
First financial penalties for breaching the GDPR

The first six months of the GDPR's application are over. From the beginning, the strongest reactions among entrepreneurs were provoked by the severe sanctions for non-compliance with the new regulations. The penalty for breaching obligations related to the processing of personal data may amount to up to 20 000 000 € or 4% of annual global turnover. According to the announcements, the first scheduled inspections will cover mainly administrators who conduct video monitoring, as well as entities from the medical and education sectors. Practice will show how severely entities that do not comply with obligations related to the processing of personal data will be punished. For now, the Office gives reassurance that, at least in the first period of inspections, it does not intend to abuse the right to impose financial penalties.

However, information about the first penalties is coming from the supervisory authorities of other European countries. It is worth paying attention not only to the amount of the penalties imposed, but also to the violations described in the decisions, which can be a valuable hint for the practical application of the GDPR.


In Austria, as in Poland, it was declared that warnings rather than financial penalties would be used in the initial period of the GDPR's application. Nevertheless, the first fine of 4,800 euros was imposed in September on an entrepreneur who improperly used video surveillance. The camera mounted in front of his workplace also covered a large part of the pavement, so it captured a public area. In addition, the entrepreneur neglected to mark the monitoring properly.


The Barreiro-Montijo Hospital Center in Portugal received a significantly higher penalty. Two serious violations of data protection rules cost the hospital a total of 400,000 euros. The hospital incorrectly managed access to patients’ personal data. Access to medical data was granted not only to doctors, but also to some social workers. In addition, over 900 profiles were created in the IT system with access rights at the doctor’s level, even though the institution employed three times fewer doctors than there were profiles. The hospital not only gave too many employees access to personal data, but also failed to ensure the integrity and security of the data collected in the system.

United Kingdom

In the near future, we can also expect penalties from the Information Commissioner’s Office (ICO) in the United Kingdom (the equivalent of the Polish PUODO). The first entrepreneur called on to cease an infringement under the threat of a financial penalty is the Canadian company AggregateIQ Data Services Ltd (AIQ), accused of being affiliated with Cambridge Analytica. The ICO accuses the company of processing the personal data of British citizens without their knowledge and without an effective legal basis. AIQ’s actions before the GDPR took effect were very controversial because of its involvement in the US presidential campaign and the Brexit referendum. Because, in the ICO’s opinion, the company continued to process personal data in violation of the law after 25 May 2018, the steps provided for in the GDPR were taken. Because the amount of the penalty depends on the financial results of the data processor, the sanctions for AIQ can be very severe.

Author: Anna Szymielewicz, team leader, DKP Legal