Please ensure Javascript is enabled for purposes of website accessibility

Summer 2020: the largest fines for non-compliance with the GDPR

In this article, we are going to list the largest fines for non-compliance with the GDPR that were imposed during the period from June to August 2020.

August 2020

France - SPARTOO - 250,000 euro
CNIL (the French data protection authority) fined SPARTOO for 250,000 euro
The online shop violated several GDPR Articles, including the following:
a) the principle of data minimization (by fully recording calls by representatives of customer support and collecting an overly big amount of information in several redundant formats);
b) the obligation to limit the retention of data (by permanently storing conversation recordings, retention of data about potential leads during 5 years instead of 2 years and storing pseudo-anonymous and not anonymous e-mails and passwords for more than 5 years);
c) the obligation of providing people with information (by stating that a “consent” was the reason for data collection while not informing the employees about the kind of information they were gathering and why they did it);
d) the obligation to protect the data (by not requiring reliable passwords and saving not encrypted scans of bank cards).

July 2020

Denmark - Arp-Hansen Hotel Group A / S - 147,675 euro (1,100,000 Danish krones)
Denmark’s Data Protection Authority fined Arp-Hansen Hotel Group for 1,100,000 Danish krones (approximately 147,675 euro) because Arp-Hansen Hotel Group kept personal data of over 500,000 persons, while these data profiles should have been deleted in accordance with the GDPR. There was no information about a data leakage but a mere fact of company’s storing the data caused the DPA to recommend imposing this sizable fine.

Belgium - Google - 600,000 euro
Belgium’s Data Protection Authority fined Google for 600,000 euro because Google did not respect the right to be forgotten – Google dismissed a request by a citizen of Belgium to delete obsolete and negative data from search results. Google maintained that the data controller was Google LLC in the USA and not Google Belgium therefore the complaint was addressed to a wrong corporate person and, thus, must be dismissed. The DPA ruled that these two organizations act as a unified corporate person and, therefore, the complaint was justified.

Italy - Iliad Italia - 800,000 euro
The Garante Italian Data Protection Authority fined the Iliad mobile operator for 800,000 for improperly recording payment information and processing personal data when SIM Cards were activated as well as for violating the requirements regarding proper storage, processing and use of personal data, including the telephone telematic data. An interesting aspect of the irregularities identified in the course of SIM Card activation was the fact that Iliad used cameras that could capture images of passing-by people and not only of the person performing the transaction.

Italy - Wind Tre - 16,729,600 euro
The Garante Italian Data Protection Authority fined Wind Tre, another mobile operator, for 16.7 million euro. Its violations included the use of personal data without consent of the data subject and the creation of complicated and burdensome interfaces for the users to grant their consents, including the availability of a large number of emails, some of which did not exist, while the others could have been provided only for certain data. Aside from that, Wind used aggressive methods of direct marketing violating the GDPR and, in effect, was subject to hundreds of complaints in this respect. Besides, Wind Tre did not have proper contracts with partners and did not perform due diligence of these partners. (See the article about Merlini for a notable example.) The DPA stated that, at least, some of the violations committed by Wind Tre were not accidental but rather deliberate violations.

Italy - Merlini - 200,000 euro
The Italian DPA fined Merlini for 200 thousand euro. As a subcontractor, Wind Tre Merlini managed a call center that attracted new clients to Wind Tre. It was discovered that Merlini does not have a sufficient justification for the processing of personal data and sufficient contract relations with Wind Tre.

The Netherlands - Krediet Registration Bureau - 830,000 euro
The Dutch Data Protection Authority (DPA) fined the Dutch Credit Registration Bureau (BKR) for 830,000 euro for the fact that data subjects (meaning natural persons) overly complicated access to their information making it too difficult and made difficult its deletion. The BKR required making a written request accompanied by a copy of the passport that may be submitted only once a year and, even in this case, the response would be provided “during 28 days.” A paid subscription was required to receive the answer faster. The DPA considered these restrictions unjustified.

Italy - UniCredit - 600,000 euro
The Garante Italian Data Protection Authority fined the bank for 600,000 euro for several violations committed before GDPR entered into effect. The violations committed during the period from April 2016 to July 2017 affected over 700,000 clients. The bank notified the violation to the Authority in July 2017. Employees of the bank’s commercial partner had access to personal and confidential information about the bank clients. This information included personal and contact details, profession, level of education, details of the identification document as well as information concerning the employer, the salary, the amount of loan, the payment status, the “approximate client’s credit rating” and their IBAN code.
It is interesting to note that Garante justified the amount of fine as follows. “When setting the amount of fine at 600,000 euro, the Authority took into consideration several elements. These elements included the fact that the violations were committed against a significant number of people and the fact that the bank, which was not subject to Garante sanctions before, after the data leakage, implemented various measures and initiatives aimed at the strengthening of its IT systems.”

June 2020

Germany - AOK Baden-Württemberg - 1,240,000 euro
The Data Protection Authority (DPA) of the Baden-Württemberg Land fined the AOK Baden-Württemberg medical insurance organization for 1,240,000 euro. The DPA established the fact that AOK sent marketing messages to 500 persons without their consent as well as for the reason of not taking sufficient measures to safeguard personal data.