The issue became public after a technical error: the data on the company’s network drive was accessible to everyone in the company for a few hours, and the press picked up the news, making the Commissioner aware of the violation.

What Ever Happened to the Proposed GDPR Fines Against Marriott, British Airways?

By the end of 2020, Italy had issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties, leaving Germany, France, and the UK behind. Google was fined by the French regulator for failing to make its consumer data processing statements easily accessible to users and for employing obscure language. The following statistics show how many fines, and what total sum of fines, have been imposed per month so far.

Italy – Eni Gas and Luce (EGL) – €3,000,000

Such infringements can cost up to 20 million Euros or 4% of the company’s global revenue, whichever is higher. Marriott International exposed itself to the cyber-attack after its acquisition of the Starwood hotels group. According to the ICO, the incident is believed to have started in June 2018, and different categories of personal information were compromised as a result of negligent arrangements at the company.
Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. On 21 January 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million. The penalty was handed out as a result of the company failing to establish adequate technical and organizational measures to safeguard consumer information in its call center environments.

Marriott International Hotels – 110.3m Euros

Note: Only fines with valid information on the amount of the fine and on the type of violation are taken into account.

GDPR six months in – the story so far.

Lesson 1: Expect more GDPR fines in 2019

The Polish data protection agency, known as the UODO, only issued its first GDPR fine on March 26, a €220,000 fine to an unnamed firm. The activities involved: improper management of consent lists, excessive data retention, data breaches, lack of proper consent, and violation of GDPR rights. European data regulators have now issued fines totalling €114m (£97m) under GDPR, but there are far more to come, according to a report published today.
“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines, and some regulators have already said they will do so.” In July 2019, the ICO announced its intent to fine Marriott International more than £99 million for infringements of the GDPR.

GDPR: The 6 Biggest Fines Enforced by Regulators So Far

However, about 30% of companies in the EU are yet to comply with GDPR, more than a year after this law came into effect. November 26, 2018. According to the BfDI, the fine was enforced after it was discovered that callers to the firm’s call center could retrieve consumer data simply by providing their name and date of birth. So far the ICO has issued no fines under the GDPR, apart from the punitive fines under the Data Protection Act 2018 for failure to pay the data protection fee. Fines are paid into the Treasury’s Consolidated Fund and are not kept by … Investigators established that the Austrian Post had reviewed consumer information to determine which political party individuals might support, and had traded that data. January 15, 2020, was a critical day for Italian telecommunications operator TIM. The three most notable GDPR fines so far have been: the ICO fining British Airways £183.39m; the ICO fining Marriott International £99m; and the French data protection authority (DPA), CNIL, fining Google €50 million.

GDPR: 160,000 breaches Reported & €114m Fines Applied so far.

Since we don’t want to repeat ourselves (too much), you can read more about GDPR fines in general in our glossary. The fine related to the cyber-attack in which over 339 million guest records containing personal data were exposed.
Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide … What remains to be seen is whether other data protection authorities will follow. Even in cases where there was a clear breach, penalties were relatively small (the vast majority staying under EUR 1 million), … The headline GDPR fine so far has been the €50 million fine by the French DPA (CNIL) against Google for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements. ... More recently we have seen other EU Member States issue GDPR fines, emphasising the coming influx of GDPR penalties as the agencies become more familiar … For their part, authorities have also shown their commitment to upholding the GDPR, with some of the biggest companies receiving hefty fines for their data protection violations. Through this dubious site, data belonging to around 500,000 consumers was harvested by the hackers. Furthermore, this regulation has a wide reach, even outside of the European Union.

British Airways – €22,000,000

Fine against Carrefour Group (Carrefour France and Carrefour Banque) in the amount of EUR 3 million due to several GDPR breaches. Additionally, it should also have done more to safeguard its systems. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures. The Spanish data protection agency, AEPD, fined the country's top football division, La Liga, €250,000 (£215,000) for spying on people who had downloaded its app.

