From pandemonium to fines – a review of GDPR enforcement in Europe

Do you remember the Y2K bug in the run-up to the new millennium? Warnings that computer systems and networks would stop functioning on 1 January 2000 led to panic and pandemonium as people prepared for its impact.

In some ways, the introduction of the GDPR (General Data Protection Regulation) was reminiscent of the Y2K scare. 

Despite the two-year transition period, a lot of organisations left it to the last few months before the enforcement date to get themselves GDPR ready.  

Inboxes were flooded with emails about updated privacy policies, and plenty of organisations sought reconsent to continue processing information they had gathered prior to the GDPR – even though, in many cases, they did not need to.

So, what did happen on 25 May 2018? 

Here are a few newspaper headlines from the day: 

Max Schrems files first cases under GDPR against Facebook and Google 

Schrems is an Austrian activist and founder of non-profit organisation NOYB (None of Your Business) who is known for launching campaigns against Facebook, claiming the tech giant violated consumer privacy and transferred users’ personal data to the US National Security Agency.

The day the GDPR came into force, Schrems lodged complaints against Facebook, Instagram and WhatsApp through data protection authorities in Austria, Belgium and Hamburg, Germany. He stated that Facebook and its subsidiaries were forcing users to accept the platform’s updated ‘intrusive’ terms and conditions or lose access to the services.  

Schrems also filed a complaint about Google’s operating system with the French data protection authority, CNIL. The complaint stated that users who purchased a phone with an Android operating system are automatically pushed into Google’s environment, breaching their right to be informed.  

U.S. news outlets block European readers over new privacy rules 

Some organisations in the US decided to deal with the GDPR by not dealing with it. Their solution to handling the Regulation was to stop providing their products and services to readers in the EU. This is still the case today for a number of US news organisations.

The Irish Times view on GDPR: bigger than Beyoncé 

In the weeks leading up to 25 May 2018, the term GDPR trended higher in Google searches than Beyoncé. Given that Beyoncé has more than 100 million followers on Instagram, and more than 15 million on Twitter, this is a considerable achievement.


What has happened over the past year? 

It’s just over a year since the GDPR became applicable. What’s happened in that time?


GDPR notifications so far  

The DLA Piper GDPR Data Breach Survey: February 2019 looks at data breaches reported to supervisory authorities between 25 May 2018 and 28 January 2019.

The report is based on figures from 23 EU member states and Norway, Iceland and Liechtenstein. 

In that period there were 59,430 reported data breaches, ranging from minor breaches, such as emails sent to the wrong individual, to major incidents, such as cyber attacks that affected millions of people.

In terms of data breach notifications, the Netherlands tops the list with more than 15,400, followed by Germany (12,600) and the UK (10,600). Ireland is fourth with 3,800. While this doesn’t seem too bad compared to the Netherlands, Germany and the UK, when the results are weighted to consider the country’s population, Ireland moves up to second place. The Netherlands is still first but the UK and Germany drop to 10th and 11th respectively.

The number of notifications continues to grow. On 22 May 2019, the EDPB (European Data Protection Board) revealed that EEA (European Economic Area) supervisory authorities had logged 144,376 queries and complaints and 89,271 data breaches since the GDPR’s enforcement date.


Some GDPR fines to date 


On 21 January 2019, the French supervisory authority, CNIL, imposed a €50 million fine on Google – the highest GDPR fine to date. The fine was issued for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertisements.

The fine results from complaints made to CNIL by two groups, one of which was Max Schrems’s NOYB group.

CNIL found that information held by Google is not easily accessible for users and that users are not sufficiently informed when giving their consent.


In October 2018, a Portuguese hospital was fined €400,000 for three GDPR violations: 

  • €150,000 for excess numbers of users having access to patient data. Although only 296 doctors worked at the hospital, there were 989 doctor profiles on the system, all with access to patient files and medical information.
  • €150,000 for not having adequate technical or organisational measures in place to prevent unlawful access. 
  • €100,000 for not being able to ensure the continued confidentiality, integrity and availability of systems.  

What’s interesting about this fine is that CNPD, the Portuguese supervisory authority, acted on a newspaper report and not on any complaint.


UODO, Poland’s data protection office, fined digital marketing company Bisnode €220,000 in March this year for failing to fulfil its obligations under Article 14 of the GDPR.

Bisnode took the data of more than 6 million individuals from the government public register and used it for commercial reasons without informing them.


Germany’s data protection authority differs from other countries as data protection laws are delegated to each of the 16 states, each of which has its own authority. A committee of representatives is appointed from each authority to ensure a consistent approach throughout the state.

So far, fines have been imposed in 6 of the 16 German states and by May 2019 a total of 75 fines had been issued.  


On 12 September 2018, a €4,800 fine was issued to a sports betting café in Austria for operating an unauthorised CCTV system that covered public streets as well as car parks. It was not adequate for the purposes of the processing and was not limited to a necessary extent. There were no logs of video surveillance processing operations, no deletion of the personal image data recorded and no separate logs for processing in this regard. In addition, the filmed area did not have adequate signage about CCTV being in use.


On 28 May 2019, the Belgian Data Protection Authority announced its first GDPR fine. A mayor was fined €2,000 for misusing personal data for electoral campaign purposes. The mayor reportedly sent election propaganda to two constituents who had contacted him about an urban development project. According to officials, this was a breach of the Regulation as the mayor used the personal data for a different purpose from that for which it was originally collected.

This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’. To view the full webinar, click here.  

Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries. 


Further reading:  

Delve deeper into the Regulation with part one of our ‘GDPR one year on series: An overview of the GDPR with Alice Turley, data protection expert’.  
