28 January. European Privacy Day. The protection of personal data in Europe

28 January 2021

An overview of the main penalties for breaches of data protection regulations.

Today, 28 January 2021, is the European Privacy and Data Protection Day. This date, marked by the European Commission, the European Council and the national data protection authorities of the member countries, was proclaimed by the European Council in 2006 with the aim of creating an awareness and information campaign on the proper use of personal data on the Internet.

This date took on special relevance with the entry into force of the General Data Protection Regulation (GDPR) in 2018, which clearly defined and protected the rights of data subjects and the obligations of data controllers. Thus, on the occasion of this day, which falls in the first month of 2021 and reminds us of the importance of safeguarding the fundamental right to privacy, we take the opportunity to look back and analyse the main sanctions imposed in the European Union for infringement of data protection regulations. Unsurprisingly, many of these sanctions stem from an incorrect application of data protection rules.

On the European scene, we find very heavy penalties in the application of the GDPR. At the beginning of 2021, the German national data protection authority fined the electronics retailer notebooksbilliger.de AG €10.4 million. In this case, the problem concerned the company’s video surveillance system, which lacked a legitimate basis and used excessive retention periods. In 2020, the German national authority had already broken a record by fining the fashion company H&M more than 35 million euros, in that case for improper handling of sensitive employee data.

So far, the highest fine ever imposed by a national authority in Europe was the one decreed by the French national authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), against Google Inc. in 2019, amounting to 50 million euros and based on articles 5, 6, 13 and 14 of the GDPR. The infringement occurred in the process of creating Google accounts on Android, in which the data collection and processing was not accompanied by clear and accessible information (the user had to follow several different links to obtain all the information, which in turn was neither entirely clear nor precise). Furthermore, the data subject did not give express consent: the boxes were already pre-checked.

In Spain, we closed 2020 and opened 2021 with two of the largest sanctions ever imposed in the history of our country, both of them against banks.

The first was imposed on Banco Bilbao Vizcaya Argentaria (BBVA), for a total of €5 million. The Spanish Data Protection Agency (AEPD, the Spanish national authority on data protection) issued its decision in the sanctioning procedure in December last year, establishing that BBVA had infringed articles 13 and 14 of the GDPR, which set out the minimum information that must be provided to data subjects, including, among other things, the type of data and the purpose of the processing. This infringement carries a fine of 2 million euros for the bank. The AEPD also considered that the bank had infringed article 6 of the GDPR, the precept that deals with the data subject’s consent to authorise the processing of data. For this infringement, a fine of 3 million euros was imposed.

The second, against another bank, CaixaBank, came at the beginning of 2021 and amounts to 6 million euros. This is undoubtedly the record fine imposed by the AEPD, and the reasons are the same as in the previous case. The Agency again cites articles 13 and 14 of the GDPR, for a lack of clear and precise information on the purposes of the processing, specifically in the bank’s privacy policy, as well as article 6 of the GDPR, for a lack of valid consent, understood as consent that must be express and unambiguous.

In any case, it is clear that national data protection authorities are increasingly willing to monitor and punish breaches of their respective data protection regulations. Targeting large corporations and entities, we find very high penalties which, at the same time, serve as an awareness-raising and preventive measure for all data controllers.

Lucía Martín-Sanz

Lawyer. Digital Law Department.
