Political campaigning in Belgium

In May 2019, the Belgian Data Protection Authority announced a €2,000 fine for the misuse of personal data for electoral campaign purposes. Complainants had contacted the mayor’s office on another matter, but he had later used their email addresses in the run up to the municipal elections. The GDPR specifies that personal data cannot be used for a new purpose if it is incompatible with the original purpose. 

Punished for spamming

French company Performeclic was found guilty of six breaches of the GDPR in December 2020. These included no minimisation of the data collected, with superfluous information also kept; keeping that data for more than three years; no way for individuals to oppose the use of their data; an absence of a suitable data processing agreement between Performeclic and its hosting provider; and consent not being collected in a valid way prior to sending emails. The company only has two employees but was fined €7,300. 

Unlawfully selling personal data

A British motor industry employee was prosecuted for passing the personal information of service users to an accident claims management firm without authorisation. Kim Doyle compiled lists of road traffic accident data including names, phone numbers and registration numbers, before passing them on to William Shaw. Doyle was sentenced at Manchester Crown Court to eight months’ imprisonment, suspended for two year, and will have to repay £25,000 as a benefit obtained as a result of the offence. Shaw was found guilty of conspiracy to secure unauthorised access to computer data, will have to repay £15,000 and was sentenced to eight months in prison, suspended for two years. Both will also have to carry out 100 hours unpaid work and pay £1,000 in costs. 

Failure to appoint a data protection officer

Telecoms company Rapidata GmbH was fined €10,000 by the Berlin Commissioner for Data Protection because of its failure to appoint an internal data protection officer. The 2019 fine came despite repeated requests for the organisation to comply. 

Officially on unofficial business

A police officer working in Germany had to pay €1,400 after requesting data about the owner of a vehicle for private purposes, including their phone number. He then used that information to contact the person without official necessity or their consent. While state owned institutions cannot be fined, the state data protection officer found the police officer in question was not acting on behalf of the police. 

A late response to a subject access request

In Spain, Xfera Moviles was fined €5,000 by the data protection authority for not responding to a subject access request within the required timeframe (usually one calendar month). 

Thousands of unwanted phone calls

The UK’s Information Commissioner’s Office (ICO) issued fines of £270,000 to two separate companies in 2021 for making unlawful marketing calls to numbers registered with the Telephone Preference Service (TPS). It’s a free service that allows people to opt out of receiving cold calls. Call Centre Ops of Nottingham and Horse Guard of Bournemouth were found to have made almost 860,000 illegal calls between them and received fines of £120,000 and £150,000 respectively. 

Ignoring an unsubscribe request

The Romanian National Supervisory Authority fined Dante International S.A. €3,000 in February 2020. The company sent a commercial email message to an individual months after that person had confirmed that he wished to unsubscribe from such communications. The regulator found the company was obliged to complete the unsubscribe within three working days.  

There’s no hiding from the regulator

Telemarketing company Vis Consulting Sp. z.o.o. was fined €20,000 in Poland for refusing to allow the President of the Personal Data Protection Office (UODO) to conduct an inspection. The company’s owner is also subject to criminal liability including a fine or imprisonment of up to two years. After prior notification of the planned inspection, the UODO did not find anyone at the address indicated in the official records. Despite repeated attempts, the company made it impossible to carry out the inspection, and indeed decided to liquidate the entity. 

Failing to ensure the security of health records

In December 2019, London-based pharmacy Doorstep Dispensaree Ltd was fined £275,000 for failing to ensure the security of special category data. The company left 500,000 documents in unlocked containers at its premises in Edgware, including names, addresses, medical information and prescriptions belonging to an unknown number of people. 

So there you have it. At their best, GDPR fines can and do amount to thousands of pounds, and at their worst include a criminal conviction. If only these companies had taken privacy more seriously. 

The Privacy Compliance Hub

At the Privacy Compliance Hub, we make compliance easy for everyone to understand, care about and do properly. We call it a culture of continuous privacy compliance. Our platform, created by two ex-Google lawyers, provides a structured programme to follow, with a suite of engaging, relatable training videos and powerful reporting tools, giving you the confidence you’re keeping your customers, investors and the regulators happy. We tell you what to do. We give you all you need to do it. And we enable you to demonstrate that you’ve done it.