Home / GDPR Enforcement Tracker Report / Public Sector and Education

Public Sector and Education

GDPR Enforcement Tracker Report - Public Sector


So far, in the public sector 13 DPAs (the German fines are from two different DPAs) have imposed 28 fines on representatives of local government (such as mayors), police officers, schools, universities and other authorities, amounting to a total of more than EUR 3.2 million.

It is noteworthy that the groups of fines relating to insufficient legal bases for data processing (15 fines in total) and insufficient technical and organisational measures (10 fines in total) cover almost all types of violations in the public sector.

Let's take a closer look

  • In some cases, fines were imposed on schools and other educational establishments which processed some special types of personal data, such as biometric information or data relating to minors. Particularly when using modern information systems (such as cashless payment systems in canteens based on facial recognition), it must be ensured that less privacy-intrusive alternatives are kept available, as otherwise the voluntariness of consent – even if it is given by parents – may be seen as not satisfied by the data protection authorities.
  • The Data Protection Commission of Bulgaria (KZLD) sanctioned the National Revenue Agency with a fine of EUR 2.6 million for a leakage of personal data in a hacking attack due to inadequate technical and organisational measures resulting in access to personal data concerning some six million persons.
  • In Germany, two police officers were fined EUR 1,400 and EUR 800 respectively for using police databases and other police-related information for private purposes. It must be noted that in Germany, Section 43 (3) of the BDSG stipulates that no fines can be imposed on authorities and other public bodies. Accordingly, the fines against the police officers were not directed against the respective police authorities, but against the police officers as private individuals.

Main takeaway 

Public authorities' special position of trust requires particularly strict compliance with data protection laws and an exceptionally high level of protection of such data against unauthorised access. Further, the authorities must ensure that they have a legal basis for every data processing operation. Although private companies are currently the main focus of DPAs' fining activity, this may partly shift in the future. The importance of privacy in the public sector will increase, not least in connection with the use of technology in the public health system, which municipalities will rely on to tackle the COVID-19 pandemic. If the public sector neglects privacy considerations, citizens will rightly pursue their privacy rights.