
Industry & Commerce

In the industry and commerce sector, DPAs from 24 different countries (+6 in comparison to the 2021 ETR) have so far imposed 233 fines (+120 in comparison to the 2021 ETR) on a variety of different enterprises, including utility companies, global retailers, grocery store chains and food-delivery services, with a total fine volume of EUR 776 million (+769 million in comparison to the 2021 ETR).

Measured by the number of registered cases, companies in the industry and commerce sector remain highly affected by the imposition of GDPR fines. While the number of fines is significant, the average amount of roughly EUR 3.53 million mainly results from the extraordinary fine against Amazon in the amount of EUR 746 million.

The majority of companies in this sector were fined due to an insufficient legal basis for data processing (67), insufficient fulfilment of information obligations (48) and insufficient technical and organisational measures (TOMs; 37). No DPA was more active than the Spanish Data Protection Authority, which imposed more than 45% of all fines in this sector (aepd: 106), followed by the authorities in Italy (Garante: 21) and Romania (ANSPDCP: 20).

But let's take a closer look:

  • As already mentioned, the standout fine in the past year was the EUR 746 million penalty imposed on Amazon Europe Core S.a.r.l. (ETid-778) by the Luxembourg DPA (CNPD). Amazon has already stated that it plans to appeal this decision. Specifics of the case have not been publicly disclosed, as the CNPD is bound to professional secrecy under Luxembourg law until the appeal process is completed. This fine is the largest GDPR fine across all sectors thus far. It exceeds the combined total of the other nine fines in the top 10 across all sectors by about EUR 150 million and represents nearly half of the amount of all fines across all sectors combined since the GDPR came into effect.
  • In the summer of 2021, the Austrian DPA (dsb) imposed a fine of EUR 2 million on Unser Ö Bonus Club GmbH, the company behind the bonus programme of REWE International AG, for relying on an insufficient legal basis for data processing (ETid-792). The company failed to properly explain that customers' data and shopping behaviour are used to create individual profiles, and that the information is also passed on to partner companies. According to the GDPR, such information must be easily accessible and written in plain language. However, the company had designed the registration for the bonus programme in such a way that the information about profiling could only be found after scrolling down. Furthermore, the company placed a signature box at the bottom of physical flyers which appeared to be a confirmation of enrolment in the bonus programme, but actually constituted consent to the profiling of data subjects and the transfer of their data to third parties. In early 2022, the authority also imposed a fine of EUR 8 million on REWE International AG directly, possibly connected to its bonus programme (ETid-988). Further details on this case and its connection to the first fine remain unknown at this point in time.
  • The Italian DPA (Garante) sanctioned two food delivery services (Foodinho s.r.l. and Deliveroo Italy s.r.l.) with fines of EUR 2.6 million (ETid-743) and EUR 2.5 million (ETid-790) for non-compliance with general data processing principles, especially the principle of data minimisation. Both services tracked their delivery drivers and processed this data excessively; Deliveroo even tracked its drivers every 12 seconds via GPS. Furthermore, Deliveroo also defined a storage period of six years, violating the principle of storage limitation. Both services failed to conduct data protection impact assessments and did not sufficiently inform their drivers about the system installed on their smartphones.
  • The Spanish DPA (aepd) imposed a fine of EUR 2.25 million on a grocery store chain (Mercadona S.A.) due to an insufficient legal basis and other violations of the GDPR in its use of a facial recognition system in its stores (ETid-777). The supermarket chain originally installed the system to track individuals with known criminal convictions or restraining orders. However, the system tracked everyone entering the stores, including minors and employees. Individuals were not sufficiently informed of this processing, and the system allowed the controller to process multiple biometric data. The aepd found that this approach violated the principle of data minimisation as well as the principles of necessity and proportionality. The original fine of EUR 3.15 million was reduced to EUR 2.25 million because of voluntary payment. It is noteworthy that the majority (94) of the 106 aepd fines imposed were EUR 10,000 or less, and that the authority imposed only one other fine of six figures or more (ETid-609).

Main takeaway

In particular, non-compliance with general data protection principles and insufficient data security measures resulted in severe fines for companies in the industry and commerce sector. DPAs have shown that they are willing to impose 6- or even 7-figure fines for insufficient TOMs, especially when large amounts of personal data are exposed to public access. In terms of general data protection principles, authorities are closely examining the necessity of data processing and the length of storage periods. Depending on the severity of the violation, 7-figure fines are also possible for those types of violations. Amazon's appeal is highly anticipated by all authorities, and its fine most likely will not be the last large GDPR fine for a big tech company.