Very soon, the first year will have passed since the General Data Protection Regulation (GDPR) came into force. Last year, many companies were busy arranging documentation and data processing procedures in line with GDPR requirements.
Preparing for the GDPR was partly driven by the heavy fines, which have been a hot topic of discussion, not least the maximum fine of up to EUR 20 million or up to 4% of turnover in the case of a company. Have concerns about these huge fines been reasonable? Several EU Member States have already reported on the first fines imposed.
Assessment of these fines and related violations can help eliminate remaining deficiencies in data processing procedures. With that in mind, we have collected the main conclusions from these decisions.
Although no data is available about fines imposed in Latvia, the European Data Protection Board's guidelines on imposing fines state that, although national supervisory authorities remain independent, they should avoid choosing different corrective measures in similar cases. Therefore, in the case of similar violations in Latvia, the Data State Inspectorate can be expected to pay increased attention and to impose similar fines.
Excessive video surveillance
Country: Austria
Fine: 4,800 EUR
A fine was imposed on a sports café that kept a public area (pavements, a car park and the café entrance) under video surveillance. The part of the public area covered by the cameras was not proportionate to the purpose of the data processing. The area under surveillance displayed no notice of video surveillance. The storage term for the video recordings did not comply with Austrian national legislation (the GDPR allows each Member State to set this term individually).
What can we learn from this situation?
Video cameras. A controller of video surveillance must have clearly defined data processing purposes (for example, monitoring the production process, security, crime prevention, access control, and others). Camera coverage must be proportional to the set purpose.
Signs about video surveillance. The controller must inform data subjects about the data processing by providing all the information listed in Article 13 of the GDPR: the processing, its term, data subjects’ rights, and so on. In the case of video surveillance, the information must be provided before anyone enters the area covered by the cameras. Information signs are a practical way to do this. In Latvia, the legislator allows controllers to choose whether to notify by means of a video surveillance sign or by some other means, for example a poster with all the required information. Under the Personal Data Processing Law, a video surveillance sign must provide at least the controller’s name, contact information, the purpose of data processing, and an indication of where to find the other information listed in Article 13 of the GDPR (e.g. a home page to visit or a phone number to call).
Term for keeping video records. Latvian rules do not set a specific term for storing video recordings. The controller must choose a reasonable term depending on the chosen data processing purpose. The Data State Inspectorate's guidelines on data processing in the field of data surveillance help controllers assess the risks and select an appropriate storage term for video surveillance materials.
“Dead souls” in the data processing system
Country: Portugal
Fine: 200,000 EUR
A fine was imposed on a hospital for non-compliance with the fundamental principles of data processing, failure to apply appropriate technical and organisational measures, and inability to ensure that the principles of information security were observed. The hospital had no documentation of how user rights were granted in its data processing system. The system recorded 985 active doctor profiles, although the hospital actually employed only 296 doctors. Nine technical employees had been granted access rights to patient data as broad as those of the medical personnel. The heavy fine was also influenced by the fact that the controller processed medical data, which is considered a higher-risk data category.
What can we learn from this situation?
Record keeping. Accountability is one of the fundamental principles of the GDPR. It means that the controller must be able to demonstrate how the information system works, how access rights are granted and revoked, and how the GDPR principles are upheld.
Deactivation of user profiles. Controllers sometimes violate the rules by failing to deactivate the profiles of former employees. When employment ends, employers must always remember to deactivate the former user's account immediately afterwards.
Minimisation. Another significant principle of the GDPR is data minimisation, namely that processing is “limited to what is necessary”. So, when configuring rights to access a database, it is important that extensive rights to access, enter, correct and delete information are granted only to employees whose duties include these operations.
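The three lessons above (documented rights, deactivated leavers, least privilege) can be turned into a routine check: reconcile the accounts active in the system against the HR roster and against a written role-to-permission policy. The script below is an added example, not code from the article or from the hospital in question; the accounts, roster and role policy are constructed samples, and the permission names (`patient.read`, `system.admin`, and so on) are assumptions chosen for illustration.

```python
"""Access-rights reconciliation check (added example, not from the article).

Compares the accounts active in a data processing system with the HR roster
and with a role-to-permission policy, and reports:
  * orphaned accounts: active in the system but no longer employed ("dead souls")
  * over-privileged accounts: holding permissions their role does not allow
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Permissions each role may legitimately hold (constructed policy, assumed names)
ROLE_POLICY = {
    "doctor": {"patient.read", "patient.write"},
    "nurse": {"patient.read"},
    "it_support": {"system.admin"},   # technical staff get no clinical data access
}


@dataclass
class Account:
    username: str
    role: str
    permissions: set = field(default_factory=set)


# Constructed sample: active accounts as exported from the system
ACTIVE_ACCOUNTS = [
    Account("dr.smith", "doctor", {"patient.read", "patient.write"}),
    Account("dr.jones", "doctor", {"patient.read", "patient.write"}),  # left, never deactivated
    Account("nurse.lee", "nurse", {"patient.read"}),
    Account("it.admin1", "it_support", {"system.admin", "patient.read", "patient.write"}),
]

# Constructed sample: current employees according to HR
HR_ROSTER = {"dr.smith": "doctor", "nurse.lee": "nurse", "it.admin1": "it_support"}


def find_orphaned_accounts(accounts, roster):
    """Accounts still active although HR no longer lists the person."""
    return sorted(a.username for a in accounts if a.username not in roster)


def find_over_privileged(accounts, policy):
    """Accounts holding permissions beyond what their role allows.

    Returns {username: sorted list of excess permissions}.
    """
    excess = {}
    for a in accounts:
        allowed = policy.get(a.role, set())
        extra = a.permissions - allowed
        if extra:
            excess[a.username] = sorted(extra)
    return excess


def reconcile(accounts=ACTIVE_ACCOUNTS, roster=HR_ROSTER, policy=ROLE_POLICY):
    """Run both checks; a clean system returns empty findings for each."""
    return {
        "orphaned": find_orphaned_accounts(accounts, roster),
        "over_privileged": find_over_privileged(accounts, policy),
    }


if __name__ == "__main__":
    for kind, findings in reconcile().items():
        print(f"{kind}: {findings}")
```

Run on the sample data, the check flags `dr.jones` as an orphaned account and `it.admin1` as holding clinical-data permissions its role does not allow. Keeping the report from each run is itself part of the accountability record the first lesson asks for.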
Poor data protection solutions
Country: Germany
Fine: 20,000 EUR
The social network Knuddels.de stored users’ data (including profile user names and passwords) in unencrypted form, which is why wrongdoers who hacked the system could freely access the personal data of 808,000 users. The supervisory authority found major deficiencies in technical and organisational protection and required the controller to improve its data protection solutions. The company complied with this obligation. So, despite the large number of affected data subjects, the supervisory authority did not impose an excessively heavy fine on the company.
What can we learn from this situation?
Appropriate security solutions. The security solutions used in IT systems are of major importance for data protection. Had the company initially chosen appropriate data protection solutions, wrongdoers ‒ even if they had laid their hands on files with personal data ‒ would not actually have been able to access these data.
Cooperation with the supervisory authority. Not every data protection violation ends in a maximum fine. Eliminating deficiencies within the set term and actively cooperating with the supervisory authority are among the criteria the authority takes into account before deciding on a fine. In particular, active cooperation can significantly reduce the risk of receiving the heaviest fine.
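The point about storing credentials in a form that a stolen file does not expose can be made concrete with a credential record. The code below is an added example, not code from the article or from Knuddels.de: it contrasts a plaintext user record with one that stores only a per-user random salt and a slow PBKDF2 hash, and shows that the hashed record still verifies a login while revealing nothing useful if the table leaks. It uses only the Python standard library; the user names and passwords are constructed samples.

```python
"""Password storage: plaintext record versus salted, slow-hashed record.

Added example, not code from the article. A breached copy of a properly
hashed credential table does not hand an attacker the passwords; a
plaintext table does. Standard library only (hashlib, hmac, secrets).
"""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000      # PBKDF2 work factor; raise it as hardware gets faster
HASH_NAME = "sha256"


def store_plaintext(username, password):
    """The weak pattern: the stored record is the secret itself."""
    return {"username": username, "password": password}


def store_hashed(username, password, iterations=ITERATIONS):
    """Store a per-user random salt and a PBKDF2 hash instead of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
    return {
        "username": username,
        "kdf": f"pbkdf2_{HASH_NAME}",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_hashed(record, password):
    """Recompute the hash from the stored parameters; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME,
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_password(record, password):
    """True if the password can be read straight out of the stored record,
    which is what a leaked plaintext table gives an attacker."""
    return password in record.values()


if __name__ == "__main__":
    # Constructed sample credential; not a real account
    pw = "correct horse battery staple"
    weak = store_plaintext("alice", pw)
    strong = store_hashed("alice", pw)
    print("plaintext record leaks password:", record_reveals_password(weak, pw))
    print("hashed record leaks password:   ", record_reveals_password(strong, pw))
    print("login with right password:      ", verify_hashed(strong, pw))
    print("login with wrong password:      ", verify_hashed(strong, "Tr0ub4dor&3"))
```

Because each record carries its own salt, two users with the same password get different hashes, so a leaked table cannot be attacked in bulk with one precomputed list. The iteration count is stored with the record so it can be raised over time without invalidating existing users.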
Failure to observe data subject’s rights
Country: Hungary
Fine: 3,135 EUR
A data subject asked a company for a video surveillance recording of himself, which he needed for a court case. The company refused, stating that the recording would not strengthen his position but would merely prove that he was at that particular place at that particular time. The company’s attitude violated the data subject’s right of access to his data.
What can we learn from this situation?
Controller’s obligation to provide information. The GDPR gives data subjects the right to receive copies of their data. The controller is not entitled to demand an explanation of why the data subject needs the requested data, and has neither the obligation nor the right to assess whether the data would be useful in litigation.
Information must be provided to data subjects free of charge. However, a controller who receives clearly unfounded or excessive requests from a data subject may either refuse to act on the request or charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the action requested. In that case, the controller must give a reasoned response explaining why the request was clearly unfounded or excessive.
Lack of transparency and sending commercial notification without legal justification
Country: France
Fine: 50,000,000 EUR
Before data processing begins, each user is entitled to information on how their data will be processed. To obtain information about the purpose of processing, the data storage term and the personalisation of commercial notifications, Google users had to perform 5-6 operations. As a result, the information was hard to reach. Moreover, the information that was available was too general and unclear.
By clicking “I agree” in the Google application, users agreed to all the processing operations performed by Google. However, under the GDPR, consent must be obtained separately for each data processing purpose. Consent to all processing at once is too broad and non-specific, and is therefore invalid.
What can we learn from this situation?
Simpler is better. Information addressed to users must be provided in a concise, easily accessible and understandable form, in clear and plain language. Users should have easy access to the information, which should not be hidden behind multiple clicks.
Specific consent. Not every consent expressed with the words “I agree” is valid. Consent must be intentional, freely given, specific and evident. This means that before giving consent the user must understand what information will be used and for exactly what purpose.
A detailed overview of the decision by the French data protection supervisory authority CNIL is available on the DSI home page.
Establishing a data protection system is a long-term process to be adapted to constantly changing risk circumstances. We hope that this advice will help you eliminate the last remaining deficiencies in data protection.