GDPR

A cy­ber in­sur­ance loss study in Con­tin­ent­al Europe

When the GDPR was already in force, but not yet ap­plic­able (and not a single fine had been im­posed yet), much at­ten­tion was paid to the for­mid­able fine frame­work. For many com­pany of­ficers, this caused fear: if I vi­ol­ate the GDPR, I have one foot in jail (or at least my or­gan­isa­tion has to pay EUR 20 mil­lion or 4% of its glob­al an­nu­al turnover, cal­cu­lated for the whole group, if the com­pany is part of one).We be­lieve that facts are bet­ter than fear.The con­tinu­ously up­dated list of pub­licly known GDPR fines in the GDPR En­force­ment Track­er is our 24/7 rem­edy against fear, while the an­nu­al En­force­ment Track­er Re­port is our deep dive and per­mits more in­sights in­to the world of GDPR fines. We are pleased that our ana­lys­is for this second edi­tion of the ET Re­port is based on a lar­ger over­all data set of more than 570 fine cases, 526 of which made it in­to the ed­it­or­i­al team's work­sheet.More in­ter­na­tion­al­We are even more pleased that more in­ter­na­tion­al col­leagues sup­por­ted us this time and provided de­tailed in­put on en­force­ment prac­tice, in par­tic­u­lar for EU mem­ber states in the new mem­ber state in­ter­views (Ed­it­or­'s note: the United King­dom re­mains part of the En­force­ment Track­er Re­port and the En­force­ment Track­er as the UK Gen­er­al Data Pro­tec­tion Reg­u­la­tion en­sures reg­u­lat­ory con­sist­ency re­gard­less of Brexit).Loc­al law and prac­tice mat­ter­After al­most three years of GDPR ap­plic­a­tion, we are not the only ones to have learned one thing: des­pite the GDPR's full har­mon­isa­tion ap­proach, hardly any oth­er area is shaped more by na­tion­al laws and of­fi­cial prac­tice than GDPR fines. This may be a reas­on why Spain still tops the list of coun­tries with the most fines this year.Ex­ec­ut­ive Sum­mary­As we are aware that pri­vacy pro­fes­sion­als are un­likely to have a peace­ful job in these chal­len­ging times, the second edi­tion kicks off with an ex­ec­ut­ive sum­mary for the quick read­er (in­clud­ing over­all takeaways, in ad­di­tion to sec­tor-spe­cif­ic ob­ser­va­tions). Hav­ing in­ten­tion­ally op­ted for an on­line-only pub­lic­a­tion, the ET Re­port's Ex­ec­Sum is the only part that you can con­veni­ently down­load (or even print out for bed­time read­ing without a di­git­al device).Num­bers & fig­ures and sec­tor ap­proach­We have put to­geth­er an over­all sum­mary of the ex­ist­ing fines in the "Num­bers and Fig­ures" sec­tion, fol­lowed by tried-and-tested ana­lys­is for the fol­low­ing busi­ness sec­tors:Fin­ance, in­sur­ance and con­sultingAc­com­mod­a­tion and hos­pit­al­ity­Health careIn­dustry and com­mer­ceR­eal es­tate­Media, tele­coms and broad­cast­ing­Pub­lic sec­tor and edu­ca­tion­Trans­port­a­tion and en­ergy­In­di­vidu­als and private as­so­ci­ations plus the over­arch­ing cat­egoryEm­ploy­mentY­our takeawaysThis in-depth ana­lys­is per­mits first con­clu­sions to be drawn as to which busi­ness sec­tors at­trac­ted par­tic­u­larly hefty fines. We also ana­lysed the DPAs' reas­on­ings for the fines. These as­pects to­geth­er al­low us to provide you with key takeaways for each busi­ness sec­tor. Apart from the law­ful­ness of each data pro­cessing op­er­a­tion, bol­ster­ing data se­cur­ity should re­main in the spot­light for every or­gan­isa­tion. There are already rel­ev­ant in­dic­a­tions