GDPR Fines So Far

GDPR fines are now a fact. Even though the Data Protection Authorities were very generous with the “probation period” for implementing the GDPR requirements and waited far too long before starting to impose fines, the time has finally come.

In this short article we are going to take a look at the fines imposed across Europe so far.

  1. British Airways (£183.39m)

The UK ICO announced that British Airways will be fined £183.39m, the biggest fine so far, at the start of July for a 2018 breach impacting around 500,000 customers, including the customers' payment details. The fine, which represented 1.5% of the company’s global annual revenue, was the first issued under GDPR in the country. Still, 1.5% of the global turnover is far from the 4%.

  1. Marriott International (£99.2m)

Just a week after the British Airways fine, the UK ICO issued a £99.2m fine to Marriott International for a data breach impacting around 330 million hotel guests of its subsidiary Starwood. The fine also represented 1.5% of its global annual revenue.

  1. Google (£44m)

Google has been probed in many European countries for poor data protection practices; however, the first to issue a fine against the internet giant was the French Data Protection Authority. In January the French National Data Protection Commission (CNIL) issued Google a fine of €50m (£44m) for failing to provide adequate transparency or acquire valid consent for its ad personalisation. Despite being relatively low compared to the search engine giant’s revenue, it represented the first major fine by a GDPR regulator.

  1. Haga Hospital (£423,000)

The Dutch Data Protection Authority imposed its first GDPR fine of EUR 460,000 on Haga Hospital in The Hague on 18 June 2019. The hospital was found in breach of GDPR by not sufficiently securing its medical log files. Approximately 85 hospital employees had unnecessary access to a specific medical file belonging to a famous Dutch reality star whose hospital admittance received a lot of media attention in the Netherlands in 2018.

  1. Centro Hospitalar Barreiro Montijo (£364,000)

In April the Portuguese Data Protection Authority issued a €400,000 (£364,000) fine to the Centro Hospitalar Barreiro Montijo, a hospital in the country, for poor data handling practices, including allowing unreasonable numbers of users indiscriminate access to patients’ personal data and failing to follow basic data processing practices.

  1. Bisnode (£200,000)

The Polish data protection authority, the Personal Data Protection Office (UODO), issued its first fine, also in April, to digital marketing company Bisnode. The company was slapped with a €220,000 (£200,000) fine for failing to contact close to six million