It has been a year since Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data came into force, attracting attention everywhere, mainly because of the potential sanctions it implies. One year on, it is time to assess whether the worries of many have come true or have proven to be an unsubstantiated bogeyman. Besides the amounts of the sanctions imposed, we will focus on the violations that led to the individual sanctions, as well as the attitudes of the European supervisory authorities when imposing them.
Let us begin with some official statistics[1]. 11 EEA member states have imposed sanctions, totalling EUR 55 955 871. As many as 31 EEA member states registered 94 622 complaints from individuals, 64 684 notifications of personal data breaches to the supervisory authorities[2] and 47 020 other findings, totalling 206 326 cases of violation of the Regulation.
Here are some interesting decisions[3]:
- Violation of the principles of integrity and confidentiality[4] (sanction of EUR 400 000)
At the request of the local association of physicians, the Portuguese personal data protection authority investigated the processing of personal data by one of the local hospitals. The inspection found an inadequate and insufficient system for managing the processes relating to patients' data. A total of 985 physician user accounts were active, even though only 296 physicians were employed at the time of the inspection. At the same time, the physicians had access to the personal data of the patients irrespective of their specialization. The decision is not yet effective.
- Failure to comply with the information duty[5] (sanction of PLN 943 000, i.e. EUR 220 000)
The Polish personal data protection authority imposed a fine on a controller that processed personal data obtained from publicly available sources for commercial and marketing purposes, as well as for checking the credibility of data subjects. The reason for the fine was its failure to comply with its information duty towards the data subjects, which deprived them of the opportunity to exercise their rights. It is also interesting to note that the controller had argued that sending e-mails (to those data subjects whose e-mail addresses it held) and publishing the information on its website constituted compliance with the information duty under Article 14 GDPR, claiming that sending written information to all the data subjects would require disproportionate effort. However, the authority did not accept that. Combined with the amount of the sanction, this has caused quite a stir among the public, as this is common practice in the field. The amount of the sanction was calculated on the basis of the annual turnover of the controller, as well as the fact that the controller had made no effort to prevent the violation of the provisions of the GDPR.