in terms of data pro­tec­tion lit­ig­a­tion – in par­tic­u­lar, data sub­ject­s' claims for ma­ter­i­al or im­ma­ter­i­al dam­ages un­der Art. 82 of the GDPR are on the rise. This trend is un­likely to stop, be­ing in par­tic­u­lar sup­por­ted by col­lect­ive re­dress mech­an­isms and leg­al tech of­fer­ings that are already in­creas­ing the risks of and re­sources needed for data pro­tec­tion claims man­age­ment.Meth­od­o­logy­We do not re­sort to witch­craft nor do we have pref­er­en­tial ac­cess to GDPR fine in­form­a­tion (at least in most cases, but we are still work­ing on that…) when work­ing in the En­force­ment Track­er en­gine room and pre­par­ing the En­force­ment Track­er Re­port. In ad­di­tion to our ne­ces­sary fo­cus on pub­licly avail­able fines, there are some oth­er in­her­ent lim­its to the data be­hind this whole ex­er­cise. For the "small print", please see our more de­tailed re­marks on meth­od­o­logy. On a more gen­er­al level, al­though we have done our best to break down a com­plex top­ic in­to neat pieces, we have res­isted the tempta­tion to fol­low SEO re­com­mend­a­tions for the whole con­tent pack­age and would ask you to con­sider it a "long read" format if you de­cide to read it in full.What's next?The En­force­ment Track­er Re­port and the En­force­ment Track­er are a work in pro­gress. We highly ap­pre­ci­ate any form of feed­back (prefer­ably con­struct­ive…) and would like to thank every­body who has reached out over the last year. We re­ceived in­ter­est­ing ideas, in­form­a­tion about for­got­ten fines (hid­den deeply in re­mote corners of a sup­posedly com­pletely cap­tured world) and re­com­mend­a­tions for ad­di­tion­al fea­tures (our buck­et list is grow­ing stead­ily), as well as rel­ev­ant con­tri­bu­tions from stake­hold­ers out­side the EU – demon­strat­ing that the data pro­tec­tion land­scape is evolving rap­idly on a glob­al scale and in­ter­faces between na­tion­al/re­gion­al con­cepts are de­vel­op­ing even in the ab­sence of a glob­al data pro­tec­tion law. We have en­gaged with peers from the leg­al pro­fes­sion, pri­vacy pro­fes­sion­als with a more ad­vanced tech back­ground as well as re­search­ers from vari­ous dis­cip­lines. We strongly en­cour­age you to con­tin­ue en­ga­ging with us. And we apo­lo­gise in ad­vance if our feed­back may take some time; the data pro­tec­tion world is not a quiet one right now.Stay safe – and keep on fight­ing, Chris­ti­an Runte, Mi­chael Kamps, ed­it­ors and the en­force­ment track­ing and re­port­ing team

Data pro­tec­tion 1. Loc­al data pro­tec­tion laws and scope Gen­er­al Data Pro­tec­tion Reg­u­la­tion ("GDPR") (Alge­mene Ver­or­den­ing Gegevens­bes­cherm­ing)The Dutch GDPR Im­ple­ment­a­tion Act ("DGIA") (Uit­vo­er­ing­swet...

Ar­ti­fi­cial in­tel­li­gence is not new: the term it­self was coined over 60 years ago. However, the con­ver­gence of data volume, pro­cessing power and tech­nic­al cap­ab­il­ity has con­vinced many that the AI era...

In 2019, the Dutch Data Pro­tec­tion Au­thor­ity (DDPA) re­ceived 26.956 data breach no­ti­fic­a­tions. The ma­jor­ity of these breaches were no­ti­fied by or­gan­isa­tions act­ive in health sec­tor (mostly hos­pit­als...

COV­ID-19, the dis­ease as­so­ci­ated with the coronavir­us that has dom­in­ated glob­al news in re­cent weeks, is be­ing battled on many fronts with spe­cif­ic meas­ures de­signed to re­duce its ef­fects. Al­though the...