The first GDPR fines are here: millions of euros for inadequate explanation


At the end of May, already a year passes from the entry into force of the General Data Protection Regulation (GDPR) and although the Estonian Data Protection Inspectorate has been rather modest, over 90 fines have been imposed across Europe. Among them, Great Britain, France, and Germany stand out most actively.

Therefore, Estonian businesses reaching out to Europe should pay close attention.

The fines reach up to hundreds of thousands of euros. A considerable part of the fines have been imposed due to insufficient security, illegal direct marketing or leaving the data subjects unnotified. Here are some examples of the practices of different countries:

• A Portuguese hospital was fined with 400 000 EUR since the staff got unauthorized access to patients data using false accounts.

• An Austrian company was fined with 4800 EUR for filming public space without a notification.

• A German social media service was fined with 20 000 EUR since the passwords of their users were kept in plain text. The fine is rather small since the company notified the data protection agency and the customers fast and were very co-operative.

• In France, Google was fined 50 million euros. It is the biggest GDPR fine today. The fine was imposed since the company’s data consent policies are not easily accessible or transparent.

• A Norwegian school was warned about a fine of 1,6 million Norwegian kroner since the usernames and passwords of more than 35 000 pupils and teachers were not secured enough.

• In Poland, a digital marketing company Bisnode was fined with 220 000 EUR since they did not provide information on personal data processing.

• In Denmark, a fine of 160 000 EUR was imposed on a taxi company, since they did not erase the phone numbers of their clients. Even though the names were deleted after two years, it was not enough. The phone number separately is also considered personal data that needs to be erased if needed.

Taking into account that many fines were imposed due to insufficient security, we advise to pseudonymize or encrypt personal data together with the application of general information security standards. This is also foreseen in GDPR but the necessary technical level is up to the companies to assess considering the personal data they process.

In general, fines are calculated taking into account the number of persons affected by the infringement, the purpose of the processing, the damage caused to the persons involved and the duration of the infringement. Based on current practice, the amount of fine is also determined by the company’s willingness to cooperate and the initiative to repair the damage.