With the inception of the GDPR in May 2018, several companies and their offices were not, and many are still not ready to be compliant with the enhanced European privacy rules and were scared for the potential high penalty payments. This fear was not without grounds.

First fines

In January 2019, tech giant Google received a EUR 50 million fine from the French Data Protection Authority CNIL for not properly informing users about its data consent policies and for not giving users enough control over how their personal data was used for personalized advertising.

In July 2019, the airline British Airways and the Marriott hotel chain received even higher fines of respectively EUR 205 million and EUR 110 million for not properly protecting the personal information of their customers. These cases, of course, are the most notorious considering the substantial financial punishments. However, the Data Privacy Authorities (DPAs) throughout Europe are not only focusing on the big conglomerates and the major fines. Over the past year, smaller organizations and even individuals have also received penalties for non-compliance with the GDPR.

Here are a few examples to better paint the picture:

  • in January 2019, the Portuguese hospital Centro Hospitalar Barreiro Montijo received a fine of EUR 400,000 from the Portuguese Data Protection Authority as a result of three identified non-compliances with the GDPR. Two of these three concerned the lack of technical and organizational security measures to protect the confidentiality, integrity, and availability of medical data;
  • in May 2019, the Data Privacy Authority of Norway issued a fine of EUR 170,000 to the municipality of Bergen for having insufficient security measures in place: usernames, passwords, dates of birth and school grades were unprotected;
  • in June 2019, the football league La Liga was issued a fine of EUR 250,000 by the Spanish Data Protection Authority for using a mobile app to discover bars that were ‘illegally’ streaming football matches. The app used the user’s microphone while users were unaware of this and unable to withdraw consent; and
  • in May 2019, the Belgian data protection authority issued a modest fine of EUR 2,000 to a mayor who misused personal data for election purposes.

Getting ready for more GDPR enforcement

These examples are part of over EUR 56 million in fines issued by the DPAs of 11 EU member states in the first year of the GDPR. In this respect, the European Data Protection Board indicated that in the first year 281,088 cases had already been reported, consisting of 144,376 ‘complaints’ and 89,271 ‘data breach notifications’ [1]. It is important to note that this is only the beginning, as many European DPAs have substantially increased their workforce and budget, indicating that further and more extensive GDPR enforcement is expected soon [2]. Now, most of the DPAs are ready for the next phase! But what are the potential repercussions? Let’s, for example, take a look at what the Dutch DPA (Autoriteit Persoonsgegevens or AP) did in this respect.

On March 14th, 2019, the AP released a policy guideline which included, among other things, a fine categorization based on the GDPR. The AP has divided the different provisions of the GDPR into four categories, each category reflecting a base fine and a specific range for the fines in that category:

  • Category I: fine range between EUR 0 - EUR 200,000; base fine EUR 100,000
  • Category II: fine range between EUR 120,000 - EUR 500,000; base fine EUR 310,000
  • Category III: fine range between EUR 300,000 - EUR 750,000; base fine EUR 525,000
  • Category IV: fine range between EUR 450,000 - EUR 1,000,000; base fine EUR 725,000

The policy guideline lists, per provision of the GDPR, the fine category into which a breach of that provision would fall. Some examples:

  • the obligation for both controllers and processors to enter into a data processing agreement (clause 28 GDPR): Category II;
  • the obligation to ensure a level of security appropriate to the risk (clause 32 GDPR): Category II;
  • the obligation to only process personal data when you have a legal ground (such as specific consent or a contract) (clause 6 GDPR): Category III;
  • the prohibition of processing sensitive personal data (such as biometric data, ethnic origin, and political opinions), unless explicit consent has been granted (clause 9 GDPR): Category IV.

Not millions?

One might think: “Hey, that is not the EUR 10 million, EUR 20 million or percentage of our worldwide turnover that I am usually scared with!” Well, that is not entirely true. The categorization is just an overall outline, and the AP always has the authority to issue fines from a higher category. The AP retains the autonomy to apply higher or even the GDPR maximum penalties if it deems this appropriate. Therefore, you are not off the hook and should ensure that you are and will remain GDPR compliant. The policy guideline should simply be considered another critical step towards the AP more actively imposing fines.

Buckle up…

Such policy guidelines, the overall increase in workforce and budget for GDPR enforcement, and the significant number of cases already reported to the DPAs give the DPAs the guidance, power, and ability to actually enforce the GDPR. So, let’s see what year two is going to bring... Buckle up, it’s gonna be fines!


[1]: IAPP Report, May 2019: “GDPR at One Year: What We Heard from Leading European Regulators”

[2]: E.g., the Irish Data Protection Commission has increased its budget to EUR 15.2 million this year, which allows it to hire more staff. Also, the Dutch DPA received an extra EUR 3.4 million for enforcing the GDPR in the upcoming years (see, e.g., the Annual Report 2018 of the Dutch DPA (in Dutch), page 18). In Lithuania, the DPA has published a plan to perform 75 ex officio investigations in 2019.


Authors: Nadine Hoogerwerf (ISO) & Reinout Bautz (GC)


Originally published on July 8, 2019

Last update on February 9, 2021