Recent General Data Protection Regulation (GDPR) decisions made by data protection authorities (DPAs) across the European Union provide insight into enforcement trends and the concerns of local regulators.
In September, Austria’s national postal service, Austrian Post, was hit with a record €9.5 million (U.S. $11 million) fine for not enabling people to inquire about any personal data it might have on them via email, even though individuals could make queries via letter, online, and through customer service.
The company has been in hot water with the Austrian DPA before. In October 2019, it received an €18 million fine for processing personal data on the alleged political affinity of affected data subjects. That fine, as well as criminal proceedings, was annulled in a court decision in November 2020.
The company said it plans to appeal this second penalty, too.
The Hamburg DPA, which is fast gaining a reputation as one of Germany’s toughest data regulators, announced in September a fine of approximately €900,000 (U.S. $1.04 million) against electricity supplier Vattenfall Europe Sales. The company had allegedly used personal data it had ostensibly stored for tax purposes to check whether new customers had repeatedly taken advantage of its welcome sales promotions in the past.
According to the Hamburg DPA, the company was concerned that customers were signing up for its introductory offers, leaving for a rival firm once the contract term was up, and returning for the same introductory rate a year or two later.
The DPA held Vattenfall violated transparency obligations under the GDPR (Articles 12 and 13), as customers were not sufficiently informed about the data comparison. A total of around 500,000 people were affected.
Of note, the data processing itself was not a breach of the GDPR; in fact, such processing is not explicitly regulated under the rules.
Norway’s DPA fined toll company Ferde around €500,000 (U.S. $580,000) after an investigation—started after media reports—found data on Norwegian cars and their owners was being processed in China illegally.
The DPA held that Ferde had breached several of the organization’s “basic” responsibilities under the GDPR between September 2017 and October 2019. The regulator said the company had no valid basis for transferring personal data to China, had failed to establish a data processing agreement and to carry out a risk assessment, and lacked a legal basis for processing personal data about motorists in China.
France’s CNIL fined insurance group AG2R La Mondiale €1.75 million (U.S. $2.03 million) in July for retaining the personal data of customers too long after their contracts had ended while also failing to inform people sales calls were being recorded.
It is the regulator’s third largest fine to date, following penalties of €50 million and €2.25 million against Google and supermarket chain Carrefour, respectively.
Following an inspection in 2019, the CNIL found AG2R was storing the data of more than 2 million customers, including health and bank details, beyond the legal retention periods allowed after the end of the contract. It also found the data of almost 2,000 people the company thought it could pitch its products to—but who had not had any contact with the company—were kept for more than three or five years.
The CNIL also found that telephone calls made by the company’s data processors could be recorded without the person contacted being informed of their right to object to the recording.
The company has accepted the fine and is in the process of making changes to comply with the GDPR.