Days after European Data Protection Supervisor Giovanni Buttarelli told Reuters: “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum”, Judgement Day has come with the first victim of GDPR. And considering all the talks of fines in the millions you’d be expecting this to be some major corporation, but no. The Austrian Data Protection Authority (DSB) has issued the first fine for non-compliance with the GDPR against an entrepreneur.
This decision by the regulator is very interesting as the Austrian Data Protection Act states that the DSB will at first exercise only remedial powers (like issuing reprimands) for first-time infringers.
So, what’s the violation you may ask? The entrepreneur had installed a CCTV camera in front of his business establishment, but the camera also recorded a good part of the sidewalk. The DSB considers this as large-scale monitoring of public spaces, which is not permitted according to the GDPR. The camera was also not properly marked as conducting video surveillance which in turn means that the transparency obligations imposed by the Regulations weren’t fulfilled.
The amount of the fine, however, was quite reasonable – 4,800 EUR. The reason for this is the aim of the DSB to keep fines proportionate, saying that, for example, a controller with an annual income of 40,000 EUR is unlikely to receive a 20 million EUR fine.
While this is the first and rather anticlimactic instance of a company being in the news in violation of GDPR it will definitely not be the last.
So stay informed and be compliant!