On 25 May 2020, two years will have elapsed since the GDPR entered into force. Although it is not known whether the Office for Personal Data Protection of the Slovak Republic has imposed any significant fines on data controllers for breaches of their GDPR duties in the past two years, the situation in other EEA countries is different. Below please find an overview of the decisions taken by the data protection authorities within the EEA during the last year. Our goal is not to scare you with heavy fines, but to point out the most serious mistakes in the individual cases.
Official statistics show that the amount of fines imposed within the EEA last year reached EUR 5,194,936,030 on the back of 1,973 complaints.
First court decision ever applying the GDPR
The French court TRIBUNAL ADMINISTRATIF DE MARSEILLE was the first court within the EEA to issue a decision applying the GDPR. With this decision, the court annulled the decision of the French region of Provence-Alpes-Côte d’Azur (PACA) on the introduction of a pilot system based on facial recognition at the gates of two secondary schools in Nice and Marseille. The system was intended to cover only those students and employees of these two secondary schools who had given their prior consent to the processing of their personal data in connection with this experimental system.
The purpose of the PACA region’s pilot of the facial recognition system was to assist the school employees who controlled the entry of students and staff, in order to prevent the misuse or theft of student identities and the unwanted movement of unidentified visitors within the schools.
In its ruling, the Court, like the French Data Protection Authority, stated that the facial recognition system interferes unduly and deeply with privacy and fundamental human rights and freedoms, in particular those of minors, the students of the two schools. The Court further stated that the intended purpose could be achieved by measures that infringe less on the privacy of individuals, for example by checking the badges/identification cards of the persons inspected. Both the court and the competent supervisory authority found that the face recognition system was contrary to the principles of proportionality and data minimisation, two of the fundamental principles of the GDPR.
Decisions taken by the EEA data protection authorities
Among the large number of decisions issued by supervisory authorities within the EEA, below please find an overview of the most interesting ones:
- Insufficient legal basis for processing of personal data – employee fingerprints (fine EUR 725,000)
The Dutch data protection authority imposed a fine on a Dutch company for the unlawful processing of the fingerprints of its employees to register their attendance at work. Under the GDPR, biometric data (for example, fingerprints) processed for the purpose of uniquely identifying a natural person are considered a special category of personal data. Although the GDPR provides for a general ban on the processing of the special categories of personal data, it also contains a catalogue of exceptions under which such data may be processed. The processing of fingerprints, for example, is permissible only if the data subject has given explicit consent or the specific situation is covered by one of the other exceptions listed in Article 9(2) of the GDPR. In this particular case, the Dutch authority stated that the employees of the company had not given their explicit consent (during the audit, a number of employees mentioned that the scanning of fingerprints had been presented to them as an obligation) and that no other legal ground for an exception applied, either under Article 9(2) of the GDPR or under Dutch data protection legislation. For this reason, the Dutch data protection authority considered the conduct unlawful and contrary to the GDPR.
- Insufficient fulfilment of the data subject´s rights – request for deletion (fine EUR 7,000,000)
The Swedish data protection authority imposed a fine on Google LLC for failure to comply with the GDPR requirements concerning the right of data subjects to have search results removed from the list of results. This right is based not only on the GDPR, but also on the judgment of the Court of Justice of the European Union according to which a data subject may request a search engine operator to remove from the list of results displayed for the individual’s name those records which are inaccurate, irrelevant or excessive.
The Swedish authority carried out an inspection of Google LLC in 2017 and ordered the company to remove certain search result listings. On re-inspection in 2018, the authority found that Google LLC had not fully complied with the measures ordered. The authority also pointed out the practice of Google LLC of informing website owners which search results had been removed from the search engine and who was behind the delisting request. Google LLC had no sufficient legal basis for this practice.
- Insufficient legal basis for the processing of personal data - sending of commercial information (fine EUR 27,800,000)
Between January 2017 and the end of 2019, the Italian data protection authority received repeated complaints from data subjects that a telecommunications operator was sending them unsolicited commercial information. Following these complaints, the authority performed an audit of the operator and identified the following irregularities:
(i) information on the processing of personal data was incorrect and non-transparent;
(ii) the consent to personal data processing given by a data subject to the telecom operator for one specific purpose was used as a legal basis for various other purposes;
(iii) personal data were kept longer than actually necessary;
(iv) the operator was also sending marketing information to data subjects who had withdrawn their consent to the processing of personal data for marketing purposes;
(v) lack of appropriate security measures to protect personal data.
- Insufficient legal basis for processing of personal data (fine EUR 18,000,000)
The Austrian data protection authority imposed a fine of EUR 18 million on Austrian Post for extensive breaches of its data processing duties under the GDPR. Austrian Post had created profiles of more than three million Austrians which included information about their name, age, home address, personal preferences and political affinity. Austrian Post subsequently provided this personal data to political parties running for election and also to companies. The data subjects had no knowledge of this practice. Since the GDPR provides no legal basis for such conduct, Austrian Post was fined for the unlawful practice.
- Insufficient technical and organisational measures to ensure information security – cyber-attack (fine EUR 204,600,000)
British Airways is facing a fine of £183 million (EUR 204.4 million) for breaches of personal data protection. This is the highest fine ever imposed in connection with a breach of the GDPR. However, the decision on the fine has not yet entered into force. In September 2018, British Airways notified the British data protection authority (ICO) that the airline’s websites had been hacked and that the attackers had stolen the payment card data of thousands of its customers. The attackers set up a fraudulent website to which they diverted British Airways customers in order to harvest their data. The ICO’s investigation found that, due to poor security of the company’s systems, the attackers got hold of a large quantity of personal data (from 500,000 customers), specifically: names, log-in names, addresses, information on purchased air tickets and payment card information. The fine was imposed on the controller for its failure to adopt appropriate technical and organisational measures to ensure the protection of its customers’ personal data.
- Insufficient technical and organisational measures to ensure information security – cyber-attack (fine EUR 110,390,200)
Along similar lines to British Airways, Marriott International Inc. had also failed to adopt appropriate technical and organisational measures to protect the personal data of its customers. A cyber incident in November 2018 exposed a large quantity of personal data of the hotel chain’s customers. For this breach of the GDPR, the British data protection authority imposed a heavy fine on the company; the decision is not yet in force.
- Insufficient legal basis for processing of personal data - sending of commercial information (fine EUR 195,407)
According to the findings of the Berlin data protection commissioner, Delivery Hero Germany had not deleted the personal data of its former customers. Some of these customers had ordered the company’s services several years earlier; one case involved a customer from 2008. The office performed an audit after eight former customers had complained about receiving unsolicited advertising e-mails from the company. One data subject, who had expressly objected to the processing of his/her personal data for advertising purposes, received a further 15 advertising e-mails from the company. The audit concluded that the company had also not provided data subjects with the information required under the GDPR.
Viktória Poliaková, Zuzana Krajčovičová
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”)
European Economic Area