PrivacyAffairs.com, a website specialising in advice on privacy and data protection, has brought together the fines issued by regulators in various European countries under the General Data Protection Regulation (GDPR). The compilation reveals that 340 fines have been issued in total, with a combined value of €158,135,806 (£142,490,797).
All 28 EU member countries have now issued at least one fine under the GDPR, as has the United Kingdom. All EU member countries (as well as the UK under its transition agreement and Norway, Iceland, and Liechtenstein as members of the European Economic Area) are obliged to enforce the GDPR, although there is some leeway in how they interpret it.
France imposed the highest total fines of €51,100,000, although the vast majority of this relates to a €50m fine imposed on Google over concerns about transparency and how the company was processing data. Italy came second with a total of €39,452,000 in fines, followed by Germany with €26,492,925. In terms of the number of distinct fines, Spain is far ahead of the pack with 99 fines, followed by Hungary and Romania, with 32 and 29 fines respectively.
The UK Information Commissioner’s Office (ICO) has issued only seven fines so far, worth a total of €640,000, putting it outside the top 10 in both categories. This may seem odd given that the UK is one of the largest countries implementing the GDPR. It should be noted, though, that this excludes the eye-watering penalties of £183m and £99m that were announced for British Airways and the Marriott hotel group, respectively. These cases have been pushed back for now, and they may well be revised given that both firms have been severely impacted by the coronavirus pandemic.
The range of fines indicates the willingness of regulators to pursue organisations of various sizes. Hungary, for example, fined an ISP €288,000 for improperly and insecurely storing the personal data of its customers. Some individuals have also been issued substantial fines. For example, an Austrian football coach was fined €11,000 for secretly filming female players as they showered. In Spain, meanwhile, two individuals were given fines of €20,000 and €9,000 for subjecting their employees to illegal video surveillance. Another case in Austria highlights the importance of respecting people’s privacy when using CCTV systems, with someone being fined €2,200 for filming public areas around his or her home.
While the GDPR may initially seem like a bureaucratic burden, many businesses have come to appreciate the principles it embodies. For example, by ensuring that you are GDPR compliant, you can assure your customers and partners that you are treating their data with the respect it deserves. This in turn generates customer loyalty, which will be easier to maintain once you’ve instilled a culture of best practices in your organisation. With our managed IT support services at Pro-Networks, we can help you comply with the GDPR and standards like Cyber Essentials and ISO 27001 by introducing your staff to them in an educated and regulated manner.