For violation of the GDPR is punished more actively - fresh fines and the impact of regulations outside the EU

We tell whom the regulators have punished, how and what this can affect.

/ photo by Marco Verch CC BY

GDPR entered into force over a year ago. During this time, the European Commission issued almost a hundred fines - the total amount exceeded tens of millions of euros. We told about some of them last time .

Today we continue the topic - we are talking about fresh "letters of happiness", and discuss the impact that the General Regulations on data protection have on regulation in other countries.
')

New fines

Interestingly, one of the most recent ones was issued by IDdesign, which sells furniture. The organization violated the requirement of the fifth article of the GDPR . It says that you can store personal data of users no longer than required by the processing goals. In IDdesign, the data of 385 thousand clients was not timely removed. This feature has not been implemented in a new CRM system of the company. As a result, the furniture store received the largest fine, which the Danish regulator wrote out since the entry into force of the GDPR - 200 thousand euros.

For a similar violation in Lithuania punished payment service MisterTango. The company has not deleted the personal data of customers when the need for their processing has disappeared. Plus, the company’s employees did not inform the regulator about last year’s incident, when information on 9,000 payment transactions was accidentally made public. MisterTango ordered to pay 61 thousand euros.

In Germany, the transport company Kolibri Image received a fine. She was obliged to pay 5 thousand euros for a violation related to an error in the documentation. Another fine of 2 thousand euros was issued to a private person. The user sent an email to a large number of recipients, setting its type as CC (copy), not BCC (hidden copy). As a result, email addresses were seen by other recipients. This situation was regarded as a leak of personal data.

By the way, a similar violation was recorded in the UK a few years earlier. Only in this case, the clinic for HIV patients received a fine (in the amount of 180 thousand pounds). Then the penalty was issued according to the Data Protection Directive, which was replaced by the GDPR. It is believed that with the GDPR, the organization would have to write a check for a much larger amount.

Is GDPR effective?

Representatives of the European Commission believe that over the past year, the GDPR has proven its effectiveness. According to them, the regulations helped to draw users' attention to the problem of data security. For example, the number of complaints registered by the British regulator has almost doubled over the past year - from 21 thousand to 41 thousand.

But in the IT industry there is an opinion that GDPR has just created another market for law firms and consultants. According to Bjorn Stormorken, financial director of the Swedish social platform Idka AB, the main goal pursued by companies in the new environment is not data security. It is the desire to satisfy the requirements of the GDPR with minimal costs.

Some regulators do not rush to punish violators. About ten EU countries have not written a single penalty for GDPR. Among them are: Belgium, Croatia, the Czech Republic, Finland, Spain, etc. Some states have limited themselves to relatively minor sanctions. In Latvia, the maximum penalty to date is 2 thousand euros, and in Bulgaria - 5 thousand.

Although experts say that in the future we can expect a sharp increase in the number of fines and their size. Already in Ireland are studying the affairs of several major American IT companies. Probably, positive decisions will be made on them.

Impact of GDPR outside the EU

Many countries followed in the footsteps of GDPR, having worked through their data protection laws. Last year, the corresponding bill was presented in India. The authors say that the document was drafted taking into account the specifics of IT regulation in the country, but foreign experience was also introduced. Another example is CCPA, which was approved in California. We talked about these two bills in our blog - here and here .


/ photo by Alexander Gerst CC BY-SA

The law, similar to the GDPR, decided to introduce China - its final version was presented earlier this year. The authors of the law themselves say that it was created “based on” the GDPR. His goal is to give Chinese people more control over their personal data.

Chinese regulators have already begun to assess the "scale of the problem." Since January, they check popular applications for smartphones and see if they collect extra information about users. Checks touched food delivery services, taxis and navigators.

Some believe that the new law will lead to a common denominator of 200 other regulations relating to cybersecurity. However, Professor Chi Aimi (Qi Aimi) from Chongqing University nevertheless noted that the new bill should not copy the GDPR, since China has many more Internet users and one of the most developed digital economies in the world.

Time will show how the Chinese bill will show itself and what impact it will have on the global community. A law very similar to the Chinese has already been prepared in Vietnam. And in Tanzania, they work closely with Chinese lawmakers responsible for cyberspace.

---

What we write about in our Telegram channel:

• What you need to know about PCI DSS: talking about the requirements of the standard
• How to get PCI DSS certification

Other content on the regulation of PD in our blog:

• Year in action: who and for what was punished according to the GDPR
• GDPR effect: how the new regulation has affected the IT ecosystem

---