They don’t make the headlines as often as they used to, but fines for GDPR (General Data Protection Regulation) violations continue to roll in.
There were 22 such penalties in July 2022, according to the GDPR Enforcement Tracker, bringing the total for the year to 274.
We round up some of the most notable recent incidents in this blog, looking at an online clairvoyant that illegally recorded phone calls and a Spanish bank that failed to verify its customers’ identity.
KG COM hit with €150,000 fine
Several weeks ago, the French data protection authority, CNIL, completed its three-year investigation into KG COM, and issued a €150,000 fine.
KG CM operates several websites that offer clairvoyance readings over the phone or via an online chat. Questions about its data protection practices began in 2020, when the organisation reportedly suffered a security incident that compromised customers’ data.
It sparked an investigation into KG COM that unearthed a series of GDPR breaches. The CNIL was particularly concerned with the organisation’s practice of systematically recording phone calls and its unlawful collection of sensitive data, including health records and information related to sexual orientation.
The CNIL also discovered that the firm kept banking data without individuals’ consent, and it didn’t notify individuals about the data breach that sparked the investigation.
In a notice disclosing the fine, the CNIL said that the €150,000 figure comes from two separate regulatory breaches. The first relates to the various GDPR infringements, totalling €120,000 fine.
The penalty was issued in cooperation with other EU supervisory authorities – Belgium, Luxembourg, Italy, Spain, Portugal, Bulgaria and Ireland – within the framework of the one-stop shop procedure, given that KG COM has customers from several EU member states.
Meanwhile, the CNIL issued a €30,000 fine for KG COM’s non-compliance relating to the use of cookies. This penalty relates to Article 82 of the French Data Protection Act, which contains similar but distinct rules to the GDPR regarding the collection of cookies.
The CNIL implied that that, given the scale of the penalties, the fine could have been much larger. However, it said that it accounted for the organisation’s financial situation when considering an appropriate penalty.
According to the CNIL’s investigation, KG COM showed a negative net result in 20202 after a significant decrease in turnover in recent years.
This demonstrates the oft-repeated mantra given by data protection regulators, which is that GDPR fines are intended to dissuade organisations from non-compliance rather than punish them as harshly as possible.
Although much of the debate surrounding the GDPR has concerned the enormous disciplinary powers it gives to supervisory authorities, we have seen few instances of eye-watering fines. For the most part, penalties have been reasonable and they are have almost always been proportional to the organisation’s size.
CaixaBank fined after familial dispute
The Spanish data protection authority recently fined CaixaBank €25,000 for a GDPR breach.
According to a translated version of the AEDP’s (Agencia Española de Protección de Dato) decision, the penalty relates to the bank’s failure to implement systems to verify the identity of a customer before granting access to personal data.
This violates Article 32(1) of the GDPR, which states that organisations must take appropriate technical and organisational measures to protect personal data from unauthorised access.
In this case, the mother of a data subject was trying to obtain information regarding her child’s bank account. CaixaBank initially responded by saying that it could not process the request because it had not come from the contact details associated with the account.
However, the bank later relented in a phone call and, without any identity verification, provided information about her daughter’s account.
But in a further blunder, the mother soon realised that CaixaBank had shared details about her other child and not the one she initially asked about.
The mother eventually got the information she requested after visiting an in-store branch, but she subsequently filed a complaint with the AEDP’s for CaixaBank handling of the matter.
This incident represents a curious case of GDPR enforcement. The AEDP ruled that the mother was permitted to access information about her daughter; the GDPR states that parental figures can make requests on behalf of their children, with the age at which someone in Spain is considered a minor being 14.
Nonetheless, the organisation must verify the person’s identity before completing this request, and it must ensure that it is providing the correct information. CaixaBank failed to do either of these things, which is why the AEDP imposed a €25,000 fine.
Reflect – review – refresh
Whatever your current GDPR practices look like, it’s important to remember that GDPR compliance is an ongoing process.
To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.
IT Governance has been at the forefront of GDPR compliance solutions since it was introduced. In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.
[banner]
