The GDPR came into force in May 2018. This European regulation revolutionized personal data protection, and helped increase awareness of this important subject. The regulation sets out hefty fines of up to 4% of a company’s global annual turnover, or up to €20 million, for organizations that infringe the rules.

Although we started to see a few sanctions under the GDPR in 2018, it wasn’t until 2019 that the first million-euro fines started to fall. Below, we’ll go over the six highest fines that we’ve seen to date, and the articles of the GDPR applied in each case.

British Airways

  • Country: United Kingdom
  • Fine: €204,110,000
  • GDPR article infringed: 32

In July, British Airways was fined £183 million by the UK Information Commissioner’s Office (ICO) in relation to a data breach that took place in September 2018. Attackers managed to steal the personal information of around 500,000 BA customers. This data included names, credit card numbers and their CVV codes, and email addresses. Article 32 of the regulation requires that companies implement technical and organizational measures to ensure the security of information.

Marriott International, Inc.

  • Country: United Kingdom
  • Fine: €118,714,808
  • GDPR article infringed: 32

At the end of November 2018, Marriott International was at the center of what was at the time the second largest data breach of all time. The personal data of up to 339 million customers was found to have been stolen. The attackers had had access to the hotel group’s data since 2014.

According to the Information Commissioner’s Office investigation, the stolen data includes that of around 30 million residents in 31 countries in the European Economic Area. It is thought that the vulnerability started when Starwood Hotel Group was compromised in 2014; Marriott bought Starwood in 2016. The Information Commissioner Elizabeth Denham explains: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition”.

Marriott International’s fine is £99,200,396.

Google LLC

  • Country: France
  • Fine: €50,000,000
  • GDPR articles infringed: 5, 6, 13, 14

The CNIL (Commission Nationale de l’Informatique et des Libertés), the French data protection agency, fined Google LLC €50 million in January for violating GDPR rules about transparency and for not having a valid legal basis for processing personal data for advertising purposes. According to the CNIL, Google users do not receive enough information about the use of their data. What’s more, the consent obtained by Google is neither “specific” nor “unambiguous”.

Österreichische Post AG

  • Country: Austria
  • Fine: €18,000,000
  • GDPR articles infringed: 5, 6

In October, Österreichische Post AG, an Austrian postal company, received an 18 million euro fine for creating profiles of around three million people, which included their addresses, personal preferences and political affiliations. These profiles were then sold to political parties and other companies. The GDPR articles cited are related to obtaining a legal basis for data processing.

Deutsche Wohnen

  • Country: Germany
  • Fine: €14,500,000
  • GDPR articles infringed: 5, 25

On October 30, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) fined the real estate company Deutsche Wohnen €14.5 million in relation to data retention. The German company stored its customers’ personal data for longer than necessary without having sufficient legal basis to do so. This goes against the right to deletion enshrined in the GDPR.

1&1 Telecom

  • Country: Germany
  • Fine: €9,550,000
  • GDPR article infringed: 32

In December, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) fined the telecommunications company 1&1 Telecom €9.5 million. The company failed to implement sufficient technical and organizational measures to protect the personal data at its call centers: it was discovered that customer information could be obtained simply by providing a customer’s name and date of birth. According to the BfDI, this level of authentication was insufficient to protect customer data.

How to avoid a GDPR fine

To guarantee GDPR compliance, any company that stores and processes personal data must ensure it has a legitimate legal basis to do so, and must communicate the purpose of this processing to customers when obtaining personal data. Another essential aspect of GDPR compliance is knowing where personal data is at all times and who has access to it.

Panda Adaptive Defense has an additional module, Panda Data Control, which discovers, audits, and monitors unstructured personal and sensitive data on computers, from data at rest to data in use and data in motion. What’s more, it helps companies to comply with several specific articles of the GDPR, including article 32, cited in the fines given to British Airways, Marriott and 1&1 Telecom.

With the proliferation of personal data use, it is only a matter of time before a company infringes one of the articles that protect European users and incurs a fine from the relevant DPA. Make sure your company isn’t the next victim with Panda Data Control.