It has been over three years since the introduction of the General Data Protection Regulation (“GDPR”) on 25 May 2018. Since coming into force, it has been reported that over EUR 292m of fines have been issued for wide-ranging infringements of the GDPR. The GDPR provides a range of investigation and enforcement powers to Data Protection Authorities (“DPAs”) and although slow to impose large fines at first, the DPAs are now increasing both the frequency and severity of their fines and penalties to ensure compliance. In particular, the Spanish DPA (“AEPD”) is setting a new standard this year by moving away from cautious enforcement to setting record level fines.
Until 2020, the Spanish regulator imposed small fines with an average amount of around €55,000. However, in 2021, the Spanish DPA has already issued 212 fines, which have exceeded roughly 500% of all the fines previously imposed between 2018 and 2020. Notably, a single fine imposed in 2021 to Vodafone Spain for €8,150,000, exceeded the total amount collected by the AEPD throughout 2020 (€6,054,000). Two further large GDPR fines were issued to Spanish banks, Caixa Bank (€5,000,000) and BBVA (€6,000,000), for their failures in processing data without a correct legal basis and for failing to provide the necessary information to data subjects. Both Caixa Bank and BBVA are contesting the fine and we will await the outcome of the appeals with interest as they are the first GDPR challenges the AEPD has faced to date.
Why is the AEPD imposing such high fines?
After carrying out an analysis of the sanctions imposed this year, it should be noted that the vast majority of the fines are based on non-compliance with Article 5.1 (principles relating to processing) and Article 6.1 (lawful basis for processing) of the GDPR. In other words, for failing to adhere to the seven key principles of processing and for not having a valid lawful in order to process personal data.
Among the highest of the fines imposed, the Spanish regulator has also paid close attention to several violations of Articles 13 and 14 of the GDPR which concern the provision of information when personal data is collected from a data subject (Article 13) and where personal data has not been obtained direct from the data subject (Article 14). It follows that there will be potentially serious consequences if an individual files a complaint with the AEPD for a violation of these Articles and we note in particular the recent fine against Edp Energía, for €1,500,000 for violating Article 13 and 25 GDPR (the latter concerning data protection by design and default).
Although only 81 cyber security breaches were notified to the AEPD in 2020, this represents a 3% increase compared to the previous year. Although there have not been many fines imposed so far as a result of a cyber-attack, a noteworthy fine of €600,000 was issued in March 2021 to the airline Air Europa for, among other reasons, failure to comply with the obligation to notify a security breach within 72 hours. The airline finally notified the Spanish regulator of the security breach 41 days later. Further, it was shown that Air Europa did not have the necessary technical and organisational security measures in place. This fine is a useful reminder to pay special attention to the obligation on data controllers to notify supervisory authorities of personal data breaches, under Article 33 of the GDPR.
Our team in Madrid has noticed that there is a common trend emerging with the AEPD as to which sectors are subject to the heaviest penalties. In this regard, the most common targets for fines are companies within the financial sector (for the inclusion of personal data in debt collection files) and within the telecommunications sector (for fraudulent contracts with their customers and bad marketing practices). However, on several occasions (especially in the communications sector), fines are increasingly high due to the repeat misconduct of the data controller. The Spanish regulator’s patience appears to be running thin for repeat offenders.
We remind readers as to the importance of paying special attention to the GDPR as a whole, especially where large amounts of data of varying types is processed, including special category data (such as medical data), which could make them prime targets for regulatory investigation by the AEPD. Additional consideration should be given where an organisation has a large number of clients (especially private individuals) with whom they maintain contractual relations and send frequent marketing communications as such practices are closely monitored by the AEPD.
The Spanish DPA’s increased activity shows that it is finally getting to grips with the new regime. With three of Spain’s largest fines issued in the first half of this year, we have seen that the Spanish regulator is taking a tougher approach to companies that struggle with GDPR compliance, particularly large corporations.