The first two years of the General Data Protection Regulation [1] are almost behind us and we are getting used to daily news of imposed fines. Although the UK and France may be the "top enforcers", it isn't just the Western EU Member States that are taking this rather new regulation seriously. Leaving aside the "BA / Google" cases [2][3], CEE countries have even "pioneered" GDPR enforcement. It is time to analyse whether there are common instances of non-compliance that lead to significant fines, or whether the degree of harmonisation lags when it comes to GDPR enforcement. Let's have a look at the "top five" fines (until the end of September 2019) imposed in CEE countries where Schoenherr has offices:
- In mid-2019, Bulgaria imposed two major fines in a row. The first one (EUR 2.6m) was imposed on the National Revenue Agency [4] following an investigation of a data breach at the agency by the Bulgarian Commission for Personal Data Protection. The data breach – in fact an attack by anonymous hackers – affected about six million people and led to unauthorised online disclosures. You might assume that the GDPR violation identified by the authority was the National Revenue Agency's failure to report the data breach. In fact, the authority found that the technical and organisational measures in place were insufficient. It was the violation of Art. 32 GDPR that resulted in the massive fine.
- The second fine was imposed by the Bulgarian Commission for Personal Data Protection, again for inadequate technical and organisational measures according to Art. 32 GDPR, which came to light after a data breach [5]. This time the recipient of the fine was the Bulgarian DSK Bank EAD. In this case, third parties had access to more than 23,000 credit records, including personal data like names, citizenships, identification numbers, addresses, copies of identity cards and biometric data. The authority imposed a fine of BGN 1m (approx. EUR 510,000).
- The Polish National Personal Data Protection Office started its enforcement measures even earlier. In March 2019 it imposed a fine of approximately EUR 220,000 on a data controller. The controller, a private company in Poland, was gathering data from publicly available sources like the Central Electronic Register and Information on Economic Activity or the Court Register and processed the data for its own commercial purposes. The authority identified a violation of the GDPR's information obligations, since the controller did not inform all data subjects according to Art. 14 GDPR but only those whose email addresses the controller had at its disposal. Since that controller had postal addresses and telephone numbers, the authority held that it could have complied with the information obligations under the GDPR and decided that the presentation of the information only on the website was not enough.
- UniCredit Bank S.A. was fined for GDPR violations in June 2019 in Romania [6]. The Romanian Data Protection Authority found that UniCredit Bank S.A. breached Art. 25.1 of the GDPR. In other words, the authority imposed the fine due to the failure to implement appropriate technical and organisational measures in the context of the Privacy by Design principle. Due to shortcomings in how the processing means and processing operations were designed, the implementation of the general data protection principles (e.g. data minimisation) was not ensured. This led to the unauthorised disclosure of personal data of persons who performed payments (i.e. personal identification numbers and addresses) to the beneficiaries of the payments. The data breach affected around 340,000 data subjects and the fine amounted to approximately EUR 130,000.
- In terms of timing, the first significant fine issued by the Hungarian National Authority for Data Protection and the Freedom of Information could be seen as a "birthday tribute to the GDPR", as it was issued on 23 May 2019. In this case, the authority identified that the biggest Hungarian festival organiser [7] failed to have a GDPR-compliant check-in system (which included the processing of scans of festival visitors' ID). The festival organiser claimed two legitimate interests for its data processing: (i) security (in light of the terrorist attacks in Paris in 2015), and (ii) preventing misuse of the entry armband (by passing it to other persons or selling it at higher prices). The authority decided that the legal basis ("legitimate interest") for the data processing was inappropriate and that the balancing of interests which must be conducted when relying on legitimate interests would not lead to overriding interests of the festival organiser. Thus, the controller did not comply with the principle of purpose limitation. Besides that, the festival organiser violated the principle of data minimisation by collecting unnecessary personal data from the festival-goers. The data protection authority imposed a fine of approximately EUR 90,000 in respect of the data processing activity of the festival organiser after the entry into force of the GDPR.
Lessons learned:
What can we take away from those first major fines in CEE? These sample cases clearly show that the authorities are taking a closer look at data breaches. Irrespective of the data breach notification, which was not in dispute in the above-mentioned cases, the authorities will analyse the technical and organisational infrastructure of a data controller if a data breach with significant impact has occurred. This means that even if your company is the victim of cybercrime, you should not forget about your own duties. Besides, the multiple transparency obligations (providing appropriate and readable information upfront) should be taken seriously. Just because the data are easily available online, or because data protection is likely not the prime focus of the data subjects (as can be assumed in the case of festival-goers), does not mean the data controller's obligation to act transparently is lifted. Companies should proactively and repeatedly evaluate their GDPR compliance structure. As often mentioned during the GDPR preparation phase, GDPR compliance is not a one-off task but requires steadfast attention.
Co-Author: Costin Sandu
[1] Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive), Official Journal L119, 4 May 2016, p. 1–88.
[2] Intention to fine British Airways GBP 183.39m under the GDPR for data breach; ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
[3] Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 pronouncing a financial sanction against GOOGLE LLC, available at: www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.
[4] https://www.cpdp.bg/en/index.php?p=news_view&aid=1519
[5] https://www.cpdp.bg/en/index.php?p=news_view&aid=1514
[6] https://www.dataprotection.ro/index.jsp?page=Comunicat_Amenda_Unicredit&lang=en
[7] Responsible for the SZIGET, the VOLT and the Balaton Sound Festival.