Sanctions for infringing data protection legislation

May will mark three years since the General Data Protection Regulation (GDPR) became directly applicable. Since May 25, 2018, national data protection authorities have started to take infringements of the Regulation seriously and the sanctions have increased constantly.

February 22, 2021

Today, Spain is the country that has imposed the most sanctions for data protection infringements, with 186 sanctions; however, if we look at the total sum of the amounts of all the fines, Italy leads the way with €70.4 M and just 45 fines. It is followed by Germany with €63.4 M and 28 fines, France with €54.7 M and 14 fines, and the United Kingdom with €44.2 M and 4 fines. Spain occupies fifth position in this list, with €15.9 M, a particularly significant figure taking into account the high number of fines imposed by the Spanish Data Protection Agency (AEPD), 138 more than the second highest, Romania, which has imposed 48 sanctions.

The main ground for imposing sanctions at European and Spanish level has been an insufficient legal basis for data processing. Of the 516 sanctions that the various data protection authorities have imposed, 210 were for infringing Article 6 of the GDPR, although some of these sanctions are based on several infringements. In Spain, almost €9 M of the total fines relate solely to a lack of legal basis for the processing. The other two infringements most often sanctioned by the European authorities were a lack of appropriate technical and organizational measures to guarantee information security under Article 24 of the GDPR, with 120 fines, and the breach of the principles relating to processing under Article 5 of the GDPR, with 89 sanctions. In Spain, some of the other most common infringements are failing to provide sufficient information under Article 13 of the GDPR and a lack of integrity and confidentiality in processing under Article 5.1.f of the GDPR.

European data protection authorities have focused most on the Media, Telecommunications and Broadcasting sector, with total fines of €119.2 M. In Spain, however, the banking sector has clearly been the most sanctioned, with €11.1 M in fines since January 2020.

The figures presented are undoubtedly significant and indicate a clear determination on the part of national authorities to ensure compliance with data protection rules, guaranteeing that processing is brought into line with the GDPR. We will follow developments in this area closely in this blog.

Authors: Josu Andoni Eguiluz and Miquel Peguera
