In January 2019, Google received the largest of the GDPR fines for noncompliance since the data privacy law became enforceable in May 2018. The fine was 50 million euros, roughly $57 million. CNIL, the French regulatory organization that levied the fine, stated that Google did not properly disclose how user data is gathered from services including Google Maps, YouTube, and search, for the purpose of displaying ads.
This fine signals that there are severe consequences for violation of this data privacy law, and that large tech companies such as Google may need to re-evaluate practices that are now noncompliant with GDPR. Though this is the most sizable GDPR fine since the enforcement date, it’s not the only one. Here are three other GDPR fines for noncompliance from various locations in the EU.
Amount of fine: 400,000 euros (About $450,000)
Date: July 17, 2018
Barreiro Hospital in Portugal received two GDPR fines for noncompliance. The first was for allowing unrestricted access to medical data by non-medical personnel, and for that offense, they were fined 300,000 euros. The second offense was noted because the hospital was deemed unable to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.”
GDPR Articles Violated: Not mentioned.
German Social Network Knuddels.de
Amount of fine: 20,000 euros (About $23,000)
Date: September 2018
The first German fine followed a data breach of social networking site Knuddels.de that was reported by the site in September 2018 but originally took place in July 2018. The data breach exposed 330,000 users’ personal information and uncovered that Knuddels.de had failed to ensure adequate data security, including storing unencrypted passwords. The organization’s cooperation with the supervisory organization LfDI Baden-Württemberg lessened the fine.
Associated GDPR Article: 32
Austrian Limited Liability Company’s Sports Betting Café
Amount of fine: 5,280 euros (About $6,000)
Date: September 12, 2018
A sports betting cafe in Austria was fined over 5,000 euros because their video surveillance system, which covered some public areas such as streets and parking lots, was deemed noncompliant by the Austrian DPA. The list of infringements included “no logs of video surveillance processing operations,” “no deletion of the personal image data recorded by the video surveillance within 72 hours,” and inadequate notices about the surveillance in the area. This was the first of Austria’s GDPR fines for noncompliance.
Associated GDPR Articles: 5.1.a & c, 6.1
GDPR fines for noncompliance are a reality in the post-enforcement world. Learn about GDPR compliance, and how FormAssembly fits into it, in our eBook: Data Collection and the GDPR: What You Need to Know as a FormAssembly Customer.