Please note that in the ETR 2020, this sector included "Real Estate", but as of this edition, "Real Estate" is now a separate section.
In the industry and commerce sector, DPAs from 18 different countries (+6 in comparison to the ETR 2020) have so far imposed 113 fines (+72 in comparison to the ETR 2020) on a variety of different enterprises including utility companies, global retailers, betting operators and courier services, with a total fine volume of EUR 6.9 million (-9.3 million in comparison to the ETR 2020, since "Real Estate" fines have been moved to a separate section as of this edition).
Measured by the number of registered cases, companies in the industry and commerce sector are among those most affected by GDPR fines. While the number of fines is significant, the average amount per fine is one of the lowest in the current statistics: roughly EUR 65,000 was due per violation and fine imposed. Apart from the relatively small sector of individuals and private associations, this is the lowest average fine for a single sector (on a par with the public and education sector). A mere 6 cases resulted in 6-figure fines, and only twice has a DPA imposed more than a million euros in a single fine in this sector: EUR 1,405,000 for insufficient TOMs in the UK and EUR 2,250,000 for non-compliance with general data protection principles, issued by the French DPA.
Most companies in this sector were fined for an insufficient legal basis for data processing (40), insufficient fulfilment of information obligations (20) and insufficient technical and organisational measures (TOMs, 19). The highest average amounts per fine were due for non-compliance with general data processing principles (EUR 234,925), insufficient TOMs (EUR 131,336) and insufficient fulfilment of data subjects' rights (EUR 54,660). Compared to those numbers, the average amounts per fine for a violation of information obligations (EUR 4,480) and insufficient cooperation with supervisory authorities (EUR 2,407) were relatively low. No DPA was more active than the Spanish Data Protection Authority, which imposed more than 40% of all fines in this sector (47), followed by the authorities of Romania (15) and of Belgium, France and Italy (7 each).
Let's take a closer look:
- The standout fine in this sector is the EUR 2.25 million penalty imposed on Carrefour France, currently ranking as number 16 amongst the highest individual fines imposed under the GDPR (ETid-457). The French DPA (CNIL) fined Carrefour for a total of 7 different data protection violations. Firstly, the information on the processing of data was neither easily accessible nor comprehensible for data subjects, and it was incomplete in several respects. Secondly, Carrefour did not comply with storage time limits: the data of more than 28 million customers who had been inactive for 5 to 10 years were still stored for the purposes of the company's loyalty programme, as were the data of 750,000 users of the carrefour.fr website who had been inactive for 5 to 10 years. Thirdly, Carrefour unlawfully required proof of identity for almost every request by a user to exercise a right. Fourthly, the company did not respond to several requests from individuals who wanted to access their personal data. Fifthly, in numerous cases the company did not carry out the erasure of data requested by individuals. Sixthly, the company did not respond to several requests from persons who objected to receiving advertising by SMS or email. Finally, the CNIL also found violations relating to the use of cookies placed without consent.
- The UK Information Commissioner's Office (ICO) issued the second 7-figure fine in this sector against Ticketmaster UK Ltd. (ETid-440). GBP 1.25 million (approximately EUR 1.41 million) was imposed for failing to protect the personal data of customers with adequate security measures. Potentially 9.4 million European customers could have been affected by a cyberattack between February 2018 and 23 June 2018, caused by an insufficiently secured chatbot hosted by a third party and embedded on Ticketmaster's online payment page, which allowed an attacker to gain access to customers' financial information. According to the ICO, personal data such as names, full payment card numbers, expiry dates and Card Verification Value (CVV) numbers, as well as Ticketmaster usernames and passwords, were affected. The ICO also found that 60,000 payment cards belonging to Barclays Bank customers were subject to fraud, and several international banks also reported fraudulent activity to Ticketmaster. The case illustrates that a controller remains responsible for the security of third-party code it chooses to load on pages where payment data is entered.
- Insufficient TOMs also earned the Polish online electronics retailer morele.net a hefty fine of EUR 660,000 from the Polish DPA, the President of the Personal Data Protection Office (UODO) (ETid-79). The lack of data security established by the DPA had facilitated unauthorised access to the personal data of 2.2 million clients.
- An insufficient legal basis caused the DPA of Italy to impose a fine in the amount of EUR 200,000 against Merlini S.r.l. (ETid-335). The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third-party provider as data processor without sufficient legal basis for data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third‑party provider.
In particular, non-compliance with general data protection principles and insufficient data security measures resulted in severe fines for companies in the industry and commerce sector. DPAs have shown that they are willing to impose 6- or even 7-figure fines for insufficient TOMs, especially when large volumes of personal data are exposed to unauthorised access. The example of Carrefour France shows that a series of individually smaller violations can be sanctioned separately and add up to a large overall fine.