National authorities start fining for GDPR breaches

The General Data Protection Regulation (GDPR) was adopted on the 14th of April 2016 and entered into force on the 25th of May 2018. The GDPR allows personal information to flow freely in the European Union (EU) without being subject to any further measures. However, data protection breaches can result in high fines. This is also one of the differences between the GDPR and the old Directive. Moreover, national data protection authorities are already using this mechanism to bring companies into compliance.


How big are the fines?

The GDPR assigns fines depending on the severity of the infringement. For less severe violations, the fines can be up to EUR 10 million, or 2% of the company’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These fines will be applicable to violations of the GDPR articles governing controllers and processors, as well as certification and monitoring bodies.

More serious infringements to the fundamental principles of personal data protection could result in a fine of up to EUR 20 million, or 4% of the company’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Such fundamental principles include the conditions for consent, data subjects’ rights, transfer of data and the basic principles for processing.


National data protection authorities in action

In the past few months, the national data protection authorities have been busy – there are numerous cases of fines imposed on entities due to data protection violations. Examples include:

  • The Romanian national supervisory authority issued a 10,000 lei (approx. EUR 2,000)  fine for allegedly sending commercial emails without consent.
  • The Dutch data protection authority fined a health insurance provider EUR 50,000 due to mishandling of medical data.
  • The Spanish data protection agency found that a company was in violation of data protection laws because its website did not have a configuration panel or management system that allowed users to delete cookies in a granular way. The fine was EUR 30,000.
  • The Austrian data protection authority imposed a EUR 18 million fine against a company for processing the political affiliation of data subjects and further unlawful processing of data for direct marketing.
  • A company was fined EUR 12,000 by the Spanish data protection authority due to the lack of proper measures in place to validate the identity of data subjects.

Other cases are currently ongoing. This shows that compliance with data protection rules is a priority across the EU and companies have to make sure that their processing activities are lawfully conducted.


November 29th, 2019

Efrosina Zhivkova

Deputy Manager - Legal Department


Obelis at Your Service

If you wish to know more about the General Data Protection Regulation, please do not hesitate to contact us. Obelis Expert Consultants, having nearly 30 years of experience with EU Regulations, will answer any questions you may have and will gladly assist you in the process of ensuring the compliance of your data processing activities and the appointment of a GDPR Representative.

Get in touch