How to Avoid Fines Under the GDPR

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

It's one thing to have rules, and another to have consequences for breaking them. When the GDPR took effect, not everyone was convinced it would have any real effect unless breaches led to punishments.

It's now clear that regulators really will impose substantial fines on businesses that don't follow the rules.

In this article we'll explore exactly what offenders did wrong and how a clearly-written Privacy Policy can dramatically reduce your chances of getting fined for lack of GDPR compliance.


The Basics of the GDPR

The General Data Protection Regulation (GDPR) has been in legal force for more than two years now, but in case you need a quick reminder, these are the key points.

The GDPR restricts the way you can process personal data in the European Union.

  • Process has a broad definition that includes collecting, using, sharing and selling data
  • Personal data means information that relates to an identified or identifiable human being

The GDPR applies if:

  • The organization processing the data (the data controller) has a presence in a European Union country,
  • The person the data is about (the data subject) lives in a European Union country, or
  • The processing itself takes place in a European Union country (for example, in a data center in the EU)

The GDPR's measures will also apply in the United Kingdom through domestic law unless and until that domestic law changes.

When the GDPR applies, it's only lawful to process data if one of a list of "legal bases" applies. These include but aren't limited to legal obligations, contracts, to protect someone's life, and some official public activity.

For businesses, the two most relevant lawful bases are:

  • The data subject has given meaningful consent to you processing data for a specific purpose
  • The processing is needed for your legitimate interests and these aren't outweighed by the data subject's data privacy rights

As well as covering lawful and unlawful processing, the GDPR also says you must:

  • Only process the minimum amount of data needed for the stated purpose and only keep it for as long as necessary
  • Make sure the data is accurate and correct it if necessary
  • Keep the data secure
  • Make sure data subjects know what data you have and how to exercise their rights

Penalties for Breaching the GDPR

National data protection authorities known as "supervisory authorities" have the power to enforce the GDPR and punish data controllers that breach it. These powers include the supervisory authority having the right to:

  • Issue an official warning
  • Temporarily or permanently stop the data controller from processing personal data
  • Order the data controller to stop sending data to a non-EU country

The supervisory authorities can also issue financial penalties known as administrative fines. (In Denmark and Estonia the supervisory authorities must instead recommend that a national court issue the penalty.)

The amount of the fine is not simply designed to rectify the breach and any resulting damage. Instead, supervisory authorities can set a fine designed to deter future breaches, though it cannot be disproportionate to the specific circumstances of the breach.

The factors a supervisory authority must take into account include the following:

  • How many data subjects were affected
  • Whether the infringement was deliberate or caused by negligence
  • What the data controller did to mitigate the effects
  • Whether the data controller has previously breached the GDPR
  • Whether the data controller reported the breach to the supervisory authority
  • Whether the data controller complied with a relevant code of conduct

The GDPR sets out two maximum limits on fines, though these are at significantly high levels.

Some breaches come under the lower maximum limit. These generally involve breaching more administrative parts of the GDPR rather than the fundamental principles. With these cases the maximum allowable fine is whichever is greater: either €10 million or two percent of the business's worldwide revenue in the previous financial year.

More serious breaches have a maximum allowable fine of whichever is greater: either €20 million or four percent of the business's worldwide revenue in the previous financial year.

Although data controllers that receive an administrative fine have the right to appeal, successful appeals have been extremely rare to date.

Examples of Significant GDPR Fines

The following notable cases show that the threat of GDPR fines is very real. In most cases, the data controllers could easily have avoided the breach and financial penalty with better data practices. We'll also show examples of organizations that do this correctly.

Arp-Hansen Hotel Group

This business was fined 1.1 million Danish crowns (€148,000) for keeping data longer than necessary. This included a database of customer details and records from a booking system.

The GDPR says businesses can only keep data for as long as necessary for the stated purpose, such as holding a reservation on a room. Once this is no longer necessary (for example, because the hotel stay has finished), the data must be deleted.

The hotel company could have kept the data for longer and for a different purpose, for example as a mailing database for promotional offers, as long as its Privacy Policy made this clear.

However, the data subjects have the rights to request the data be deleted or to withdraw consent. These are rights which a Privacy Policy must explain.

The Right Way:

This example from The Guardian explains its data retention policy:

The Guardian Privacy Policy: How long we keep your personal data clause

A clause like this is crucial to GDPR compliance. While you don't need to say exactly how long you retain data, you need to make it clear that you only retain it for as long as you need it.

Let users know that you will delete or anonymize data after this period, depending on your practices.

Google

Google was fined 75 million Swedish kronor (€7 million) for breaching the GDPR's requirements to deal with data subjects requesting their data be deleted if inaccurate or irrelevant. In particular, it took too long to handle one request, and handled another in a way that undermined the point of deleting the data.

The GDPR requires data controllers to mention the right to request data deletion in their Privacy Policy. This case is a good example of why you not only need a clear Privacy Policy, but you need to live up to it.

The Right Way:

Belbin clearly explains the circumstances in which somebody can request data deletion:

Belbin Data Deletion Policy excerpt with the Right to Erasure highlighted

Make sure your users:

  • Know about the right to erasure
  • Know how to exercise this right

Also make sure that you honor erasure requests appropriately.

H&M

This retailer was fined €35.3 million for storing and processing employee data without consent.

Some of this data was gathered through informal discussions with employees who were unaware it would be stored or used to make decisions about their employment.

The breach was particularly serious as it involved sensitive personal data, which must be protected with higher security levels than ordinary personal data. Ironically it was a failure to maintain this higher security that revealed the company was collecting and processing the data.

