Top 5 Biggest Fines for GDPR Breaches
The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernize laws that protect the personal information of individuals. As we approach 2 years since that dreaded deadline, we take a look at the biggest fines so far and the GDPR breaches responsible.
A personal data breach is defined as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The size of the fines can vary depending on severity, but one could expect to be fined up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In more severe cases, infringements could be subject to administrative fines up to €20,000,000 or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Download the GDPR Checklist for Images to help ensure that your organization's use of photographs doesn't breach the regulations!
Although GDPR is still in its infancy, companies breaching the GDPR have already received hefty fines, with a total of €460,000,000 to date. Currently, there have been up to 160,000 notifications of breaches that have been reported.
Top 5 Biggest Fines for GDPR Breaches
1. British Airways was hit with a proposed fine of €204,000,000 for a breach of customer data that affected more than 500,000 users of BA’s website. The incident, which saw users diverted to a fraudulent site by hackers, was disclosed on 6 September 2018. It was the first to be made public by the ICO and was a record fine for a GDPR breach since the regulations were brought in. *
2. Marriott was also given a proposed fine of €107,000,000 for a breach in 2018 that saw 383 million guest records and 18.5 million encrypted passport numbers obtained through a cyber attack. The breach, which impacted 30 million EU residents', is thought to have begun after Starwood hotels group’s systems were compromised in 2014, before being acquired by Marriott in 2016, though it was not discovered until 2018. *
3. Google Inc. in France was fined €50,000,000 last year for breaching GDPR within the principle of transparency (Article 5), the sufficiency of information (Article 13 & 14), and the presence of legal basis (Article 6) for creating Google accounts when configuring the Android system on a mobile phone.
4. TIM, a Telecom Provider in Italy, was fined €27,802,946 this year because The Italian Data Protection Authority (Garante) revealed that TIM was fined due to numerous unlawful data processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent. One of the reasons for the large fine was the fact that the unlawful data processing activities involved several million individuals.
5. Austrian Post was fined €18,000,000 last year for selling detailed personal profiles of approximately three million Austrians to various companies and political parties.
At the other end of the scale, the smallest GDPR breach fine was issued to a hospital in Hungary. The fee of €90 was issued due to the hospital unlawfully charging a copying fee from the patient, and violating the patient's right to access their personal data. Read about the Top 6 Biggest GDPR fines in Scandinavia.
*Both the fines for British Airways and Marriott are not final at the time of writing, but have been proposed by the Information Commissioner’s Office (ICO).
Is your organization GDPR compliant?
Although the majority of GDPR fines relate to breaches of customer personal data, did you know the regulations also applies to employee data? Many organizations use photographs of their employees, which can cause serious challenges when it comes to complying with the GDPR. Our article Is your use of employee photos GDPR compliant? can help you to determine whether your organization is at risk of breaching the GDPR and a potentially costly fine.