Data Protection: 2021 is the Year with the Highest Fines to Date
The data protection authorities issued fines of almost 1 billion euro in the third quarter (July to September) 2021 alone - three times more than in all of 2020! In this article, we have summarised for you which breaches of the General Data Protection Regulation (GDPR) occured this year, who collected the highest fines and how companies can protect themselves against GDPR violations.
Legal Uncertainty Regarding Third Country Transfers
In July 2020, the European Court of Justice already declared the US Privacy Shield, which until then governed the transfer of data between the US and the European Union, to be null and void. This created a legal loophole that led to great uncertainty among companies - especially since the supervisory authorities increasingly put third-country transfers to the test in 2021.
One reason why the amounts of the fines went up so sharply in 2021 is certainly that the regulators increasingly targeted the big tech companies: Meta, for example, received two fines - for its social media platform Facebook and for the WhatsApp messenger service. TikTok also received a data protection fine, as did Amazon. In addition to the large corporations, smaller companies also received relatively high fines. We take a closer look at some of the most interesting cases here.
65.500 Euro GDPR Fine for Outdated Software
This case definitely represents one of the avoidable mistakes: A German company was ordered to pay a data protection fine of 65.500 euros in August 2021. The reason for it was the use of outdated software for the operation of the company website. According to media reports, the responsible data protection authority in the German federal state "Niedersachsen" received a report regarding a data protection incident. Upon closer inspection of the website, it turned out that the software had been out of date since 2014 and that the passwords were not adequately protected.
475.000 euro Fine for Booking.com for Late Reporting
In April 2021, the Dutch data protection authority fined Booking.com in the amount of 475,000 euro. The reason was that the travel platform only reported a data protection incident to the authorities after 22 days, instead of the legally required 72 hours. The incident happened back in December 2018 when several hotels accidentally disclosed account information to online fraudsters. The platform itself found out about this on January 13th 2019, but only reported the incident to the competent authority on February 7th 2019. This example shows well that even relatively "small" omissions, such as a delayed notification of a data protection incident, are punished with high penalties by the data protection authorities.
Data Protection Penalty Imposed on TikTok
Since 2020 TikTok has become an indispensable part of the social media world, and the video portal continues to enjoy increasing popularity, especially among the young target group of 14 to 20-year-olds. Unfortunately, the video portal seems to be sloppy when it comes to protecting the privacy of underage users. After an in-depth investigation, the Dutch data protection authority therefore imposed a fine of 750.000 euro. You can read the whole story in this article: Regulatory authorities are investigating possible infringements of data protection laws by TikTok.
7 Million Euro GDPR Fine for Facebook for Non-transparent Data Protection Regulations
Facebook receives a heavy GDPR penalty for the second time. The reason was that it is still not clear from the data protection provisions of the platform which personal data the company processes. Although Facebook adjusted its data protection provisions after the first penalty in 2018, the Italian data protection authority does not believe that this is sufficient. The result was another fine of 7 million euro. Facebook has already announced that it will contest the verdict.
A Total of 9.5 Million Euro from 28 Data Protection Fines for Vodafone
The telecommunications company Vodafone has been “collecting” data protection penalties across Europe in 2021. In Spain alone, the group was fined 8 million euro in February 2021. In Romania, Vodafone was required to pay 2.915 euro because of unauthorised access to customer data by employees. There have also been further fines from Germany, Ireland and Italy - a total of 28 fines against the mobile operator can be found in the German fines database dsgvo-portal.de for 2021.
The reason for the fines is mostly unauthorised access or the disclosure of customer data to sales partners, as well as inadmissible advertising calls, SMS and emails to customers, although these have been explicitly prohibited. The rights of customers have also been violated because their request to delete or correct data was not complied with.
9.5 Million Euro GDPR Fine against Österreichische Post AG
The Austrian post-office - Österreichische Post AG - received a hefty fine of 9.5 million euro in September 2021. The reason is a violation of Art 12 GDPR and Art 15 GDPR because the company did not allow any data protection inquiries by email. Inquiries could only be made by post, customer service and the contact form. Österreichische Post AG announced that it would initiate legal remedies against the decision of the data protection authority.
Inadmissible Video Surveillance? Notebooksbilliger Was Fined 10.4 Million Euro
The German company Notebooksbilliger is said to have monitored its employees by video for a period of at least two years without there being any legal basis for this. At least that is what the State Commissioner for Data Protection (LfD) Niedersachsen, Barbara Thiel, claimed and imposed a fine of a hefty 10.4 million euro in January 2021. Notebooksbilliger denies the allegations and has appealed against the fine. There are strict rules on the video surveillance of employees. It must always be checked whether a video recording is really necessary for the intended purpose or whether there are other options.
Lack of Transparency in Data Processing: 225 Million Euro Fine for WhatsApp
After Facebook, the Meta-subsidiary WhatsApp also got hit in 2021: The company was required to pay a fine of 225 million euro for a lack of transparency in the processing and disclosure of users’ personal data. As early as 2018, the Irish data protection authority had launched an investigation against WhatsApp, because here - as with the Facebook platform - the use of data is opaque. WhatsApp announced that it would appeal the verdict.
746 Million Euro - Record Fine for Amazon
A record that Amazon probably isn't happy about: In July 2021, the Luxembourg data protection authority CNPD (Commission Nationale pour la Protection des Données) imposed the highest fine in the history of the GDPR. Amazon is required to pay 746 million euro. The reason for this is said to be the online targeting used by Amazon. The company collects data on a large scale - both on its own pages and on third-party sites - and uses this for personalised advertising. Amazon does not want to accept the judgment and is appealing against the decision.
GDPR Penalties: A Risk for Every Company
These examples show very clearly that GDPR fines can impact any business - regardless of whether it’s a one-man/woman show or a large corporation - for a wide variety of reasons. The data protection authorities of the individual countries also continue to take violations of the General Data Protection Regulation very seriously. Regardless of whether you’re a freelancer or run a company: You should either have an (external or internal) employee who is always up to date on data protection regulations or you should regularly check the legal situation and your channels yourself.
Protected against GDPR Penalties as Well with Professional indemnity Insurance through exali:
There are always new legal decisions in the area of the General Data Protection Regulation (see the Privacy Shield decision mentioned above). So it is often difficult to keep track of things. With Professional Indemnity Insurance through exali, you are protected even in the event of data protection breaches, but also if a customer receives a GDPR fine or an official fine due to you and demands compensation from you for this. The insurer can even cover a fine imposed directly on you, provided this is permissible under the applicable national law.
Our customer advisors are happy to explain further details about Professional Indemnity Insurance and which insurance is the most suitable for your business. You can reach our customer service team by phone on +49 (0) 821 / 80 99 46 - 0 (Monday to Friday from 9:00 a.m. to 6:00 p.m.) or request a call-back through our contact form.