What can we learn from the GDPR fines so far?
We suspect the fine would have been far higher than £500,000 and would have been a wake-up call for other businesses processing large amounts of data in a similar position to Equifax. After more than a year, the ICO investigation has finally concluded: the fine was reduced from a massive £99 million to £18.4 million. The personal information included name, surname or company name; tax code or VAT number; telephone line; address; and contact details. What was announced as the biggest GDPR fine ever set in the UK ended up being reduced to £20 million, in light of the COVID-19 pandemic and its effect on the airline industry. At the beginning of December 2019, 1&1 Telecommunications was fined 9.5 million Euros by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI). It is only a matter of time, however, before the first fines under the GDPR are issued. In those few months, the British Airways website diverted users’ traffic to a hacker website, which resulted in hackers stealing the personal data of more than 400,000 customers.

The Biggest GDPR Fines So Far

British Airways (204.6M Euros)

The UK’s Information Commissioner’s Office (ICO) announced its plan to fine the airline after users of British Airways’ website were diverted to a fraudulent site. Most of this amount comes from a single sanction: the massive €50 million fine imposed on Google by the French data protection authority. To be fair, Germany had two multimillion fines topping a little over €24 million in total (the €9.55 million GDPR fine for 1&1 Telecom and the €14.5 million GDPR fine for Deutsche Wohnen SE).

January 20, 2020, 10:29, by Lucy Ingham

This is despite some 160,000 violations having been reported to the data protection authorities. A few million individuals were affected by the company’s aggressive marketing strategy.
This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.” The company had inadequate security mechanisms to prevent such cyber-attacks from happening. The case is quite interesting, since the company collected sensitive personal data about its employees through whispering campaigns, gossip, and other sources to create employee profiles, and used that data in the employment process. The GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.

Certification: GDPR regulators also examine whether the affected company adhered to the statutory codes of conduct or is qualified under appropriate certifications.
Other: In some instances, authorities may apply relevant criteria apart from the ones listed above, such as the financial impact the company experienced as a result of the violation.

The hack exposed sensitive personal information including credit card details, passport numbers, and dates of birth belonging to over 300 million clients, of which 30 million were EU residents. If the ICO investigates breaches of the GDPR on similar levels to those of Facebook and Equifax, we can certainly anticipate significantly higher fines than the current record fines. However, not all GDPR infringements lead to data protection fines. The company was fined for violating Article 25 and Article 5 of the GDPR, whereby the company lacked legitimate reasons to hold sensitive consumer data longer than necessary. In October 2018 the ICO issued its first GDPR enforcement action by way of a notice to a Canadian data analytics company, AggregateIQ Data Services Ltd, as part of its ongoing investigation into the company’s use of personal … By …

GDPR fines in other parts of Europe

Germany’s regulator has been the most active since GDPR was introduced, issuing over 60 fines.
In its penalty notice, the ICO explains the reasons behind the decision, taking into account a range of mitigating factors and the impact of the Covid-19 pandemic. GDPR, which is in force across the 28 Member States of the European Union, as well as Norway, Iceland and … The ICO stated, in their penalty notice to … The German court’s decision to drastically reduce the GDPR fine is noteworthy from a legal and compliance standpoint, as it establishes some interesting precedents.

DLA Piper: GDPR data breach survey January 2020. €14.5 million GDPR fine to Deutsche Wohnen SE. Italian DPA issued a €12.25 million GDPR fine to Vodafone for aggressive telemarketing.

