GDPR Fines List and News July 2019 - Nov 2019

UniConsent


    Updated on 22 Nov 2019


    More than a year has passed since GDPR was implemented. What have we learned over this past year? What is happening in the privacy compliance industry?

    GDPR fines list including UK, Spain, Lithuania, Poland, Denmark, Portugal, Germany.

    "2019 is the year of enforcement": GDPR fines have begun

    UK: Marriott to be fined nearly £100m over GDPR breach

    "ICO imposes fine after personal data of 339 million guests was stolen by hackers" by The Guardian.

    UK: ICO Announces Intention To Fine British Airways £183 Million For Infringements Of GDPR

    "British Airways is “surprised and disappointed” that it could be fined £183m by the Information Commissioner’s Office (ICO) for a data breach, according to its chairman and chief executive, Alex Cruz." by The Guardian.

    Spain: La Liga, the soccer league fined €250,000

    La Liga is accused of listening for piracy through its smartphone application. La Liga turned on user microphones in order to listen for sounds of the soccer game and match to any pirated stream using geolocation. La Liga used the information to sue 600 bars for pirating soccer games.

    Lithuania: MisterTango UAB fined €61,500

    MisterTango accidentally exposed a website with a list of consumer payments and payment details, including personal information.

    Poland: A Data Processor fined €220,000

    A data processor was fined because it scraped the internet for public contacts and conducted commercial outreach to over 90,000 people, 12,000 of whom objected to the unauthorized use of their data.

    Denmark: Taxa 4X35 (Taxi Company) fined 1.2M DKK

    The company was found to have stored over 9M personal records that it did not need.

    Portugal: Hospital near Lisbon fined €400,000

    Staff at the hospital used bogus accounts to access patient records.

    Germany: Knuddels.de (social media and chat platform) fined €20,000

    Knuddels reported a data breach, and upon investigation, the local data protection agency determined the site had been storing user passwords in plaintext without hashing.

    Spain: Vueling Airline fined €30,000

    The Spanish Vueling Airline has the typical “by continuing to use this site, you agree to our use of cookies” style cookie banner on its website. The banner only has an option to agree, but no way to decline. Their cookie policy suggests that consent can be revoked by configuring the browser to reject all cookies.

    The resolution highlights the lack of a cookie configuration panel or other granular management systems – browser controls are not sufficient here.

    The authority issued a fine of EUR 30,000 (which is the maximum possible fine under the LSSI for violation of Art. 22.2 LSSI). This, however, was reduced to a total of EUR 18,000 as the law provides for a reduction in cases in which the fined company accepts/acknowledges that they are responsible for the violation within the term provided to formulate their response (here 20%) as well as an additional reduction if the company pays the set fine before the proceedings resolution (here 20%).
