Top 6 Biggest GDPR Fines in Scandinavia
In almost 2 years since the General Data Protection Regulation (GDPR) came into force, there have been over 160,000 reported notifications of GDPR breaches, with more than 150 fines accumulating almost €460,000,000. In this article, we take a look at the biggest fines so far for companies in Scandinavia and the GDPR breaches responsible.
1. Municipality education department
Reason: Insufficient technical and organizational measures to ensure information security - Article 32
Summary: The education department of a municipality in Norway was fined because of security vulnerabilities in a mobile messaging app that had been developed for use in a school by parents, students, and staff. Unauthorized users were able to log in to the app as an authorized user and so access the personal data of students, legal representatives, and employees. The Norwegian Supervisory Authority (Datatilsynet) found that the department had not complied with Article 32 GDPR, and it was handed a fine of €203,000 - the highest in the Nordics to date.
2. Furniture company
Reason: Non-compliance with general data processing principles - Article 5 (1) e), Article 5 (2)
Summary: After an inspection carried out in the autumn of 2018, it was discovered that the company had processed personal data of almost 385,000 customers for longer than was necessary. Deadlines for the deletion of personal data in their new CRM systems had not been established or documented, and personal data in the old system had also not been deleted after the deadline. The procedures for personal data deletion had also not been documented.
Reason: Insufficient technical and organizational measures to ensure information security - Article 5 (1) f), Article 32
Summary: Due to inadequate security measures, it was possible for unauthorized persons to log in and access information relating to 35,000 usernames and passwords of pupils and employees at primary schools in the municipality. This meant a variety of categories of their personal data could be accessed, and the fact that many of these 35,000 were children heightened the severity of the breach.
4. Taxi company
Reason: Non-compliance with general data processing principles - Article 5(1) e)
Summary: The company was reported to the police by the Danish Data Protection Authority (Datatilsynet), which recommended a fine of 1,200,000 DKK for not adhering to the data-minimization principle: the company had retained personal data, including phone numbers, from almost 9,000,000 taxi rides.
5. Website operator
Reason: Insufficient legal basis for data processing - Article 6
Summary: The organization behind a website which publishes personal data of all Swedes above the age of 16 was fined due to publishing data about non-payment records and criminal convictions - both of which are regulated by the GDPR and required prior authorization from the Swedish Data Protection Authority.
6. High School
Reason: Insufficient legal basis for data processing - Article 5 (1) c), Article 9, Article 35, Article 36
Summary: The school was fined after introducing a trial of face recognition technology to monitor the attendance of its students. Using facial recognition for this purpose was deemed disproportionate to the goal of monitoring attendance, and students or their guardians could not freely give consent to it. Processing such sensitive personal data in this way was also considered to pose high risks to the children.
As the range of organizations and types of breaches shows, GDPR compliance is a serious issue whether you’re a local business, SMB, corporate, or enterprise company. The GDPR has brought many new challenges for businesses all over the world, and many are still struggling to be compliant. While many of these cases relate to the personal data of customers, it is also extremely important not to forget about the personal data of your employees.
If you work with images in your organization, take a look at the GDPR checklist for images to help ensure that your use of photographs doesn’t breach the regulations.
Header Photo by Gadiel Lazcano on Unsplash