The biggest GDPR fines of 2020 (and how to avoid them)

Breaching the GDPR can cost you up to €20 million, or 4% of annual global turnover, whichever is highest. This means you want to avoid fines wherever possible.

We have compiled the three biggest GPDR related fines of 2020 to show you what went wrong, and how you can avoid making these costly errors.

3. Google LLC – Fined €7m

  • The Data Protection Authority of Sweden fined Google LLC €7m due to insufficient fulfilment of the rights of data subjects.
  • Google had not properly removed search results that it had been ordered to delete in 2017. Google was also criticised for informing the website owners that their site was to be removed. This allowed them to create a new URL and be found through Google searches.

GDPR Breaches: GDPR article 5, 6 and 17 other breaches

2. Eni Gas e Luce (Gel) – Fined €11.5m

  • In Italy, Eni Gas e Luce (Egl) was fined twice for illegal processing of personal data and activating unsolicited contracts.
  • The first fine, €8.5m, was for unlawful processing of personal data for telemarketing and telesales purposes. This included a lack of consent and data subjects being unable to opt-out, as well as storing the data for much longer than necessary.
  • The second fine, €3m, was for not telling existing customers about a new contract, and these customers also accused Egl of forging their signatures and false information.

GDPR Breaches: GDPR article 5, 6, 7, 21 and 32 other breaches

1. TIM – Fined €27.8m

  • Telecoms provider TIM sent thousands of unsolicited online communications without the consent of its data subjects. Many of these data subjects had chosen to opt-out of these communications, but still received them. One individual reported they had been contacted over 150 times in one month.
  • TIM also retained data from their subjects for over ten years, which breaks both GDPR and their own company policy!
  • Data subjects were unable to properly consent as they were left unsure about how their data would actually be used.
  • Lastly, TIM did alert the DPA about data breaches, however it failed to meet the 72-hour deadline.

GDPR Breaches: GDPR article 5, 6, 7, 17, 21 and 32 other breaches

So how could these companies have avoided these fines?

Quite simply, by following the six key data protection principles;

  1. Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Each of these companies stored data for far too long, did not provide clear means of obtaining consent, or did not listen to the instructions of the relevant countries Data Protection Acts. These are easy mistakes to avoid when acting in accordance with GDPR, yet they still carry hefty penalties, even for small businesses.

Here at GDPRlocal, we’re here to help you avoid common mistakes like these. With our expert advice, we’ll work with you to ensure your business is on track for full GDPR compliancy. To get started, simply register for an account at GDPRlocal.com and receive our “Get Started With GDPR” project planning white paper.

To learn more about our bespoke GDPR compliancy services, or if you have any further question, do not hesitate to contact us at: [email protected] or call anytime on 01772 217800