High-profile fines for GDPR violations: what went wrong?

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, many companies have faced significant fines for violating it. These cases have become important lessons for other businesses, demonstrating the need to take personal data protection seriously. Here are some recent high-profile cases worth knowing.

1. Meta (Facebook): €1.2 billion

In May 2023, Meta was fined a record €1.2 billion by the Irish Data Protection Commission (DPC) for GDPR violations. This is the largest fine in the entire history of the regulation. The reason was the transfer of personal data of European users to the USA, which did not meet the security and privacy requirements of the GDPR.

2. Amazon: €746 million

In July 2021, Amazon was fined €746 million for GDPR violations. The Luxembourg Data Protection Commission found that the company handled users' data improperly, violating privacy principles. Although the details of the case have not been fully disclosed, the case has highlighted the importance of data compliance.

3. WhatsApp: €225 million

In September 2021, WhatsApp, a subsidiary of Meta, was fined €225 million for non-compliance with GDPR transparency requirements. The Irish Data Protection Commission found that the company did not provide enough information to users about how their data was collected, processed and used. This violated the basic principles of the regulation regarding transparency and user awareness.

4. Google: €50 million

In January 2019, Google was fined €50 million by the French Data Protection Commission (CNIL) for GDPR violations. The Commission found that Google did not provide users with sufficient information about the processing of their data and did not obtain proper consent for targeted advertising. It was one of the first significant fines to highlight the importance of transparency and user consent.

5. H&M: €35 million

In October 2020, H&M was fined €35 million in Germany for GDPR violations. The company collected and stored confidential information about its employees without their proper consent. This included information about health, family circumstances, and religious beliefs. The fine became a serious warning to other companies about the need to comply with the rules for processing employee data.

What do these cases teach businesses?

The high-profile fines imposed in 2024 are not only a serious warning to companies but also an important source of lessons. Here are some key takeaways from these cases:

1. Transparency and Consent

Companies must ensure maximum transparency in their personal data processing activities. This includes:

- Clear Privacy Policies: Privacy policies should be written in plain language, without legal jargon, so that users can easily understand how their data is collected, used, and stored.

- Obtaining Consent: Companies must obtain explicit consent from users to process their data, especially for the purposes of targeted advertising. Consent must be voluntary, specific, and informed.

2. Data Security

Ensuring a high level of data security is a critical aspect of GDPR compliance. This means:

- Regular Risk Assessments: Conduct regular risk assessments to identify potential threats and vulnerabilities in your systems.

- Implementation of Security Measures: Use modern technologies to protect data, such as encryption, multi-factor authentication, and intrusion detection systems.

3. Responding to Incidents

It is important to have clear plans for responding to data security incidents:

- Incident Management: Develop procedures for rapid detection, response, and remediation of incidents.

- Notification to Regulators and Users: Under the GDPR, you are required to notify regulators and affected users of data breaches within a set time frame (usually within 72 hours).

4. Privacy Training and Culture

Creating a culture of privacy among employees is an important aspect of ensuring compliance:

- Employee Training: Conduct regular data protection and privacy training for all employees, especially those who work with personal data.

- Integration of Privacy into Business Processes: Ensure that privacy principles are built into all business processes of the company.

5. Use of Technologies for Compliance

Technology solutions can make GDPR compliance much easier:

- Data Management Systems: Use data management systems that automate the processes of data collection, storage and processing in accordance with GDPR requirements.

- Monitoring and Auditing: Use tools to monitor activities and conduct regular audits to ensure ongoing compliance.

High-profile GDPR Violation Cases in 2024

The year 2024 was marked by several high-profile cases of violations of the General Data Protection Regulation (GDPR), which once again confirmed the seriousness of the regulation's requirements. Here are a few cases that became landmarks this year.

1. TikTok: €345 million

In March 2024, TikTok was fined €345 million by the Irish Data Protection Commission (DPC) for breaching the GDPR in relation to the processing of the data of minor users. It was found that TikTok did not ensure an adequate level of consent from parents and guardians for the processing of children's data, and did not inform users about its privacy policies in an understandable and accessible way.

2. Microsoft: €275 million

In May 2024, Microsoft was fined €275 million for non-compliance with GDPR requirements regarding the processing of personal data of Office 365 users. Regulators found that the company collected and used user data for targeted advertising without proper consent, violating the principles of transparency and user information.

3. Airbnb: €200 million

In July 2024, Airbnb was fined €200 million for breaching the GDPR by improperly processing user and host data. Regulators found that the company did not provide enough information about the collection and use of data, and did not ensure adequate protection of personal information. Airbnb was forced to conduct an internal audit and make significant changes to its privacy policies.

4. Uber: €150 million

In August 2024, Uber was fined €150 million for a leak of the personal data of users and drivers. Regulators found that the company did not provide a sufficient level of security, which led to the theft of the personal information of millions of users. Uber was required to implement additional security measures and improve its incident response procedures.

5. Spotify: €120 million

In October 2024, Spotify was fined €120 million for violating the GDPR regarding the use of personal data for targeted advertising. Regulators found that the company did not receive adequate

How can companies avoid such violations?

High-profile cases of GDPR violations in 2024 clearly demonstrate the importance of taking personal data protection seriously. To avoid such situations, companies can implement several key strategies and practices:

1. Development and Implementation of Privacy Policies

- Transparency: Ensure that your privacy policies are accessible and understandable to users. They must clearly explain what data is collected, how it is used, and for what purpose.

- Regular Update: Update your privacy policies according to changes in legislation and internal company processes.

2. Ensuring Users' Consent

- Explicit Consent: Obtain explicit consent from users before collecting their data. Consent must be voluntary, specific, informed and unambiguous.

- Ease of Withdrawal of Consent: Provide benefit

Conclusion

High-profile fines for GDPR violations in 2024 have made it clear that non-compliance with the regulation's requirements can have serious consequences. Businesses must actively work to ensure the transparency, security and legality of personal data processing. Investing in technology, training employees, and building a culture of privacy are not just legal requirements, but strategic steps to protect the reputation of the company and the trust of its users.

Authors: Serhii Floreskul, Violetta Loseva

5.14.2024 14:30