Tag: Fine
6. November 2019
On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million euros against the real estate company Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).
During on-site inspections in June 2017 and March 2019, the supervisory authority determined that the company used an archive system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. In individual cases, private data of the tenants concerned could therefore be viewed, even though some of them were years old and no longer served the purpose of their original survey. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.
After the commissioner had made the urgent recommendation to change the archive system in the first test date of 2017, the company was unable to demonstrate either a cleansing of its database nor legal reasons for the continued storage in March 2019, more than one and a half years after the first test date and nine months after the GDPR came into force. Although the enterprise had made preparations for the removal of the found grievances, nevertheless these measures did not lead to a legal state with the storage of personal data. Therefore the imposition of a fine was compelling because of a violation of article 25 Abs. 1 GDPR as well as article 5 GDPR for the period between May 2018 and March 2019.
The starting point for the calculation of fines is, among other things, the previous year’s worldwide sales of the affected companies. According to its annual report for 2018, the annual turnover of Deutsche Wohnen SE exceeded one billion euros. For this reason, the legally prescribed framework for the assessment of fines for the established data protection violation amounted to approximately 28 million euros.
For the concrete determination of the amount of the fine, the commissioner used the legal criteria, taking into account all burdening and relieving aspects. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time had a particularly negative effect. However, the fact that the company had taken initial measures to remedy the illegal situation and had cooperated well with the supervisory authority in formal terms was taken into account as a mitigating factor. Also with regard to the fact that the company was not able to prove any abusive access to the data stored, a fine in the middle range of the prescribed fine framework was appropriate.
In addition to sanctioning this violation, the commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.
The decision on the fine has not yet become final. Deutsche Wohnen SE can lodge an appeal against this decision.
24. October 2019
In a press release, the German Conference of Data Protection Authorities (Datenschutzkonferenz, “DSK”) announced that it is currently developing a concept for the setting of fines in the event of breaches of the GDPR by companies. The goal is to guarantee a systematic, transparent and comprehensible fine calculation.
The DSK clarifies that this concept has not yet been adopted, but is still in draft stage and will be further worked on. At present it is practiced accompanying with current fine proceedings in order to test it for its practical suitability and aiming accuracy. However, the concrete decisions are nevertheless based on Art. 83 GDPR.
Art. 70 Para. 1 lit. k of the GDPR demands a harmonization of the fine setting within Europe. Therefore guidelines shall be elaborated. For this reason, the DSK draft will be brought into line with the concepts of other EU member states.
Also, at European level a European concept is currently being negotiated. This concept should then be laid down in a guideline, at least in principle. The DSK has also contributed its considerations on the assessment.
The fine concept will be discussed further on 6th and 7th November. After prior examination, a decision will be taken on whether the concept on the setting of fines shall be published.
23. August 2019
The Swedish Data Protection Authority “datainspektionen” imposed its first fine since the General Data Protection Regulation (GDPR) has entered into force.
Affected is a high school in Skelleftea in the north of Sweden. In the school, 22 pupils were part of a pilot programme to monitor attendance times using facial recognition.
In January 2019, the IT company Tieto announced that it was testing the presence of students at the school with tags, spartphone apps and facial recognition software for automatic registration of students. In Sweden, it is mandatory for teachers to report the presence of all students in each lesson to the supervisors. According to Tieto, teachers at the school in Skelleftea spend around 18,000 hours a year on this registration. Therefore, a class was selected for the pilot project to test the registration for eight weeks using facial recognition. Parents and students were asked to give their consent.
However, the Swedish data protection authority has now said that the way in which consent was obtained violates the GDPR because of the clear imbalance between controller and data subject. Additionally the school failed to conduct an impact assessment including seeking prior consultation with datainspektionen.
Therefore, the DPA imposed a fine of SEK 200.000 (approximately EUR 20.000). In Sweden, public authorities can be fined up to SEK 20.000.000 (approximately EUR 1.000.000).
29. March 2019
The President of the Polish Supervisory Authority (Personal Data Protection Office, UODO) imposed the first fine for the amount of PLN 943,000, which is around € 220,000.
A Warsaw-based company received this fine for not being compliant with GDPR, particularly for failure to meet the information obligation of Article 14. The fined company commercially processes data from more than six million entrepreneurs, which it obtained from publicly available sources, such as the Central Electronic Register and Information on Economic Activity (CEIDG). The company’s database is often used by banks to verify the creditworthiness of the data subjects. According to the Polish Authority, the company did not provide the data subjects with the information requested in Art. 14 para 1-3 GDPR (e.g. the source of their data, the purpose of the data processing, the data subject’s rights under GDPR), hence the data subjects had no possibility to object to further processing of their data or to request their rectification or erasure.
Out of the six million data subjects only 90 000 were informed by the company via e-mail (more than 12 000 of them objected to the processing of their data). For the remaining subjects (whose e-mails were unknown) the company only presented the information clause on its website and therefore failed to comply with Art. 14 GDPR.
“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, said Dr Edyta Bielak-Jomaa, President of UODO. The company claimed that information by registered mail would be associated with disproportionate costs and thus relies on the vaguely worded exception of Art. 14 (5) GDPR, which states that the provision of such information proves impossible or would involve a disproportionate effort. The supervisory authority however, finds this explanation insufficient as they could have called the data subjects or inform them by regular mail.
7. January 2019
The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.
BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.
In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.
Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.
Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.
As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.
24. October 2018
The Portuguese data protection supervisory authority CNPD (Comissão Nacional de Protecção de Dados) recently announced that the hospital Barreiro Montijo is to pay a fine of 400,000€ for incompliancy with the EU General Data Protection Regulation (GDPR). This is the first time that a high fine has been imposed in Europe based on the new GDPR framework of fines.
According to Portuguese newspaper Público, the hospital has violated the GDPR by allowing too many users to have access to patient data in the hospital’s patient management system, even though they should only have been visible to medical doctors. In addition, too many profiles of physicians have been created in the hospital system. The CNPD discovered that 985 users with the access rights of a medical doctor were registered, although only 296 physicians were employed in 2018.
The hospital now wants to take legal action against the fine.
23. May 2017
According to an European Commission Press release from the 18 May 2017, Facebook was fined €110 million by the Commission for providing misleading information about the takeover of WhatsApp.
Facebook acquired WhatsApp in 2014. Back then Facebook informed the European Commission that it would not be able to establish reliable automated matching between the users of Facebook and WhatsApp. Two years later, in August 2016, Facebook announced an update to its terms of service and privacy policy. The update included the possibility to link phone numbers of WhatsApp users with their respective Facebook accounts.
According to the Press release and contrary to the statement given by Facebook during the merger process 2014, the Commission has found that the possibility of automated linking of Facebook and WhatsApp users already existed in 2014.
Commissioner Margrethe Vestager, who is in charge of the competition policy, said: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information.”
It is the first time that the European Commission has imposed a fine on a company for the provision of misleading information since the Merger Regulation came into force in 2004.
7. June 2016
The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.
After the judgment declaring the former Safe Harbor Framework by the European Commission invalid in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).
However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:
Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)
As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.
