Two recent GDPR fines emphasise the need to get the basics right
The ICO’s increased work enforcing GDPR breaches is well known. Preparing for GDPR was a lengthy process for many organisations. The increased level of potential fines focussed organisations on ensuring they were equipped for the changes.
Two recent fines issued by other supervisory authorities in Europe reemphasise the need to get the basics right.
Failure to delete data that is no longer required - €14.5 million fine
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed (the “data minimisation principle”). Data must also not be stored for longer than is necessary for those purposes (the “storage limitation principle”). These are two of the key personal data principles within the GDPR.
Berlin’s data supervisory authority (the Federal Commissioner in Berlin) recently imposed a €14.5 million fine against a real estate company, Deutsche Wohnen SE (“DWSE”). DWSE stored tenants’ personal data on an archiving system that did not enable data to be erased when it was no longer necessary.
The Federal Commissioner considered this a breach of the GDPR and imposed a €14.5 million fine. Unlike the ICO, the German authorities have created a fining model for GDPR breaches. These guidelines give a five-step process for supervisory authorities to follow when calculating the amount of a specific fine. DWSE’s fine represented 2% of global annual turnover. Interestingly, this was for a breach of Article 25 (the need to implement data protection by design and by default), rather than a breach of the Article 5 data protection principles (which could have resulted in a higher fine of 4% of global annual turnover, or €20 million, whichever is higher).
DWSE have confirmed they intend to dispute the fine.
This fine shows that a simple technical failure to allow deletion of data can lead to significant fines.
Difficulties withdrawing consent - €47,000 fine
Consent is not as commonly used as a lawful basis for processing data under the GDPR as it was under the Data Protection Act 1998. There are specific requirements that have to be satisfied if a data controller wants to rely on consent. For example, where consent is given, it must be as easy to withdraw as it is to give.
The President of the Polish Personal Data Protection Office recently fined ClickQuickNow Sp. z o.o. (“ClickQuick”) for obstructing data subjects’ right to withdraw their consent. According to the President, ClickQuick had not implemented appropriate technical and organisational measures enabling data subjects to withdraw consent simply and effectively. It also found ClickQuick did not have sufficient measures in place to allow data subjects to request erasure of their data.
ClickQuick were fined PLN 201 559 (around €47,000).
These fines show how failures to address the basic GDPR requirements can result in significant fines.
Compliance is an ongoing process and needs to be considered when implementing new policies. When looking at compliance, the data protection principles need to be at the forefront. A failure to embed the data protection principles is likely to result in fines. The level of these fines and those proposed by the ICO against British Airways (£183.39 million) and Marriott (£99.2 million) are a reminder of the potential exposure to the GDPR’s greater levels of fines.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.