In the over two years since Europe’s General Data Protection Regulation (GDPR) was implemented on the EU and EEA, a team of financial analysts from Finbold has studied the fines and penalties that data protection authorities have imposed within the European Union by sourcing data from the GDPR Enforcement Tracker fines’ database.
The GDPR, or General Data Protection Regulation, which marked its two year anniversary in May, functions as the means for a “human-centric approach to technology” and the compass for companies in the digital era. Meant to ensure a high level of data protection and compliance responsibility, the European Union’s innovative legal framework has the ability to hold companies accountable by law and impose fines on offenders. In this digital era, the GDPR not only ensures that individuals have better control over their personal data, but also that their data is processed for a legitimate purpose, in a lawful, fair and transparent way.
According to new research conducted by Finbold and released on August 26. they found that EU member states and countries of the EEA area have received a total of €60.1 million in fines for GDPR violations in 2020 alone, with the most prominent reason behind the breaches being an insufficient legal basis for data processing.
The research found that Spain tops the ranking for the most violations, having received the highest number of overall fines across the EU/EEA, with 76 infractions. The data presented in the GDPR Enforcement Tracker showed that the latest case was related to the Socialist Party of Catalonia, which used the personal data provided to it by a professional doctor to send a letter to the complainant’s relative asking for political support. Breaching the original purpose of the data collection, Spain violated the principle of purpose limitation and was told to pay €5,000 in fines.
Another Mediterranean country, Italy, is also at the top of the list, in terms of the overall amount of total of fines at €45.6 million. The company that was the GDPR’s worst offender when it came to data processing is the Italian telecommunications operator, TIM, which was ordered to pay €27 million in fines.
The data protection enforcement tracker found that between January 2017 and 2019, the Italian Data Protection Authority (Garante), received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections.
Violations were also recorded in connection with competitions, due to a lack of transparency on data processing and invalid methods of consent for various purposes, including marketing, as well as in the storing of data by keeping them longer than necessary. By the rules of the regulation, this is a violation of the deletion periods.
Among those championing data protection are Estonia and Cyprus, with the Baltic country on the hook for a massive fine that was imposed on a housing association for publishing photos showing members of the association without their consent. Similarly, Cyprus has received two fines amounting to €10,000 for allowing police access to personal data and for failing to take adequate measures to secure the data, as well as for sending SMS marketing messages without consent.
Finbold’s study, which covered the period between January 1 to August 17, demonstrated that Europe needs to invest in its data strategy, particularly during the times of the coronavirus, when the world is making a huge shift to digital platforms.
With the European Commission’s priority being the formation of a “Europe fit for the digital age,” it has become clear that the bloc’s data protection watchdog must stay alert.