More than three years have passed since Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, and throughout that time we have experienced successes and failures during our respective processes of adaptation to a more intuitive and personalized regulation.
As for the mistakes, it is worth examining the most significant economic sanctions that can affect any organization, in order to understand the criteria applied by the administrative authority and the most common errors made by data controllers and, consequently, to avoid the circumstances that led to those sanctions being imposed. Among the sanctions imposed, the following stand out:
| Company | Infringement | Economic sanction | Sanctioning country |
| --- | --- | --- | --- |
| Amazon Europe Core S.à r.l. | Non-compliance with general data processing principles | 746,000,000 € | Luxembourg |
| WhatsApp Ireland Ltd. | Insufficient compliance with information obligations (Arts. 5(1)(a), 12, 13, 14 GDPR) | 225,000,000 € | Ireland |
| Google LLC | Insufficient legal basis for the processing of personal data (Arts. 5, 6, 13 and 14 GDPR) | 50,000,000 € | France |
| H&M Hennes & Mauritz Online Shop AB & Co. KG | Insufficient legal basis for the processing of personal data (Arts. 5 and 6 GDPR) | 35,258,708 € | Germany |
| TIM (Telecommunication operator) | Insufficient legal basis for the processing of personal data (Arts. 5, 6, 17, 21 and 32 GDPR) | 27,800,000 € | Italy |
Most important economic sanctions regarding data protection in the EU 2019-2021
As can be seen, the most significant data protection violations stem from the misuse of user information. Some data controllers abuse their dominant positions to carry out unauthorized processing of the information of their clients, and even of their workers. This practice violates the principles of transparency, information and data minimization contained in the GDPR.
In the Spanish case, the most important economic sanctions imposed by the Spanish Data Protection Agency (AEPD) are the following:
| Company | Infringement | Economic sanction | Details |
| --- | --- | --- | --- |
| Vodafone Spain, SAU | Insufficient compliance with the rights of interested parties (Arts. 21, 24, 28 and 44 GDPR, Art. 21 LSSI, Art. 48(1)(b) LGT, Art. 23 LOPDGDD) | 8,150,000 € | Existence of precedents (191 complaints in the last two years) and fines or warnings by the AEPD between January 2018 and February 2020 on more than 50 occasions. Contact and offer to clients previously registered on the Robinson List. Violation of consumer rights. |
| Caixabank SA | Insufficient legal basis for the processing of personal data (Arts. 6, 13 and 14 GDPR) | 6,000,000 € | Lack of adaptation of the business's personal data processing policy to the GDPR, especially in terms of the information offered to clients and the consent collection procedure. |
| Banco Bilbao Vizcaya Argentaria, SA | Insufficient compliance with the duty to inform (Arts. 6 and 13 GDPR) | 5,000,000 € | Sending advertising to clients previously registered on the Robinson List. Pre-checked box on data transfer to third parties through the app. |
| Caixabank Payments & Consumer EFC, EP, SAU | Insufficient legal basis for the processing of personal data (Art. 6(1) GDPR) | 3,000,000 € | Improper use of personal data to create a financial solvency profile. |
| Mercadona SA | Insufficient legal basis for the processing of personal data (Arts. 5(1)(c), 6, 12, 13, 25(1) and 35 GDPR) | 2,520,000 € | Use of facial recognition technology in stores to detect individuals who have committed crimes against the company, its workers or customers. |
Most important economic sanctions regarding data protection in Spain 2020-2021
The national trend in economic sanctions for data protection is led by the development or management of unwanted advertising, specifically aggressive commercial tactics that do not stop even when clients, duly exercising their rights, request it. As seen in the case that heads this list, the user's right to object is violated: the request is left unattended despite an express wish that runs contrary to the marketing policy of the telecommunications company.
Another feature that draws attention is the illicit use of the data of customers, or even of workers, by sanctioned companies, which violate the duty to inform and use the data in a way that is neither transparent nor fair. Furthermore, as seen in the list, banking entities have committed significant infringements in the process of implementing the regulations in force, such as ignoring clients' prior registration on the Robinson List.