The European supervisory authorities enforcing the GDPR have not been sitting on their hands in the last couple of months. In this short article we have collected five interesting cases from the recent past. The wide discretion of the data protection authorities is well illustrated by the fact that in one case the GDPR fine was only EUR 2000, while in another a company was fined EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.
1. Scoring employee sick leaves in Cyprus
The Cyprus-based Louis Group decided to use an automated system to score the sick leaves of its employees. The reasoning behind the scoring was that short, frequent and unplanned absences disrupt the company more than longer sick leaves do. Louis Group claimed that the legal basis for the data processing related to the scoring system was its legitimate interest.
Sadly for Louis Group, the Cypriot supervisory authority was not of the same opinion. In fact, it established that Louis Group had no legal basis to process the health data of its employees for the scoring purpose. Louis Group could neither prove that its legitimate interest overrode the data protection rights and interests of the employees, nor was it entitled to process the health data under any other provision. The ‘prize’ Louis Group received for its innovative idea was a fine of EUR 82.000 and a ban on the scoring system.
My piece of advice to you: always act extra prudently when processing health data, especially for ‘unusual’ purposes. Further, legitimate interest as a legal basis may be the ace of trumps, but it is certainly not all-powerful.
2. Obstructing the withdrawal of consent in Poland
The company ClickQuickNow got into trouble with the Polish supervisory authority because of its consent withdrawal practices. In short, to withdraw consent one had to click on a link and state the reason for the withdrawal. If the data subject failed to indicate a reason, the withdrawal mechanism stopped, letting ClickQuickNow continue to process the data.
Obviously, the Polish authority was not very happy with this situation. It established that ClickQuickNow infringed the provision of the GDPR which sets forth that the data subject shall be able to withdraw consent at any time and that it shall be as easy to withdraw consent as to give it. The practice of ClickQuickNow, which made it difficult or even impossible to withdraw consent, was rewarded with a fine of PLN 201.000 (ca. EUR 47.000).
To avoid such sanctions when relying on consent as the legal basis of processing, always inform the data subjects about the possibility of withdrawal and make it easy for them. For example, if your customer can give consent on your webpage by ticking a checkbox, withdrawal should also be possible with a simple click.
3. Not dealing with data subjects’ requests in Romania
BNP Paribas Personal Finance SA’s fault, according to the Romanian supervisory authority, was that it failed to respond to data subjects’ requests on time.
The authority started its investigation based on complaints from BNP Paribas’ clients and came to the conclusion that BNP Paribas failed to respond to its clients’ requests within the one month set forth by the GDPR. It was a costly delay for BNP Paribas: it had to pay a fine of ca. EUR 2000.
It is essential to deal with your clients’ GDPR-related requests on time. Experience shows that the majority of data protection authorities’ investigations are the result of complaints from data subjects. By handling the requests properly, the involvement of the authority can in many cases be avoided.
4. Unsolicited telemarketing in Italy
The case of the Italian company Eni Gas and Luce confirms my statement above. The supervisory authority started an investigation based on dozens of complaints filed after the GDPR entered into force.
The Italian authority established that, among other things, Eni Gas made advertising calls without consent or, even worse, despite the explicit objection of the persons contacted. Further, the company acquired lists of prospective clients from database providers who had not obtained consent for such disclosure. Together with other GDPR breaches, this amounted to a ‘nice’ fine of EUR 11,5 Million.
When it comes to direct marketing activities, I propose acting with the utmost caution. This is an activity which annoys a lot of people, and the anger often leads to complaints. Make sure that you have a valid legal basis before you start making the calls.
5. Inappropriate technical and organizational measures in Germany
Last but not least, here comes the not very pleasant adventure of 1&1 Telecom GmbH before the German data protection authority. The company operated a customer service hotline on which a caller only had to provide the customer’s name and birth date to obtain extensive information about the customer.
According to the authority, this authentication system was too simple and a hotbed of personal data misuse and data breaches, infringing the controller’s obligation to take appropriate technical and organizational measures to protect personal data. 1&1 Telecom realized the problem and started working on a solution even during the investigation. Unfortunately, that did not stop the authority from imposing a fine of ca. EUR 9,5 Million. However, this was in the lower range, as the authority took the cooperation of 1&1 Telecom into account.
What you can learn from 1&1 Telecom’s mistake is that, when operating a customer service hotline, you should use stronger authentication methods (including, for example, a password or code word). I hope that the supervisory authority will never investigate your company, but if it does, always try to cooperate, as it might mitigate the fine, as in the above case.
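To make the difference between the two hotline schemes concrete, here is an added illustration in Python. It is not code from the article or from 1&1 Telecom's actual system; the customer records, the code word and the lockout threshold are constructed for the example. The weak function hands out account details to anyone who knows a name and birth date, which are easy to find out. The hardened function uses name and birth date only to identify the account and then demands a secret code word, stored as a salted PBKDF2 hash, compared in constant time, with failed attempts counted, logged, and locked out after three failures.

```python
"""Hotline caller authentication: the weak name + birth-date lookup from the
1&1 Telecom case beside a hardened knowledge-factor check.
Added example with constructed sample data; not the article's or 1&1's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3            # assumption for the example: lock hotline access after 3 wrong code words
_PBKDF2_ITERATIONS = 200_000


@dataclass
class Customer:
    name: str
    birth_date: str         # ISO date, e.g. "1985-04-12"
    salt: bytes
    codeword_hash: bytes
    account_details: str    # what the agent may read out once the caller is verified
    failures: int = 0
    locked: bool = False


def hash_codeword(codeword: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked customer table does not leak code words."""
    return hashlib.pbkdf2_hmac("sha256", codeword.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def enrol(name: str, birth_date: str, codeword: str, account_details: str) -> Customer:
    """Create a customer record; only the hash of the code word is stored."""
    salt = os.urandom(16)
    return Customer(name, birth_date, salt, hash_codeword(codeword, salt), account_details)


def _find(customers, name: str, birth_date: str):
    return next((c for c in customers
                 if c.name.casefold() == name.casefold() and c.birth_date == birth_date), None)


# --- the weak scheme described in the case -------------------------------
def weak_lookup(customers, name: str, birth_date: str):
    """Returns full account details to anyone who knows name and birth date.
    Both are quasi-public, so this identifies the account but authenticates nobody."""
    match = _find(customers, name, birth_date)
    return match.account_details if match else None


# --- hardened: identification first, then proof of a secret ---------------
def verify_caller(customers, name: str, birth_date: str, codeword: str, audit: list):
    """Name and birth date identify the account; the code word authenticates the caller.
    Returns account details on success, None otherwise. Every attempt is appended to
    `audit` so repeated failures against one account can be detected."""
    match = _find(customers, name, birth_date)
    if match is None:
        audit.append("no-account")          # same outcome as a wrong code word: reveals nothing extra
        return None
    if match.locked:
        audit.append(f"locked:{match.name}")
        return None
    candidate = hash_codeword(codeword, match.salt)
    if hmac.compare_digest(candidate, match.codeword_hash):   # constant-time comparison
        match.failures = 0
        audit.append(f"ok:{match.name}")
        return match.account_details
    match.failures += 1
    if match.failures >= MAX_FAILURES:
        match.locked = True                 # reset only via another channel (e.g. letter to the customer)
    audit.append(f"fail:{match.name}:{match.failures}")
    return None


if __name__ == "__main__":
    # Constructed sample record, not a real customer.
    book = [enrol("Anna Example", "1985-04-12", "blue-heron-42", "contract 0042, tariff X")]
    log = []
    print("weak   :", weak_lookup(book, "anna example", "1985-04-12"))
    print("hardened, wrong word:", verify_caller(book, "Anna Example", "1985-04-12", "guess", log))
    print("hardened, right word:", verify_caller(book, "Anna Example", "1985-04-12", "blue-heron-42", log))
    print("audit  :", log)
```

The point of the audit list is detection: a run of `fail:` entries against one account is exactly the pattern a weak name-and-birth-date scheme can never surface, because in that scheme every lookup succeeds.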