Following the entry into force of the General Data Protection Regulation (GDPR) in May of last year, penalties increased for failure to comply. Slowly but surely, instances of fines and other forms of penalties being imposed for violation of this regulation and related national laws have begun emerging.
A large fine was issued in Portugal by the Portuguese National Data Protection Commission (NCDP) in 2018 to a hospital for giving unauthorized staff unnecessary access to confidential patient data. Here, penalties amounting to a sizable EUR 400,000 were imposed on the grounds that the data breach represented a clear and serious violation of the requirements of data protection laws.
In the same month, the Data Protection Authority in Baden-Württemberg, Germany, imposed a fine of EUR 20,000 on the social networking platform Knuddels.de after a hacker gained access to the personal information of hundreds of thousands of users of the website. Here, the authorities considered the platform liable because the personal information, including passwords, had been stored in plain text. This was considered a violation of Article 32 of the GDPR, which requires that organisations which control or process data must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Whilst the breach was considered large, the authorities deemed the platform’s response particularly cooperative and transparent, and the platform quickly implemented suitably stronger security measures; as a result, a more moderate fine was imposed.
However, it is also notable that fines are not being issued only for instances of unauthorized data access. The first data protection law violation fine issued by the Austrian Data Protection Authority went to a small business in relation to its video surveillance activities. Here, a video surveillance camera installed in front of the business establishment also captured a large portion of the public sidewalk, thus violating the rules against unjustified monitoring of a public space. In this instance, the fine came to EUR 4,800, with the Austrian Data Protection Authority citing the small size of the company and the need for proportionality in awarding fines, even though under the GDPR fines can be up to EUR 20 million or 4% of the organisation’s annual global turnover.
These examples demonstrate that enhanced data protection laws have wide relevance to organisations, requiring reflection on a wide range of issues, including employee permissions and activities, external interactions with customers, the technical security of data, and decisions on the collection and use of information. Furthermore, the authorities consider a range of factors when investigating a complaint, and evidence of attempts to comply with data protection requirements and principles, alongside a cooperative attitude and remedial actions, can have a large and positive impact on the outcome.
Organisations and companies are thus strongly advised to ensure that they have an effective data protection strategy and system in place so as to minimize the risk of data breaches. At MKLaw, we have experience in implementing data protection packages as well as advising on specific instances regarding data protection law. If we can assist your organization in this area, please get in contact with us.