Lessons learned from the main financial fines in terms of data protection

Summary: This article examines the most significant financial fines imposed in the field of data protection, highlighting the most relevant cases and the lessons learned from them. The implementation of the General Data Protection Regulation (GDPR) has had a significant impact on the way organizations handle personal data. By studying these sanctions, we can identify common patterns of non-compliance and effective strategies to improve the proper application of this regulation.

Introduction:

Personal data protection has become a critical issue in the digital age. With the implementation of the GDPR, a robust and exemplary legal framework was established in the European Union. This article reviews the most significant fines imposed since the implementation of the GDPR and analyzes the lessons learned from these cases to improve compliance in the future.

I. Review

This study is based on an analysis of documented cases of significant sanctions imposed by data protection authorities in different EU countries. Official reports, press releases, and legal documents related to each case were reviewed to gain a deeper understanding of the reasons behind the sanctions and the corrective measures subsequently implemented.

II. Financial fines for data protection in large companies

Economic fines in the European Union

1. Amazon: 746 million euros

Case summary: In July 2021, the Luxembourg National Data Protection Commission fined Amazon €746 million for collecting customer and partner data without proper consent under the GDPR. Amazon appealed the fine, citing strong disagreement with the findings.

Lessons Learned:

  – The importance of obtaining clear and explicit consent for data collection.

  – The need to rigorously comply with data protection regulations in every jurisdiction where the organization operates.

2. WhatsApp: 225 million euros

Case summary: In August 2021, the Irish Data Protection Commission fined WhatsApp €225 million for violations related to transparency and the information provided to users about the processing of their personal data. Because it did not use clear and simple language, WhatsApp failed to properly inform users about the purposes of the processing and its legal basis.

Lessons Learned:

  – The obligation to provide information in a concise, transparent and intelligible manner.

  – The importance of clearly communicating the purposes and legal basis of data processing to data subjects.

3. Austrian Post: 9.5 million euros

Case summary: In September 2021, the Austrian Data Protection Authority fined the national postal service €9.5 million for not allowing citizens to inquire about their stored personal data via email.

Lessons Learned:

  – The importance of providing multiple channels for citizens to exercise their rights over their personal data.

  – The obligation to facilitate access to and modification of personal data through any means the data subject chooses, including email.

Economic fines in Spain

1. Google: 10 million euros

Case summary: In May 2022, the Spanish Data Protection Agency (AEPD) fined Google €10 million for sharing data with third parties without proper legal authority and for obstructing the right to erasure. The fine arose from a September 2018 complaint about the use of personal data in the Lumen Project, which collects and publishes takedown requests for content containing personal data.

Lessons Learned:

  – The importance of having a solid legal basis for sharing data with third parties.

  – Users’ right to deletion must be facilitated and not hindered.

2. Vodafone Spain: 8.1 million euros

Case summary: On March 11, 2021, the Spanish Data Protection Agency (AEPD) imposed a fine of €8.1 million on Vodafone Spain, consisting of four separate fines. These violations included marketing and telephone prospecting activities without prior authorization, international data transfers without adequate measures, and the processing of data of individuals who had objected.

Lessons Learned:

  – The need to obtain prior written authorization for marketing activities.

  – The importance of implementing appropriate measures for international data transfers.

  – Respect for data subjects' objections to the processing of their data.

3. CaixaBank: 6 million euros

Case summary: CaixaBank was fined €6 million for lacking a legitimate basis for processing user data and for transferring data to other entities within the group without adequate legal grounds. In addition, the company was fined a further €2.1 million for inheriting Bankia's activities that involved the unauthorized use of data for purposes other than those covered by the original contract.

Lessons Learned:

  – The need to have a solid legal basis for the processing and transfer of data.

  – The obligation to use personal data only for the purposes specified in the contract and to obtain appropriate consent for any other use.

Conclusions

Analysis of these fines highlights several key lessons:

  • Legitimacy and consent are essential in the processing and transfer of personal data.
  • Security and compliance measures for international data transfers must be robust.
  • Marketing practices must be explicitly authorized and must respect the objections of data subjects.

These sanctions reinforce the need to comply with data protection regulations to avoid severe penalties and protect individual rights.
