Application of the General Data Protection Regulation (GDPR), which entered into force almost 4 years ago, is still a challenge for businesses, but the investigations initiated by the supervisory authorities and the increasing fines show that the “transitional period” is over. 5 out of the 10 largest fines for violations of the GDPR in the world were imposed last year. The first six-figure fine in Lithuania was also imposed last year. So what can we learn from others’ mistakes?
The GDPR fines worldwide in 2021 exceeded EUR 1 billion which is 6 times more than in the previous year. And if the markets were surprised by the first multi-million fine (EUR 50 million) imposed on Google in 2019, the level of fines in the last year reached unexpected heights. Last year, Amazon Europe was fined EUR 746 million and WhatsApp Ireland was fined EUR 225 million for violations of the GDPR.
We suggest looking at some of the most interesting cases of the last year in which significant fines were imposed by the EU personal data protection supervisory authorities. These cases and the lessons they teach can also be very relevant to many organizations in Lithuania.
1. Amazon was fined EUR 746 million for improper personal data processing in direct marketing
The case of Amazon is unprecedented: it is the highest GDPR fine imposed so far, and it is twice as high as all other GDPR fines combined.
In Luxembourg, it was investigated whether the company had obtained appropriate consent from users for direct marketing and whether such personal data had been unlawfully transferred to third parties. Amazon tried to justify its position by citing the legitimate interest of the company and the performance of contracts with its customers, but the supervisory authority of Luxembourg was not convinced by these arguments.
What does this imply?
Organizations may send promotional messages only if the person has given consent to them. Many businesses in Lithuania have already got used to this rule, but still little attention is paid to the proper wording of the consent and to the proper administration of the systems when such consent is withdrawn.
It should be remembered that a separate consent must be given for each means of communication, i.e. e-mail and SMS messages require two separate consents. Finally, users must have a clear and free-of-charge possibility to withdraw their consent, and when a business receives a withdrawal, it must act on it immediately.
2. WhatsApp Ireland was fined EUR 225 million for improper information on the personal data they process
As we know, when a user installs WhatsApp, it checks the telephone contacts, identifies which of those telephone numbers belong to WhatsApp users, and adds them to the user’s WhatsApp contact list. The Irish authority identified that during this check WhatsApp imports all contacts held on the telephone (i.e. not only the WhatsApp users) into its system and then applies algorithms intended to depersonalize the telephone numbers of non-users. In fact, however, it was established that a person could still be identified. The supervisory authority decided that WhatsApp had not properly fulfilled its obligation to inform non-users of WhatsApp about the processing of their personal data.
It was also established that WhatsApp informed its users in an improper and non-transparent manner about the transfer of their personal data to Facebook: it used ambiguous wording and spread the information across different documents.
What does this imply?
3. H&M was fined EUR 35 million for illegal collection of employees’ data and Notebooksbilliger.de was fined EUR 10.4 million for illegal monitoring of employees
Another area where significant violations of the GDPR were identified last year is monitoring of employees and illegal collection of employees’ data. In this area, significant fines were imposed on the clothing store chain H&M and the electronics retailer Notebooksbilliger.de. Both companies were fined by the German supervisory authorities.
It was established that H&M collected and stored a lot of data on the personal lives of employees on the company’s intranet. Data on the personal lives of employees were collected during meetings between employees and managers, as well as during informal conversations in which employees were asked to talk about their family problems, religious beliefs, etc. Information about an employee’s personal life was used to create a profile of that particular employee, which was intended to help the company in its employment relationship with that person.
A similar violation was registered at the e-commerce company Notebooksbilliger.de, which was fined for video surveillance of employees that failed to meet the legal requirements.
The company had been performing video surveillance of its employees for at least two years using video cameras installed in the general premises for employees, at their workplaces, in the warehouse and at sales points. In most cases the recordings were stored for 60 days. Although the company explained that the purpose of the video surveillance was to prevent theft and other criminal offences and to monitor the movement of goods in the warehouses, the supervisory authority took the view that video surveillance for the purpose of detecting criminal offences is lawful only if there are reasonable grounds for suspecting specific persons, and such monitoring must be limited in time.
What does this imply?
Personal data protection must be ensured not only in the relationships with the customer, but also with the employee. The fact that the employee has employment relationship with the company does not mean that any processing of his or her personal data, including surveillance, is justified. The Labour Code of the Republic of Lithuania states that the employee’s personal life must be respected.
Before starting the monitoring of employees, the employer must assess the purposes of such monitoring and whether those purposes can be achieved by other means. It is also necessary to assess the extent and nature of the data collected about the employee and to have approved policies covering this. In general, only the information that is necessary to achieve a specific purpose of the company, or whose processing is required by law, may be collected. When the data become unnecessary for those purposes, they must be deleted immediately.
4. Booking.com was fined EUR 475,000 for reporting personal data breach to the supervisory authority too late
The Dutch data protection supervisory authority imposed a fine of EUR 475,000 on Booking.com for reporting personal data breach to the supervisory authority too late. The incident occurred in December 2018 when hackers accessed the accounts of 40 employees in different hotels located in the United Arab Emirates and thus illegally obtained data of about 4,100 persons. Booking.com reported the incident to the data protection supervisory authority only 22 days after they had found out about the incident although it had to be done within 72 hours according to the GDPR.
According to the Dutch data protection supervisory authority, the company bears great responsibility for ensuring security of data of millions of its customers, including the obligation to inform the data protection supervisory authority immediately after a breach.
What does this imply?
Companies must have a plan covering how to respond to a personal data breach, and when and to which authorities and entities it must be reported. It is recommended to have a crisis management plan and procedures for breach identification, investigation and internal reporting, to appoint persons responsible for responding to and managing the situation in a timely manner, and to ensure both internal and external communication about the data breach.
In case of a breach, it is important to document the process, take immediate action to mitigate the possible consequences of the breach, and inform the personal data supervisory authority without delay and at the latest within 72 hours after finding out about the breach. It is also important to inform the affected data subjects (users, employees, etc.) if there is a high risk to their rights and freedoms.
The cases discussed above show that companies must inform their customers, in a clear and detailed manner, about the personal data they process and the purposes of the processing, drafting privacy notices based on their own business model rather than publishing template notices. Promotional messages may be sent only if explicit consent has been obtained, as practice shows that justifications such as “legitimate interest” or “performance of a contract” are clearly inappropriate. It is also obvious that collecting data about employees or customers “just in case” is unlawful, as data may be collected only to the extent necessary for a specific purpose. Finally, breaches must be reported to the authorities immediately; otherwise significant fines may be imposed.
Moreover, if it is established that the company processes the data of customers and employees in violation of the GDPR requirements, the business faces legal liability and suffers huge reputational damage. Therefore, it is important to invest in system security, so that customers can feel secure about the protection of their data, and in employee training on how to handle customers’ data and how to act in case of a data breach.
Comment written by Loreta Andziulytė, the Lawyer and Partner of ECOVIS ProventusLaw
The author’s opinion does not necessarily coincide with the position of the editorial board.