Data Breach Fines and Penalties Update
Technology and Innovation Partner Deirdre Crowley outlines some notable fines and penalties from 2022
Trend Analysis: Surveillance of Employees
A clear trend which has started to emerge is the increased willingness of data protection regulators to impose fines for the unlawful surveillance of employees by their employers. These fines heighten the importance of HR Departments considering data protection laws prior to implementing any form of employee monitoring, whether that be CCTV within the workplace, email monitoring, biometric verification for keeping track of attendance, or productivity monitoring software.
Amongst other things, it is essential that the data protection principles are complied with at all times; that there is a clear lawful basis for the monitoring; that such monitoring is transparent and proportionate; and that a Data Protection Impact Assessment ("DPIA") is carried out in advance of such monitoring.
The following are some examples of fines which were issued by data protection authorities due to the unlawful surveillance of employees:
Romania
17 May 2022 - €1,500
MAYR MELNHOF PACKAGING ROMANIA S.R.L.
The controller installed a surveillance system which captured the employees' dining room and smoking area. The controller was found by the DPA to have excessively monitored employees beyond the stated purpose of ensuring the health and safety of employees, and the security of the company's assets.
GDPR Provision Breached: Article 5(1)(b) and (c), Article 5(2), Article 6
Spain
30 November 2021 - €20,000
DAVISER SERVICIOS, S.L.
The controller processed biometric data (i.e. the fingerprints) of employees for access to certain rooms, although less intrusive means (such as key cards) could have been used to protect the privacy of the data subjects.
GDPR Provision Breached: Article 5(1)(c)
Trend Analysis: Data Protection Officers
Another trend which we have seen emerge recently is the heightened scrutiny data protection authorities are placing on controllers' compliance with their obligations relating to data protection officers ("DPO").
Key learnings from recent fines on this topic are:
- the importance of appointing a DPO and notifying your supervisory authority of their contact details if you fall within one of the three criteria outlined in Article 37(1)(a) – (c);
- the importance of ensuring your DPO's full independence and not appointing your DPO to roles which may impede their ability to act independently as the DPO; and
- ensuring that your DPO has a direct line to the C-Suite.
There is likely to be further scrutiny and enforcement in regard to DPOs in the year ahead, as the EDPB has announced its next coordinated enforcement action will focus on the designation and position of DPOs. In a coordinated action, the EDPB prioritises a certain topic for DPAs to work on at national level. The results of these national actions are then "bundled and analysed, generating deeper insight into the topic and allowing for targeted follow up at both national and EU level".
The following are some examples of fines which were issued by data protection authorities due to controllers breaching their obligations relating to DPOs:
Italy
1 August 2022 - €26,000
Municipality of Policoro
The DPA found that the municipality had not fulfilled its obligations in appointing a DPO as the municipality had appointed its attorney as DPO, which the DPA found constituted a conflict of interest.
GDPR Provision Breached: Article 5(1)(a) and (e), Article 5(2), Article 12, Article 13, Article 24, Article 38(6)
Belgium
16 December 2021 - €75,000
Banking Organisation
The DPA identified a conflict of interest regarding the DPO. In addition to his work as DPO, he was also head of a department to which he had to report in his capacity as DPO. The DPA considered this to be a violation of Article 38(6) GDPR.
GDPR Provision Breached: Article 38(6)
Greece
29 December 2021 - €75,000
Greek Ministry of Tourism
The DPA's investigation found that the Ministry of Tourism had not appointed a DPO, even though an email address of the Ministry's DPO was provided on the Ministry's online platform. This email address, as it turned out, was not active.
GDPR Provision Breached: Article 13, Article 32, Article 33, Article 37
Luxembourg
27 October 2021 - €154,000
Unknown
The DPA found that the controller failed to involve the DPO in all matters related to personal data protection. The DPO did not report directly to the highest management level. Also, the controller did not have a data protection control plan in place to demonstrate that the DPO was performing their duties appropriately.
GDPR Provision Breached: Article 38(1), Article 38(3), Article 39(1)(a) and (b)
Trend Analysis: EDPB Fines Guidelines
A final noteworthy trend which has emerged this year in relation to data protection law fines is the move by the European Data Protection Board (the "EDPB") to seek to ensure a level of consistency in the fines handed down by DPAs across the EU. In its recent 'Guidelines 04/2022 on the calculation of administrative fines under the GDPR', the EDPB put forward a methodology and starting point for calculating GDPR fines, but not the outcome. The level of fine will depend on the circumstances of the particular case, including the type of infringement under the GDPR, the undertaking's annual turnover and the level of seriousness of the infringement.
The five key steps which the EDPB identifies are as follows:
Step 1: Identify whether multiple infringements of the GDPR have been committed within the context of the same or linked processing activities. All such infringements should be considered in the calculation of the relevant fine for the purposes of Article 83(3) GDPR; however, the total amount of the fine should not exceed the amount specified for the gravest infringement.
Step 2: Find the starting point for further calculation based on an evaluation of:
- the classification in Article 83(4)–(6) GDPR;
- the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR; and
- the turnover of the undertaking with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.
Step 3: Evaluate aggravating and mitigating circumstances related to past or present behaviour of the controller or processor and increase or decrease the fine accordingly.
Step 4: Identify the relevant legal maximums for the different processing operations. Increases applied in previous or subsequent steps cannot exceed this amount.
Step 5: Analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR, and increase or decrease the fine accordingly.