM, a telephone network operator, for various illegal actions associated with advertising and marketing campaigns affecting up to several million people. These illegal activities included enrolling people in prize contests without their consent, making unsolicited promotional calls, excessive data retention, and violations of data subjects’ GDPR rights. The Garante therefore fined TIM € 27.8 million under the GDPR.
The Spanish Data Protection Authority fined Vodafone España € 120,000 for violations of the GDPR. The reason for this penalty was that Vodafone España, a telephone operator, could not prove that it had any permission to process its users’ personal data. In addition, the company committed data breaches by disclosing personal data to various credit institutions.
The Swedish Data Protection Authority also fined Google € 7 million under the GDPR in Sweden. The main reason for the penalty was that Google did not remove personal information about various people who had requested removal from search results.
(March 2020) Unnamed Bank (Croatia)
The Croatian Personal Data Protection Authority fined an unnamed bank € 20 million for GDPR violations. The reason for the penalty was that approximately 2,500 people who requested access to their data at the bank were not given their personal information.
The Dutch Data Protection Authority fined the Royal Dutch Tennis Association € 525,000 for GDPR violations. The tennis association was fined for selling the personal data of more than 350,000 of its members to sponsors. These sponsors later contacted some members by mail and phone for marketing purposes.
The Dutch Data Protection Authority also fined an unnamed company € 725,000 under the GDPR. The company was fined for illegally using fingerprint scans of its own employees for time and attendance records.
The Finnish Data Protection Ombudsman’s sanctions board fined Posti Group Oyj € 100,000 for GDPR violations. Posti Group Oyj was fined for disclosing its users’ personal information to organizations that use personal information for direct marketing, and for failing to properly notify individuals of how their data was used.
In January 2019, the French National Commission for Informatics and Freedom fined Google 50 million Euros for GDPR violations. This penalty went down in history as the largest GDPR fine ever issued at the time. Google received the penalty after multiple GDPR violations were found under Articles 5, 6, 13, and 14. The main ground was that Google was not transparent in its disclosures and did not specify how it collects and uses data for ad targeting. Google appealed the decision, but in June 2020 the French Council of State rejected the appeal and upheld the fine.
AOK Baden-Württemberg, a health insurance company, was fined 1.240.000 Euro under the GDPR by the Baden-Württemberg Data Protection Authority (DPA). The DPA imposed this penalty because AOK sent marketing messages to 500 people without permission and took insufficient measures to protect personal data.
The Danish Data Protection Authority fined Arp-Hansen Hotel Group 147,675 € for GDPR violations. The reason for the penalty was that the Arp-Hansen Hotel Group retained the personal data of more than 500,000 people.
Wind Tre, a mobile telecom operator, was fined over € 16.7 million under the GDPR by the Italian Garante (Data Protection Authority). The basis of the GDPR violations was the use of data without the consent of individuals, as well as the creation of confusing interfaces through which users were asked to give consent. The penalty also covered several omissions on Wind Tre’s part regarding direct marketing practices that violate the GDPR.
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) fined the German subsidiary of Swedish fashion retailer H&M Hennes & Mauritz € 258,707.95 for GDPR violations. The penalty stems from the fact that, since 2014, the company had collected and recorded details of employees’ absences due to vacation and sickness, and these details about the employees’ circumstances were discussed among managers.
In July 2019, the ICO fined British Airways € 204.6 million for violating Article 31 of the GDPR. The fine was reduced to £ 20 million in October 2020, in view of the COVID-19 outbreak and its impact on the airline industry. Although the incident occurred in July 2018, it came to light in September 2018. During those months, the British Airways website diverted users’ traffic to a hacker-controlled website, which resulted in the attackers stealing the personal data of more than 400,000 customers.