More than four years after the General Data Protection Regulation 2016/679 (GDPR) came into force, companies and organizations that process personal data inside and outside the EU have come to realize the benefits that privacy-friendly business management can entail. Furthermore, in the last years it has become evident that processing personal data in violation of GDPR obligations and national laws exposes companies to heavy penalties and also to damages of different kinds.
Unlawful consent for data processing
A large number of sanctions have been issued in relation to the processing of personal data (in particular for marketing and the sending of profiled and non-profiled commercial and advertising material) without data subjects’ valid consent. Some of the heaviest fines relate precisely to this type of violation, such as that of the Luxembourg DPA against Amazon. On this occasion, the US e-commerce giant was found to have used an advertising targeting system without valid consent. Similarly, many of the highest fines ever imposed relate to the same kind of violation. In both cases.
The Human Error – breach of data subjects’ confidentiality
Many of the sanctions issued by EU DPAs in the past years concern violations resulting from human error that negatively impacts the confidentiality of client and patient data held by large companies. This is the case, for example, with the sanction issued by the ICO against HIV Scotland: due to a human error, the charity sent a group email with the recipients in CC rather than BCC, disclosing identifying information of 65 data subjects and making their HIV statuses accessible.
A similar situation led the Italian DPA to issue a €70,000 sanction against a hospital, which sent two medical newsletters with the recipients in CC. On this occasion, the personal data of all recipients were disclosed, and it was also possible to deduce important health information from the contents of the newsletters.
Insufficient TOMs (Technical and Organizational Security Measures)
Two relevant sanctions are certainly those proposed by the ICO against British Airways (€22.4 million) and the international hotel group Marriott (€20.45 million). In both cases, the cybersecurity verification process was insufficient and therefore allowed unauthorized third parties to breach the personal data processed by the two companies. The famous hotel chain was exposed to numerous cyber-attacks that led to the breach of the personal data of a large number of customers. These data breaches were then traced back to the lack of adequate protection measures for the former Starwood Hotels’ systems, exposing Marriott to significant penalties and brand damage.
Last but not least – unlawful processing of employees’ personal data
Of particular note is the fine issued by the HmbBfDI (Hamburg DPA) against the retail brand H&M (€35,258,707.95). H&M’s violations of the GDPR consisted of monitoring the activities of several hundred employees, recording ‘back to work’ meetings and making them accessible to more than 50 H&M managers, exposing events in employees’ private lives, including sensitive information (e.g., religious beliefs). Furthermore, all this information was then used to evaluate employees’ performance and to base important decisions about their employment on it.