In the second quarter of 2020, data protection bodies across Europe issued at least 46 administrative fines under the GDPR (General Data Protection Regulation), with the penalties totalling nearly €2.9 million (£2.6 million).
This is a sharp decrease on Q1, which saw more than £45 million in fines – something that is to be expected given the disruption caused by COVID-19.
Like all organisations, supervisory authorities have struggled to operate during lockdown and many have had to suspend or restrict investigations.
However, as our GDPR Fines Quarterly Report: Q2 2020 shows, business as usual is starting to resume as lockdown measures are eased throughout Europe. The report found that 27 of the fines were issued in June and accounted for €2,025,640.
Which countries are issuing fines?
The Spanish Data Protection Authority led the way this quarter, issuing 16 fines.
Meanwhile, Nordic countries were large contributors to the quarter’s totals, with both the Norwegian Data Protection Authority and Finland’s Office of the Data Protection Ombudsman meting out four fines, and Sweden’s supervisory authority handing out three fines.
These include a €283,000 (£255,000) fine issued to Bergen Municipality and a €100,000 (£90,000) fine issued to Posti Oy.
Spain is responsible for by far the most GDPR fines.
Romania’s National Supervisory Authority for Personal Data Processing also handed out three penalties, although these were all for minor infractions and totalled €11,000 (about £10,000).
The figures listed in the report should be considered approximations, owing to fluctuations in currency values.
Similarly, not all supervisory authorities publish information about the action they have taken, and other fines for the quarter may come to light at a later date.
However, the report gives a strong indication that – although you may not hear about all of these fines – they are still occurring.
Organisations violating CCTV requirements
Several fines were issued in Q2 related to the unlawful use of CCTV. It’s important to remember that CCTV footage that allows individuals to be identified is classed as personal data under the GDPR.
Whether you operate a surveillance system yourself or contract a third-party CCTV company to do it on your behalf, you are a data controller under the GDPR and must comply with the Regulation.
This includes adhering to the Article 5 processing principles, determining a lawful basis for processing, providing an appropriate privacy notice, storing any footage securely, and having processes in place to facilitate data subject access where necessary.