At the beginning of 2019, the Austrian Data Protection Authority announced that it had enforced a fine on the country’s Post for illegally selling consumer data in violation of GDPR requirements.
In another GDPR penalty involving a British firm, the Information Commissioner’s Office (ICO) fined Marriott, the international hotel chain, after a hack dating back to 2014 was discovered at the tail end of 2018. An important takeaway from the recent ICO decision to reduce the fine for British Airways is that regulators are adjusting to the special circumstances of the current global situation. According to the ICO’s official statement, “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. Lower-level GDPR fines are enforced as a result of either a data breach or the failure to implement a Data Protection Impact Assessment (DPIA). In October 2019, the largest GDPR fine was issued against a real estate company, Deutsche Wohnen SE, by the Berlin Commissioner for Data Protection and Freedom of Information. These cases have sent a strong message to companies about the importance of protecting personal data from breaches (British Airways and Marriott International), and … The personal data included medical records, including diagnoses and symptoms of illness, as well as private details about vacations and family affairs. After the General Data Protection Regulation (GDPR) came into effect in May 2018, companies operating in the EU were required to change their data processing practices or face the possibility of heavy fines for non-compliance. Whether an infringement was proactively reported is another core criterion used in the determination of a GDPR fine. In fact, annual sales reached $110 billion for the company. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
We recommend you read the entire article that explains violations in detail. In July 2019, the ICO initially announced its intention to fine British Airways €204.6 million (£183.39 million) for violation of Article 31 of the GDPR. The severity of the fine was compounded by the firm’s track record, as Deutsche Wohnen SE had already faced compliance issues in 2017. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Similarly, the Facebook breach occurred before 25 May 2018, and so Facebook also escaped the new fining regime. The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million (or $41.5 million) fine to Swedish retail conglomerate Hennes & Mauritz (H&M) for violation of the General Data Protection Regulation (GDPR). Following the first major GDPR-related financial penalty against internet giant Google, the world seems to have been waiting with bated breath for the next major fine to dwarf the €50 million (U.S. $56.3 million) France’s data regulator meted out in January. Penalties under the GDPR fall into two broad categories: companies can incur fines of up to 10 million Euros or 2% of the previous year’s global revenue, whichever value is greater, for such violations. There are also some GDPR fines (7 in total) where the amounts were not made public, so we cannot include them. Additionally, Google was found not to have sought consent from consumers to use their data for its ad targeting campaigns, which is illegal under the GDPR.

Do you have to appoint a Data Protection Officer?
The affected data included login and travel booking details, names, addresses, as well as credit card information including card numbers, expiry dates, and the three-digit CVV code. On January 15th, 2020, telecommunications operator TIM was fined €27.8 million for unlawful data processing, a non-compliant aggressive marketing strategy, and invalid collection of consents, the steepest penalty in Italy.

Wind Tre S.p.A.

The report continues with the highest GDPR fines among EU member states, with France, Austria, and Germany as the leading countries that issued the biggest GDPR fines so far, but mostly with one big penalty each. Despite being the biggest GDPR fines so far, in both cases the fines were not the full amount that could have been issued by the Information Commissioner’s Office (ICO). The fine was therefore issued on account of a lack of transparency about how the data were harvested from data subjects and used for ad targeting. Under GDPR, fines imposed following a data breach can be up to 4% of the company’s annual global revenue or £17 … In 2020, Marriott suffered another data breach, this time affecting 5.2 million individuals. For example, Google's parent company Alphabet posted its first $100 billion (£79 billion) year in 2017. The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”
The incident occurred in July 2018 but was only discovered in September 2018.

Sweden: Reduction of fine against Google LLC – fine reduced by the Stockholm Administrative Court to EUR 5 million.

After investigations were concluded, the ICO found that Marriott failed to perform adequate due diligence when it bought Starwood.

They include:
Type of violation: authorities examine aspects such as the number of affected parties, the level of damage, and the duration of the infringement.
Intention: in this case, investigators assess whether the violation was purposeful or an outcome of unpreparedness.
Mitigation: this aspect focuses on the measures adopted to minimize the damage caused to data subjects.
Preventive measures: this context involves an evaluation of the preparedness of the affected organization to avoid GDPR violations.
Track record: a company’s history when it comes to both the EU Directive and the GDPR is examined.
Cooperation: authorities consider the degree of cooperation exhibited by the affected company in remediating the infringement.
Data type: another crucial consideration in the determination of a GDPR fine is the kind of personal information involved in a violation.

Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.
This is the up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, indicating a lot of activity from data protection authorities. The doomsday predictions made ahead of the General Data Protection Regulation’s (GDPR) implementation have not come to pass. It is not yet clear in what circumstances maximum fines will be handed down, but the financial ramifications could be significant. Before examining the fines in detail, it is important to provide context on how GDPR penalties work. The regulation states explicitly that some violations are more severe than others. There are ten crucial factors used to determine the severity of a GDPR fine. Are the GDPR fines working in practice? Since the report, the numbers have gone up. The total amount of issued GDPR fines does not really follow those numbers. Interestingly, both the smallest and the biggest fine to date were issued to Google. The Italian data protection authority (Garante) imposed two fines totaling €11.5 million on Eni Gas and Luce. Marriott commented on the decision on its official website, stating: “Marriott deeply regrets the incident …