More than three years have passed since the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and, throughout that time, we have experienced successes and failures during our respective processes of adaptation to a more intuitive and personalized regulation.

In relation to the mistakes, it is interesting to delve into the Economic sanctions most significant that can affect any organization to know the criteria of the administrative authority, the most common errors of data controllers and, consequently, avoid the circumstances that led to the imposition of said sanctions. Thus, among the sanctions imposed, the following stand out:

Company	Infringement	Economic sanction	sanctioning country
Amazon Europe Core S.à.rl	Non-compliance with general data processing principles	746,000,000 €	Luxembourg
WhatsApp Ireland Ltd.	Insufficient compliance with information obligations (Arts. 5 1.a, 12, 13, 14 GDPR)	225,000,000 €	Ireland
Google LLC	Insufficient legal basis for the processing of personal data (Arts. 5, 6, 13 and 14 GDPR)	50,000,000 €	France
H&M Hennes & Mauritz Online Shop AB & Co. KG	Insufficient legal basis for the processing of personal data (Arts. 5 and 6 GDPR).	35,258,708 €	Germany
TIM (Telecommunication operator)	Insufficient legal basis for the processing of personal data (Articles 5, 6, 17, 21, and 32 GDPR).	27,800,000 €	Italy

Source: self made

Most important economic sanctions regarding data protection in the EU 2019-2021

As can be seen, the most significant violations in data protection occur for a misuse of user information. Some data controllers abuse their respective domain positions to carry out unauthorized processing of the information of their clients, and even their workers. This purpose violates the principle of transparency, information and data minimization contained in the RGPD.

In relation to the Spanish case, the most important economic sanctions imposed by the Spanish Data Protection Agency are the following:

Company	Infringement	Economic sanction	Details
Vodafone Spain, SAU	Insufficient compliance with the rights of interested parties (Art. 21, 24, 28 and 44 RGPD, art. 21 LSSI, Art. 48 (1) b) LGT, Art. 23 LOPDGDD).	8,150,000 €	Existence of precedents (191 complaints in the last two years) and fines or warnings by the AEPD between January 2018 and February 2020 on more than 50 occasions. Contact and offer to clients previously registered on the Robinson List. Violation of consumer rights.
Caixabank SA	Insufficient legal basis for the processing of personal data (Art. 6, 13 and 14 GDPR).	6,000,000 €	Lack of adaptation of the business's personal data processing policy to the GDPR, especially in terms of the information offered to clients and the consent collection procedure.
Banco Bilbao Vizcaya Argentaria, SA	Insufficient compliance with the duty to inform (Art. 6 and 13 GDPR)	5,000,000 €	Sending advertising to clients previously registered on the Robinson List. Pre-checked box on data transfer to third parties through the app.
Caixabank Payments & Consumer EFC, EP, SAU	Insufficient legal basis for the processing of personal data (Art. 6 (1) GDPR).	3,000,000 €	Improper use of personal data to create a financial solvency profile.
Mercadona SA	Insufficient legal basis for the processing of personal data (Art. 5 (1) c), 6, 12, 13, 25 (1) and 35 GDPR)	2,520,000 €	Use of facial recognition technology in stores to detect individuals who have committed crimes against the company, its workers or customers.

Source: self made

Most important economic sanctions regarding data protection in Spain 2020-2021

The national trend, in relation to the economic sanctions imposed in terms of data protection, is led by the development or management of unwanted advertising, specifically, in the establishment of aggressive commercial tactics that do not stop even when clients, under the due exercise of their rights, request it. As seen in the case that heads this list, there is a violation of the right of opposition of the user who is left unattended despite there being an express will that is contrary to the marketing policy of the telecommunications company.

Another feature that essentially draws attention is related to the illicit use of customer data, or even workers, by sanctioned companies violating the duty to inform and making use of them that is not transparent or fair. Furthermore, as seen in the list, banking entities in their process of implementing the regulations in force have committed important transgressions, such as ignoring clients previously registered in the Robinson List.

Subscribe to our newsletter to stay up to date with all the news

Name and surname *

Email *

I give my express consent and accept the Privacy Policy.

EIP International Business School informs you that the data in this form will be processed by Mainjobs Internacional Educativa y Tecnológica, SAU as the party responsible for this website. The purpose of collecting and processing personal data is to manage your subscription to the newsletter as well as to send commercial information about the services of the data controller. The legitimacy is the explicit consent of the interested party. Data will not be transferred to third parties, except under legal obligation. You may exercise your rights of access, rectification, limitation and deletion of data at compliance@grupomainjobs.com, as well as the right to lodge a complaint with the supervisory authority. You can consult additional and detailed information on Data Protection in the Privacy Policy that you will find on our website.