Biggest GDPR Fines of 2021

As I told you in my post, in my opinion data management is one of the 10 biggest challenges that Regulatory Compliance presents for 2022. An example of this was the second half of 2021, a year that was full of multimillion-euro fines for GDPR violations. Here is a summary of the most relevant:

1. Amazon Europe – €746m fine
2. WhatsApp Ireland – €225m fine
3. – €10.4m fine
4. Austrian Post – €9.5m fine
5. Grindr LLC – €6.3m fine
6. Caixabank SA – €6m fine and BBVA – €5m fine
7. Fastweb SpA – €4.5m fine
8. Sky Italia – €3.3m fine
9. Caixabank Payments & Consumer EFC – €3m fine
10. Iren Mercato – €2.9m fine
11. Dutch Minister of Finance – €2.75m fine
12. Foodinho – €2.6m fine
13. Mercadona – €2.52m fine
14. Deliveroo Italy – €2.5m fine
15. EDP Energía and EDP Comercializadora – €1.5m fine each

We have been continuously tracking the largest data protection fines, since before the introduction of the GDPR breaches – Non-compliance with general data processing principles

Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of the way it uses customer data for targeted advertising purposes.

In 2018, French privacy rights group La Quadrature du Net submitted a complaint. The complaint – which also targeted Apple, Facebook, Google and LinkedIn – was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received. The CNPD ruled that Amazon must commit to changing its business practices.

Afterwards, Ireland’s data authority fined WhatsApp €225m for violating privacy standards. It’s the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards (Articles 5, 12, 13, 14).

A 2018 investigation revealed that WhatsApp was not transparent enough with its customers about how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under GDPR law, and had received complaints from eight countries, including Germany, France, and Italy.

The Lower Saxony data protection authority (LfD Niedersachsen) issued a €10.4 million fine against, an online retailer, for video monitoring its employees for over two years without any legal basis (GDPR breaches – Articles 5 and 6)

The Austrian Data Protection Authority (DPA) has fined Austrian Post €9.5m for violations relating to data protection (Non-compliance with general data protection principles). This follows the data protection fine of €18 million that the company received in 2019.

The DPA claims that people should be able to inquire via email about personal data that the Austrian Post might have on them. Email inquiry is in addition to the contact opportunities already available through the mail, a web contact form and the company customer service centre.

As recently as March 2021, the Spanish data protection authority, AEPD, had imposed its largest-ever fine of €8.15 million on mobile telephone network operator Vodafone España. According to the AEPD, Vodafone España had violated multiple data protection laws while conducting various marketing campaigns and non-compliant data transfers (GDPR breaches – Articles 21, 23, 24, 28, 44, 48). Through its investigations, the AEPD found that Vodafone had failed to comply with GDPR as it, along with its distributors, collaborators, and agents, had contacted, via email, telephone and text, customers who had opted out of its marketing campaigns.

In their defence, Vodafone had claimed that they were trialling the implementation of a new routing system to verify the legality of its data and filter out users who had opted out of marketing communications. However, the AEPD had concluded that the system continued sending marketing messages to those who had specifically opted out of receiving these and noted there should have been a filtering system for all parties to use.

The AEPD found no guarantees were put in place by the processors to ensure that they had implemented effective technical and organisational measures and that Vodafone had made no such requirements.

Vodafone had also transferred personal customer data to a telecom supplier in Peru, which is outside the European Economic Area. That contract did not provision to abide by the

In the same country, the AEPD had issued a €6 million fine to Caixabank SA for breaching Articles 6, 13 and 14 of the GDPR.

In its investigations, the Spanish data protection authority found that Caixabank did not sufficiently justify the legal basis for processing personal data belonging to its customers. The bank did not comply with the requirement to obtain valid, unequivocal, and informed consent from its customers before processing their data.

The AEPD had also found that the information provided by Caixabank within various documents and channels was not uniform, and the terminology used in its privacy policy was deemed imprecise.

There was also insufficient information on the customer user profiles made by the bank, how these were leveraged, what rights customers had over these profiles and what the data retention periods were for these.

Subsequently, the Data Protection Agency imposed a record fine of 5 million euros on BBVA for the use of data without consent. The agency’s resolution includes five claims from different users who received telephone calls from BBVA, despite the fact that they had denied the transfer of their data for advertising purposes.

The Dutch Data Protection Authority (DPA) imposed a €2.75 million fine on the Dutch Tax Administration for discriminatory and unlawful data processing (GDPR breaches – Articles 5(1), 6(1) and 8). The administration should have deleted data relating to dual nationality back in 2014. Instead, they retained it and misused it.

Entitlement to childcare benefits is not contingent on nationality but on lawful residence in the Netherlands. It is unlawful to use nationality data to assess applications, combat fraud or determine risk, which was exactly what was being done.

The Tax Administration has ceased these violations now.

And finally, the last two well-known companies: Mercadona (€2.52m fine) and Deliveroo Italy (€2.5m fine).

The Spanish data protection authority, AEPD, fined the Mercadona supermarket chain €2.5 million for unlawful use of facial recognition.

Mercadona was using a facial recognition system in 48 of its Spanish shops to detect individuals with criminal convictions or restraining orders. The system also captured facial images of all customers entering their supermarkets, including children and employees.

The AEPD found the processing of biometric data through its facial recognition system unlawful, as none of the legal grounds available under Article 9 of the EU GDPR could be used by Mercadona. In addition, it found that the processing did not meet the principles of necessity, proportionality and data minimisation, transparency and privacy by design.

The data protection impact assessment conducted by Mercadona was insufficient and incomplete as it did not account for the risks posed to Mercadona employees by the data processing.

Deliveroo collected a disproportionate amount of personal data of its riders in violation of the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR.

The company used this data for the automated rating of riders’ performance and assignment of work. The company was not sufficiently transparent about the algorithms used for managing its riders, for both the assignment of orders and the booking of work shifts.

Garante imposed a number of corrective measures on Deliveroo. These included compliance with transparency requirements and implementing appropriate measures to periodically verify the correctness and accuracy of the results from their algorithmic systems.

In conclusion, compliance professionals must ensure compliance with data protection within our scope of action, because the improper handling of data is one of the greatest risks today, and data is one of the assets most sought after by cybercriminals.