Some of this data could have been collected and processed had the company gathered explicit informed consent from the employee concerned, while other data should never have been processed. Either way, it's a reminder that the GDPR covers personal data about any individual, not just customers.

The Right Way:

The Ministry of Justice has a separate Privacy Notice for employees:

Ministry of Justice GDPR Privacy Notice for Employees, Workers and Contractors in the UK - Purpose clause

While you don't need to have a separate policy like this, you do need to make sure that your employee data is handled in a compliant way.

Consider including a section in your Privacy Policy that addresses employee data, or at minimum, make it clear that your policy applies to employee data as well.

Royal Dutch Lawn Tennis Association (KNLTB)

The KNLTB was fined €525,000 for selling personal data about its members to two sponsors. The organization had relied on the legitimate interest basis in doing so, an argument which was rejected by the supervisory authority.

The sale of the data would have been lawful had the organization obtained consent from the data subjects.

To do this they would have needed a Privacy Policy or similar notice that clearly stated the data would be disclosed to the sponsors. They would also need a clear indication of consent from the data subject after having a reasonable opportunity to read the Policy.

The Right Way:

Dennis Publishing gives an example of when it could sell data:

Dennis Publishing Privacy Policy: Research clause

Make it clear to your users if you sell or share their personal data. If you do so, explain at least broadly with whom the data may end up.

Vodafone Espana

Vodafone Espana faced several GDPR fines in 2020. The biggest was for €120,000 for two violations.

The company processed a person's data to provide a phone line and passed on the data to two credit reporting agencies. While both of these actions might seem reasonable, the company could not prove it had consent.

It could have avoided this by having the person sign a form or use an online confirmation process (such as a checkbox) in which they acknowledged reading a clear Privacy Policy detailing how the company would use their information, and agreeing to the policy.

The Right Way:

This sign-up form from Scientific American requests consent for multiple different things:

Scientific American newsletter sign-up form with consent checkboxes

It requests separate consent from the user to receive third-party emails, and links the Privacy Policy multiple times throughout the area.

Make sure you make it clear how you will use someone's personal information, and get as clear a consent as you can.

Wind Tre

This telecoms company was fined €16.7 million for a series of GDPR breaches, mainly centered on using personal data to send unsolicited marketing communications.

Among the specific breaches, the company failed to give clear and complete information about how to contact it to withdraw consent after previously giving it.

The company's apps were also inadequate as they required consent to processing before the user could access the app, and would not allow the user to withdraw the consent until 24 hours had passed. This breached the requirement for consent to be meaningful and freely given, and for the data subject to be able to withdraw consent at any time.

The Right Way:

This example from EASA details both the right to withdraw consent and how to do so:

EASA Privacy Policy: User Rights clause

Steps to Take Now

Nothing will reliably protect you against the risk of an administrative fine under the GDPR if you intentionally or recklessly breach the rules, for example by collecting, using or selling data while knowing you don't have a lawful reason to do so.

However, in many cases you can reduce or remove the risk of a fine by making sure data subjects are aware of how you intend to process their data, and that they have the ability to withhold consent or tell you to stop the processing.

A clearly written and compliant Privacy Policy is the best way to make sure you have the necessary consent and that data subjects are aware of your activities and their rights.

The key points to include in a Privacy Policy to make sure it complies with the GDPR are as follows:

  • The data subject's rights under the GDPR including to withdraw consent at any time and to complain to a supervisory authority
  • Your identity and contact details and those of your Data Protection Officer
  • What personal data you want to process
  • The specific purpose for which you will process the data
  • The lawful basis that covers the processing, including details of your legitimate interests if relevant
  • Who you will disclose the data to
  • Whether you will transfer the data outside of the EU and, if so, how you will safeguard it
  • How long you will keep the data (or how you will decide)
  • Whether the data subject is legally or contractually required to provide the data and what happens if they don't
  • Whether you use any automated decision-making based on the data

Remember that the GDPR says consent must be meaningful. The data subject must give consent freely and actively. To make sure this happens you should do the following:

  • Always make sure the Privacy Policy is clearly signposted and accessible before the data subject provides personal data. This could be in a pop-up window, on the data submission page, or on a standalone page to which you clearly link.
  • Require an assertive, intentional action from the data subject to give consent such as checking a box, clicking a button or switching a toggle. Never work on the basis of presuming consent unless the data subject says otherwise.
  • Don't use pre-ticked checkboxes or toggles set to "on" by default. Supervisory authorities have ruled this creates too much risk of a user "giving consent" by mistake.
  • Don't treat scrolling through a message as a signal of consent. This doesn't give a clear enough signal and there's no easy way to withdraw the consent.

Summary

Let's recap what you need to know about avoiding fines under the GDPR:

  • The GDPR applies if you process personal data about somebody and either you, they or the processing is in a European Union country.
  • Under the GDPR, you can only process personal data if a specific lawful basis applies. For businesses this is usually consent or legitimate interests.
  • Breaching the GDPR can lead to fines from a supervisory authority. These can be as high as €20 million or four percent of your annual global turnover, whichever is bigger.
  • Supervisory authorities have issued many substantial fines, few of which have been successfully appealed.
  • Breaches that have led to fines include:

    • Keeping data longer than necessary
    • Failing to properly handle requests to delete data
    • Storing data about employees without consent
    • Selling data without consent
    • Processing data without consent
    • Making it too difficult to withdraw consent

In many cases, the fines could have been avoided by writing a clear Privacy Policy (and sticking to it) and getting informed consent before processing data.