  • 25 May 2022
  • 5 min read

The state of GDPR in retail, energy, transportation, finance, healthcare and more ...

A breakdown of the state of GDPR in the following sectors: retail, energy, telecommunications, transportation, finance, healthcare and more ...

From humble beginnings in May 2018, when the regulation took effect, and an early UK fine of £275,000 against a North London pharmacy that had carelessly stored documents containing patient data, fast forward to May 2022, where we now see huge fines across most sectors. It is fair to say that the General Data Protection Regulation (GDPR) is among the world's toughest data protection laws.


In its first four years more than 900 fines were issued under the GDPR, totalling over €1.5 billion. Remember, Supervisory Authorities can impose fines of up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.


No sector is immune to these fines. Here are just a few of the 'A' listers.

GDPR fines in Retail 

Amazon: €746 million  

This huge fine, imposed by the Luxembourg DPA (CNPD), was disclosed in Amazon's July 2021 quarterly filing rather than announced by the regulator. It concerned the processing of personal data for targeted advertising without a valid legal basis, and followed an earlier €35 million fine from the French CNIL in December 2020 for placing advertising cookies without consent.

H&M: €35 million  

In October 2020, the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 for violations relating to data minimisation because of how they ‘monitored employees’.  

Notebooksbilliger.de (NBB): €10.4 million  

German electronics retailer notebooksbilliger.de (NBB) was fined in January 2021 by the Lower Saxony DPA. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. While the use of CCTV is not prohibited under the GDPR, it must be a legitimate and proportionate response to a specific problem, not continuous general surveillance.

REWE International: €8 Million  

The Austrian food retailer, REWE International, was fined after the misuse of data involved in its loyalty program. The company had been collecting users’ data without their consent and using it for marketing purposes. 

Foodinho: €2.6 million  

The Italian Data Protection Authority, Garante, fined grocery delivery service Foodinho in June 2021 for failing to follow the requirements on 'automated processing'. The delivery service was using an algorithm to rate riders and allocate their work and pay. Under Article 22, people have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them (for example on their finances, employment or access to services), and where such decisions are permitted, safeguards must include the right to obtain human intervention and to contest the decision.


GDPR fines in Telecommunications 

Cosmote Mobile Telecommunications: €6 Million  

The fine was issued by the Greek DPA, the Hellenic Data Protection Authority (HDPA), after a hack in September 2020 resulted in customers' confidential information being compromised. It was revealed that the company was unlawfully processing customer data that was not fully pseudonymised, making it easier for cybercriminals to identify individuals from the leaked data.
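The Cosmote case turns on what "fully pseudonymised" means in practice. Under GDPR Article 4(5), pseudonymised data can no longer be attributed to a person without additional information that is kept separately and protected. Simply hashing a phone number does not meet that bar: the hash is deterministic and public, so anyone holding the leaked table can enumerate plausible numbers and recompute it. The following is an added example, not code from the original article or from any of the companies named on this page; the subscriber numbers are constructed, and it contrasts an unkeyed hash with a keyed HMAC whose secret key is the "additional information" the controller keeps apart from the dataset.

```python
"""Keyed pseudonymisation of subscriber identifiers (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample data: a toy subscriber table. The numbers are invented
# and follow a made-up +30 690 000 00xx pattern so a brute-force search is cheap.
SUBSCRIBERS = [
    {"msisdn": "+306900000007", "plan": "prepaid"},
    {"msisdn": "+306900000042", "plan": "postpaid"},
]


def weak_pseudonym(msisdn: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and reproducible by
    anyone, so a leaked table can be reversed by enumerating the input space."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def keyed_pseudonym(msisdn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller. Without the key
    an attacker cannot recompute the mapping; the key is the 'additional
    information' that Art. 4(5) requires to be kept separately and protected."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def pseudonymise(rows, key: bytes):
    """Replace the direct identifier with a keyed pseudonym and keep only the
    attributes the downstream use needs (data minimisation)."""
    return [{"pid": keyed_pseudonym(r["msisdn"], key), "plan": r["plan"]} for r in rows]


def candidate_numbers():
    """The attacker's guess list: every number in the (tiny) constructed range."""
    return [f"+3069000000{i:02d}" for i in range(100)]


def reidentify(pseudonym: str, candidates):
    """What an attacker holding a leaked table can do against unkeyed hashes:
    hash each plausible number and compare. Returns the number, or None."""
    for c in candidates:
        if weak_pseudonym(c) == pseudonym:
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store in a KMS/HSM, never beside the data
    leaked_weak = weak_pseudonym(SUBSCRIBERS[1]["msisdn"])
    leaked_keyed = keyed_pseudonym(SUBSCRIBERS[1]["msisdn"], key)
    print("unkeyed hash re-identified as:", reidentify(leaked_weak, candidate_numbers()))
    print("keyed pseudonym re-identified as:", reidentify(leaked_keyed, candidate_numbers()))
    print(pseudonymise(SUBSCRIBERS, key))
```

Two things follow from this for an incident like the one above: a breach of a table of unkeyed hashes of phone numbers should be treated as a breach of the phone numbers themselves, because the attacker's enumeration is cheap; and the HMAC key must live outside the dataset (a KMS or HSM, with its own access controls and logging), since a leak of both table and key removes the pseudonymisation entirely.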

Wind: €17 million  

The Italian Data Protection Authority (Garante) issued a fine of €16,729,600 on telecoms company Wind for unlawful direct marketing activities. The regulator found that Wind's mobile apps forced users to agree to direct marketing and location tracking, and that its business partners had undertaken unlawful data-collection activities.

Vodafone Italia: €12.3 million  

Vodafone Italia’s November 2020 fine was given because the company failed to properly secure customer data, shared personal data with third-party call centres, and processed data without a legal basis. This was closely followed in March 2021 by… 

Vodafone Spain: €8.15 million  

This Vodafone fine was at the time the largest imposed by the Spanish Supervisory Authority (AEPD), a regulator that has issued many substantial penalties. It resulted from 191 separate complaints about Vodafone's marketing activity.


GDPR fines in Energy 

Enel Energia: €26.5 million  

In January 2022, Garante, the Italian DPA fined the multinational electric and gas supplier for failing to get user consent or inform customers before using their personal data for telemarketing calls. 

Eni: €8.5 million  

Eni Gas e Luce (Eni) was fined twice by Garante: €8.5 million for marketing phone calls made without a proper legal basis, and a separate €3 million for contracts concluded with customers who had never requested them. Telemarketing itself is covered by the ePrivacy Directive, but this demonstrates how processing personal data without a proper legal basis can also lead to a GDPR fine.

Iren Mercato: €2.85 million  

In June 2021, Iren Mercato was fined because a third-party marketing company was acting as their data processor and obtaining personal data without proper consent. 


GDPR fines in Transportation 

British Airways: €22 million  

In 2018 British Airways' systems were compromised. The breach affected around 400,000 customers' details, including payment card information and travellers' names and addresses. The UK Supervisory Authority (ICO) fined the airline £20 million in October 2020, well below the £183 million it had originally proposed.


GDPR fines in Banking and Finance 

Caixabank: €6 million  

The Spanish Supervisory Authority (AEPD) imposed two fines in January 2021. The first, for €4 million, related to how the bank established a 'legal basis' for using consumers' personal data. The second, for €2 million, was for violating the GDPR's transparency requirements, namely that its privacy policy was vague and inconsistent about its data processing practices.

BBVA (bank): €5 million  

The Spanish Supervisory Authority, AEPD, fined the bank in December 2020: €3 million for unclear privacy information and an unclear legal basis for processing, and €2 million for sending marketing SMS messages without obtaining consumers' consent.

Dutch Tax and Customs Administration: €3.7 Million  

In April 2022, the Dutch DPA fined the Dutch Tax and Customs Administration for unlawfully processing the personal data of around 270,000 people by placing them on its Fraud Signalling Facility (FSV) blacklist.

National Revenue Agency (Bulgaria): €2.6 million  

In 2019 the Agency suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organisational measures to protect the personal data under its control. 


GDPR fines in Healthcare 

Capio St. Göran AB: €2.9 million  

The fine, imposed by the Swedish DPA, followed an audit that revealed the healthcare provider had failed to carry out appropriate needs and risk assessments before granting access to its patient record system, resulting in many employees having access to sensitive personal data they did not need for their role.


GDPR fines in Hospitality 

Marriott: €20.4 million  

383 million guest records were exposed after the hotel chain's guest reservation database was compromised. The intrusion originated in Starwood Group's reservation system in 2014. While Marriott acquired Starwood in 2016, the compromise was not detected until September 2018. The UK Supervisory Authority (ICO) found that Marriott failed to perform adequate due diligence after acquiring Starwood and should have done more to secure its systems.


GDPR fines on Social media platforms 

WhatsApp: €225 million  

The Irish Data Protection Commission (DPC) fined the messaging service in September 2021 because it had failed to properly explain its data processing practices in its privacy notice, including how data is shared with other Meta (Facebook) companies.

Facebook: €60 million 

The French CNIL fined the social media platform in January 2022 because users could accept cookies with a single click but refusing them took several. Cookie rules sit under the ePrivacy Directive rather than the GDPR itself, but the consent standard applied is the GDPR's. 

Meta (Facebook) Ireland: €17 Million 

In March 2022, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland because, following a series of breach notifications, it could not demonstrate the security measures it had in place to protect users' data. 

Google LLC: €90 million and Google Ireland: €60 million 

On the same day as the Facebook decision, the CNIL fined the two Google entities a combined €150 million for the cookie consent mechanisms on google.fr and youtube.com, again because refusing cookies was made harder than accepting them. 

Google: €50 million 

This earlier CNIL fine, from January 2019, related to how Google provided its privacy notice to users, and how the company requested their consent for personalised advertising and other types of data processing.

Google: €50 million  

The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing. 


Finally for the present 

Some of the biggest fines involve marketing activities. Alongside failures to honour people's right to object and to erase personal data when requested, there is also the unlawful collection of biometric data, shown here in the Clearview example.

Clearview AI: €20 Million  

The Italian DPA, Garante, fined Clearview AI in March 2022 for the unlawful processing of personal biometric and geolocation data, and for breaching several principles of the GDPR, including transparency, purpose limitation and storage limitation.


The future 

The GDPR has been a leader that other countries have followed. The California Consumer Privacy Act (CCPA) came into force in 2020, and the more expansive California Privacy Rights Act (CPRA) will amend and extend it from 2023. Brazil has introduced the LGPD, India has the long-awaited Personal Data Protection Bill (PDP), and China has the Personal Information Protection Law. The list continues, but it demonstrates that data protection is now at the forefront of everyone's mind.

Financial and security regulations are aligning. Penalties are no longer the sole domain of Data Protection Supervisory Authorities but could come from any regulator. The Financial Conduct Authority fined Tesco £16.4 million for failing to protect customers’ accounts and not doing enough to prevent financial crime. 

We also see an increased desire to control Big Tech, for example the German Data Protection Commissioner insisting government organisations shut down Facebook pages, and the Online Safety Bill in the UK, seeking oversight to tackle harmful online content. 

Let’s not forget that regulations are often challenged, and the Schrems II judgement has led to massive changes in the international transfer of personal data. 

Data protection and privacy regulations are now part of everyday life but watch this space because it is an evolving landscape. 


Building cybersecurity awareness, especially in relation to emerging threats and GDPR, is the backbone of TSC's offering. Whatever the attack surface or platform, TSC's service will ensure your employees are aware and knowledgeable of the threats they will come across.

If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.