GDPR penalties and fines
The GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. Hence the punitive action. Because it’s the way it works in 2020. And that’s right. This post was inspired by questions provided by people like you. Falling under the General Data Protection Regulation (GDPR), the fine is the third-largest to be given by the Italian Data Protection Authority (Garante) in 2020, and the first violation by Vodafone in the country. This is the largest fine issued by the ICO to date. Finbold was able to compile a list of the top 2020 GDPR fines using data collected from the GDPR enforcement tracker website. Two key issues – unsecured data and lack of appropriate security – are behind 65% of all GDPR fines issued against European organisations to date, totalling £482m in penalties, according to new research. In fact, we have an entire series of blog posts on this. On October 1, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million (about $41.5 million) fine to the Swedish retail conglomerate Hennes & Mauritz, better known as H&M and registered in Hamburg, for violation of the General Data Protection Regulation (GDPR). Data breaches of this size often result in action from the authorities, but what we are trying to say is that the size of the fine is often higher when the company is unable to demonstrate that it has a proper risk management process in place. The company used this sensitive personal data to create profiles of its employees. But it’s no longer kept behind a firewall on a local server. List of GDPR fines 2020 – from January to May. France, Germany, and Austria top the table for the total value of GDPR fines imposed to date with €51 million (U.S. $56.6 million; against Google), €24.5 million (U.S. 
$27.2 million; against real estate company Deutsche Wohnen) and €18 million (U.S. $20 million; against Austrian Post, the country’s principal mail service provider). The cyber-attack was only discovered two months later, but by that time hackers had already stolen the personal data of more than 400,000 customers. Under the GDPR, processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, is prohibited absent certain exceptions. Ticketmaster suffered a breach earlier this year (they took nine weeks to identify it after they were first alerted to fraudulent payments) that compromised payment card details belonging to 9.4 million customers. Also GDPR compliance, which is beginning to get very serious. Google – €50 million ($56.6 million). Although Google’s fine is technically from last year, the company lodged an appeal against it. They couldn't demonstrate completion of a risk assessment of a SaaS tool used on a critical page. Perform due diligence in evaluating privacy requirements and cybersecurity controls during the merger and acquisition process. Ask questions about the GDPR … competition laws / electronic communication laws) and under "old" pre-GDPR laws. There are two GDPR penalty levels: the lower level covers up to €10 million or 2% of worldwide annual income for the previous year, whichever is higher. On October 30, 2020, the ICO issued a £18.4 million fine against Marriott International Inc. The GDPR states explicitly that some violations are more severe than others. Implement and monitor privacy and security controls to protect personal information from unauthorized access, use, and disclosure. 
Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties. To be fair, Germany had two multimillion fines topping a little over €24 million (a €9.55 million GDPR fine for 1&1 Telecom and a €14.5 million GDPR fine for Deutsche Wohnen SE). Some data breaches are unavoidable, and companies have to live with the risk. And we find that very reasonable. That’s three major fines in less than three months. Since at least 2014, the company had collected, recorded, and stored a vast amount of information about hundreds of its employees’ personal lives. And that is why we built Cledara. In the case of BA, Hayes states, “the ICO took into account the fact that the airline notified the ICO promptly once it was aware of the breach; it did not gain financially from the breach; there were no relevant previous infringements to be considered, and it offered to compensate individuals who had suffered financial loss.” The penalty was also reduced due to “BA’s co-operation with its investigation and improvements to its IT security arrangements after the breach.” And lastly, COVID-19’s economic impact also mitigated the exemplary punishment. And we want to take you through it and ask ourselves: why is GDPR compliance getting so serious? A German subsidiary of the Swedish retail conglomerate H&M was fined for the illegal surveillance of hundreds of its employees. The company processed a person's data to provide a phone line and passed the data on to two credit reporting agencies. Police officer, August 17, 2020 – Estonia. This is where it gets complicated, because customer data is now scattered across a number of SaaS tools: your CRM, your Google Drive… whatever it is. One might think that anyone could have a data breach and that it’s not Ticketmaster’s fault that bad people target them. October 23, 2020 by Robin. 
Please note that we do not list any fines imposed under national / non-European laws, under non-data protection laws (e.g. The General Data Protection Regulation (GDPR) went into effect 25 May 2018. In January 2020, the Italian Data Protection Authority (Garante) imposed a €27.8 million (US$31.5 million) fine on telecommunications operator TIM for violation of the GDPR. The biggest was for €120,000 for two violations. But what the regulators demand is that you know where customer data is going, and what risks arise from hosting that data in the locations where you host it. The total number of GDPR fines in 2020 is 19, and in terms of euros this comes to €135,253,736 in 2020. Vodafone España faced several GDPR fines in 2020. On November 26, 2020, the French Data Protection Authority (the “CNIL”) announced that it had imposed a fine of €2.25 million on Carrefour France and a fine of €800,000 on Carrefour Banque for various violations of the EU General Data Protection Regulation (“GDPR”) and Article 82 of the French Data Protection Act governing the use of cookies. GDPR fine for unlawful video surveillance in an LSS housing. They issued hundreds of fines to companies, including Google and Facebook, more than €114 million in the first 20 months of the GDPR. Even if they ran a risk assessment, they couldn’t demonstrate it. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later. And companies need help with it, because it’s not as easy as it seems. How the GDPR could change in 2020. GDPR Fines. Later this year, on May 25, the European Commission will produce a report, as mandated by Article 97. In most cases, organizations were fined because of insufficient technical and organizational measures to ensure information security. 
Meanwhile, authorities were not sitting with arms folded but managed to impose numerous fines. Total Amount of GDPR Fines. We love receiving new and interesting questions that help us think about data in new ways. And it all took place in the SaaS app they used as a chatbot. We are here to remind you that Ticketmaster is not alone in this. However, by the end of 2020, Italy had issued almost €70 million in fines, showing that the Italian Garante is ready to tackle serious GDPR violations with high penalties, leaving behind Germany, France, and the UK. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Around half of General Data Protection Regulation (GDPR) fines were incurred by Italian-owned companies, according to financial experts Finbold. Violators of the GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. The data at issue was collected and processed without employees’ consent and was used to evaluate employees’ performance and to develop detailed profiles of them for measurement purposes and decisions regarding employment. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. While both of these actions might seem reasonable, the company could not prove it … And that is exactly what happened with Ticketmaster and their chatbot. But we are not here to talk about it. That’s what Ticketmaster got out of all this. GDPR fines: total list for 2020. 
The month of October 2020 saw the European Data Protection Authorities impose some of the largest fines under the General Data Protection Regulation (GDPR). MAY 2020. Standards, social interactions, the way we do business… it all has changed. This October, Marriott and British Airways were also fined £18.4 million and £20 million respectively by the ICO for a failure to comply with GDPR standards. That chatbot… If only we had used Cledara… That’s what the people at Ticketmaster must have thought when they got a £1.25 million fine from the ICO for failing to keep their customer data safe. Did we miss one? Surprisingly, or perhaps not, there has been a rise in the level of activity by authorities regarding the GDPR. Introduction. During the COVID-19 pandemic lockdown we have kept track of GDPR enforcement. It looks like it’s not just a Google and Facebook thing anymore. Italy came out on top of the report, with total fines accumulating to €45,609,000. Italians top the list for GDPR fines in 2020! In other words, they received a fine for a massive data breach because they’d not completed a risk assessment before selecting and implementing the tool. DLA Piper’s GDPR Data Breach Survey 2020 was run with the collaboration of colleagues from the global DLA Piper privacy team and reported interesting findings on the value of fines and the number of data breach notifications, outlined below. In second place was Sweden. Companies that ignore their privacy and data protection obligations are bound to pay the price in the form of regulatory fines, consumer litigation, and diminished reputation with their customers. The company had collected sensitive personal data through the use of staff surveys and informal chats. €114 million of GDPR fines were imposed, and over 160,000 data breach notifications occurred, according to the DLA Piper Data Breach Report 2020. Their chatbot. 
2020 has been a year of turbulence. The company got sued for its unauthorized data processing activities, aggressive marketing strategy, data breaches, and illegal collection of consents. But what’s not right, as the ICO sees it, is when Ticketmaster, or any other company, fails to run a risk assessment of parts of the business that might, in some scenario, compromise customer data. Two tiers of GDPR fines. Last month, however, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty. What can companies do today to avoid these risks? This list focuses on major fines of at least €100,000. Ouch. Let us know. Because if this doesn’t take place, neither do preventive security measures. How one chatbot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate. It’s a pity they didn’t use a SaaS risk assessment tool like Cledara because they could have saved themselves a lot of money. The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. 
$14.5 million) under the General Data Protection Regulation (GDPR) for aggressive telemarketing practices. However, not all GDPR infringements lead to data protection fines. Major GDPR fine count: 2020: 20; 2019: 29; 2018: 1; Total: 50. Major GDPR fine total in euros (approximate due to currency conversion): 2020: €155,647,736; 2019: €112,915,407; 2018: €400,000; Total: €268,963,143. 2020 Major GDPR Fines. October 2020. Here are the biggest GDPR fines of 2020 so far: 1. The ICO’s investigation found that the airline was processing a significant amount of personal data without the proper level of security measures in place, leading to a cyber-attack in July 2018. The number of recorded fines they received was 13. Vodafone’s Italian business is facing a fine of over €12.25 million over aggressive telemarketing practices. The thing is that, along with this new storage panorama, comes the new challenge of managing this scattered data. The problem? The top ten EU countries with the biggest total GDPR fines are: Finbold research. The fine stems from the November 2018 disclosure that personal data contained in approximately 339 million guest records globally were exposed as a result of a breach of the Starwood hotels system in 2014. €177,959,174. Angry customers, a damaged reputation, security issues to fix... and a £1.25 million fine from the ICO. The UK’s Data Protection Authority (ICO) imposed a fine against British Airways in connection with a 2018 data breach in a final sum of £20 million. H&M – €35 million ($41.3 million) Fine. Smallest Fine. If you found this post interesting and have other questions that you’d like us to help answer, drop us a line at hello@cledara.com. 
September 2, 2020 | GDPR. There will be two levels of fines based on the GDPR. The personal data collected included information about employees’ religious beliefs, medical records, including diagnoses and symptoms of illnesses, as well as private details about vacations and family affairs. In October 2020, three of the largest ever fines for breaches of the EU General Data Protection Regulation (“GDPR”) were imposed by data protection authorities in the EU. The following is a list of fines and notices issued under the GDPR, including reasoning. But there are some interesting takeaways to extract from both cases: both companies were able to considerably reduce their penalties, according to Ed Hayes, a lawyer on the matter. Privacy regulators throughout the European Union are setting a precedent of regulatory enforcement and sending a strong message that companies must respect personal privacy, protect personal data, and uphold their obligations under the applicable privacy laws. GDPR regulators have been busy. 